Oihana PHP System

Permission extends Intangible

Represents a Casbin permission rule for Role-Based Access Control (RBAC).

A Permission defines what a subject (user, role, or permission) is allowed or denied to do on a given resource within a specific domain. It is directly compatible with Casbin policy enforcement.

Components

  • subject: The entity performing the action (user:123, role:admin, perm:read:org)
  • domain: The context or namespace for the permission (api.my_domain.tld, my-app)
  • object: The resource being accessed (/organizations, /documents/:id)
  • action: The allowed operations (GET, POST, PATCH|PUT, etc.)
  • effect: Whether access is granted or denied (allow or deny)

Usage Example

use xyz\oihana\schema\auth\Permission;
use xyz\oihana\schema\constants\Effect;

$perm = new Permission
([
    'subject' => 'role:admin' ,
    'domain'  => 'api.my-domain.tld' ,
    'object'  => '/documents/:id' ,
    'action'  => 'GET|POST' ,
    'effect'  => Effect::ALLOW ,
]);

Notes

  • Multiple actions can be specified using the | character.
  • For REST APIs, consider normalizing objects with wildcards (e.g., /documents/*) so that keyMatch2 in Casbin matches correctly.
  • The effect is used to resolve conflicts when multiple rules match: an allow can be overridden by a deny depending on your policy_effect.
Tags
category

Security / RBAC

author

Marc Alcaraz

since
1.0.2

Table of Contents

Constants

CONTEXT  = \xyz\oihana\schema\constants\Oihana::SCHEMA
The @context of the json-ld representation of the thing.
JSON_PRIORITY_KEYS  = [\org\schema\constants\Schema::AT_TYPE, \org\schema\constants\Schema::AT_CONTEXT, \org\schema\constants\Schema::_KEY, \org\schema\constants\Schema::_FROM, \org\schema\constants\Schema::_TO, \org\schema\constants\Schema::ID, \org\schema\constants\Schema::NAME, \org\schema\constants\Schema::URL, \org\schema\constants\Schema::CREATED, \org\schema\constants\Schema::MODIFIED]
Defines the priority order of keys when serializing the object to JSON-LD.

Properties

$_from  : string|null
The metadata to indicates the edge 'from' identifier.
$_id  : null|string
The metadata identifier of the item.
$_key  : null|string
The metadata unique key identifier of the thing.
$_rev  : null|string
The metadata revision value of the thing.
$_to  : string|null
The metadata to indicates the edge 'to' identifier.
$action  : string|null
The allowed action(s) for this permission.
$active  : bool|null
The active flag.
$additionalType  : array<string|int, mixed>|string|null|object
An additionalType for the item.
$alternateName  : string|object|array<string|int, mixed>|null
An alias for the item.
$created  : null|string
Date of creation of the resource.
$description  : string|object|array<string|int, mixed>|null
A short description of the item.
$disambiguatingDescription  : string|null
A sub property of description. A short description of the item used to disambiguate from other, similar items. Information from other properties (in particular, name) may be necessary for the description to be useful for disambiguation.
$domain  : string|null
The domain or namespace where this permission applies.
$effect  : string|null
The effect of this permission : 'allow' or 'deny'.
$hasPart  : string|Thing|array<string|int, Thing>|null
Indicates an item that this part of this item.
$id  : null|int|string
The unique identifier of the item.
$identifier  : string|null
The identifier of the item.
$image  : string|ImageObject|array<string|int, ImageObject|string>|null
The image reference of this resource.
$isPartOf  : string|Thing|array<string|int, Thing>|null
Indicates an item that this item is part of.
$license  : string|object|null
A legal document giving official permission to do something with the resource.
$mainEntityOfPage  : string|null
Indicates a page (or other CreativeWork) for which this thing is the main entity being described.
$modified  : null|string
Date on which the resource was changed.
$name  : int|string|null
The name of the item.
$object  : string|null
The resource object targeted by this permission.
$owner  : null|string|Thing
The owner of this Thing.
$potentialAction  : array<string|int, mixed>|Action|null
Indicates a potential Action, which describes an idealized action in which this thing would play an 'object' role.
$publisher  : string|array<string|int, string|Person|Organization>|Person|Organization|null
The publisher of the resource.
$sameAs  : string|array<string|int, mixed>|null
URL of a reference Web page that unambiguously indicates the item's identity.
$subject  : string|null
The subject (permission or user or role) to whom the permission applies.
$subjectOf  : null|string|array<string|int, mixed>|CreativeWork|Event
A CreativeWork or Event about this Thing.
$url  : int|string|null
URL of the item.
$_effect  : string
The effect of this permission: always 'allow' or 'deny'.
$atContext  : string|null
The JSON-LD `@context` value.
$atType  : string|null
The JSON-LD `@type` value.

Methods

__construct()  : mixed
Constructor to hydrate public properties from an array or stdClass.
jsonSerialize()  : array<string|int, mixed>
Serializes the current object into a JSON-LD array.
toArray()  : array{subject: string|null, domain: string|null, action: string|null}
Returns an array representation of the permission suitable for Casbin policies.
toPolicy()  : array<string|int, mixed>
Returns an array ready for Casbin policies: [sub, dom, obj, act, eft]
withAtContext()  : $this
Sets the internal JSON-LD `@context` attribute.
withAtType()  : $this
Sets the internal JSON-LD `@type` attribute.
withJSONLDMeta()  : $this
Initializes both JSON-LD metadata: `@type` and `@context`.

Constants

CONTEXT

The @context of the json-ld representation of the thing.

public mixed CONTEXT = \xyz\oihana\schema\constants\Oihana::SCHEMA

JSON_PRIORITY_KEYS

Defines the priority order of keys when serializing the object to JSON-LD.

public array<string|int, string> JSON_PRIORITY_KEYS = [\org\schema\constants\Schema::AT_TYPE, \org\schema\constants\Schema::AT_CONTEXT, \org\schema\constants\Schema::_KEY, \org\schema\constants\Schema::_FROM, \org\schema\constants\Schema::_TO, \org\schema\constants\Schema::ID, \org\schema\constants\Schema::NAME, \org\schema\constants\Schema::URL, \org\schema\constants\Schema::CREATED, \org\schema\constants\Schema::MODIFIED]

Keys listed here will always appear first in the serialized array, in the order specified. All remaining public properties will be sorted alphabetically after these priority keys.

This ensures that important JSON-LD metadata and system fields (like @type, @context, _key, id, url, created, modified, etc.) appear at the top of the output for consistency and readability.

Usage:

$orderedKeys = self::JSON_PRIORITY_KEYS;

Notes:

  • Can be overridden in a subclass by redefining the constant.
  • Late static binding (static::JSON_PRIORITY_KEYS) allows child classes to modify the serialization order.

List of JSON-LD keys in priority order.

Properties

$_from

The metadata to indicates the edge 'from' identifier.

public string|null $_from

$_id

The metadata identifier of the item.

public null|string $_id

$_key

The metadata unique key identifier of the thing.

public null|string $_key

$_rev

The metadata revision value of the thing.

public null|string $_rev

$_to

The metadata to indicates the edge 'to' identifier.

public string|null $_to

$action

The allowed action(s) for this permission.

public string|null $action

Examples:

  • Basic actions : GET
  • Multiple actions : GET|PATCH|POST

$active

The active flag.

public bool|null $active

$additionalType

An additionalType for the item.

public array<string|int, mixed>|string|null|object $additionalType

$alternateName

An alias for the item.

public string|object|array<string|int, mixed>|null $alternateName

$created

Date of creation of the resource.

public null|string $created

$description

A short description of the item.

public string|object|array<string|int, mixed>|null $description

$disambiguatingDescription

A sub property of description. A short description of the item used to disambiguate from other, similar items. Information from other properties (in particular, name) may be necessary for the description to be useful for disambiguation.

public string|null $disambiguatingDescription

$domain

The domain or namespace where this permission applies.

public string|null $domain

Examples:

  • API : api.my_domain.tld
  • Application : 'my-app'

$effect virtual

The effect of this permission : 'allow' or 'deny'.

public string|null $effect

Used to determine whether the access request is approved when multiple policy rules match.

Hooks
public string|null get public set

$hasPart

Indicates an item that this part of this item.

public string|Thing|array<string|int, Thing>|null $hasPart

$id

The unique identifier of the item.

public null|int|string $id

$identifier

The identifier of the item.

public string|null $identifier

$isPartOf

Indicates an item that this item is part of.

public string|Thing|array<string|int, Thing>|null $isPartOf

$license

A legal document giving official permission to do something with the resource.

public string|object|null $license

$mainEntityOfPage

Indicates a page (or other CreativeWork) for which this thing is the main entity being described.

public string|null $mainEntityOfPage

$modified

Date on which the resource was changed.

public null|string $modified

$name

The name of the item.

public int|string|null $name

$object

The resource object targeted by this permission.

public string|null $object

Examples:

  • /organizations
  • /documents/:id

$owner

The owner of this Thing.

public null|string|Thing $owner

Represents any entity (person, organization, system, or other object) that can be considered the possessor of this Thing.

$potentialAction

Indicates a potential Action, which describes an idealized action in which this thing would play an 'object' role.

public array<string|int, mixed>|Action|null $potentialAction

$sameAs

URL of a reference Web page that unambiguously indicates the item's identity.

public string|array<string|int, mixed>|null $sameAs

E.g. the URL of the item's Wikipedia page, Wikidata entry, or official website.

$subject

The subject (permission or user or role) to whom the permission applies.

public string|null $subject

Examples:

  • Permission : perm:organizations:read
  • Role : role:superadmin
  • User : user:123

$subjectOf

A CreativeWork or Event about this Thing.

public null|string|array<string|int, mixed>|CreativeWork|Event $subjectOf

$url

URL of the item.

public int|string|null $url

$_effect

The effect of this permission: always 'allow' or 'deny'.

private string $_effect = \xyz\oihana\schema\constants\Effect::ALLOW

$atContext

The JSON-LD `@context` value.

private string|null $atContext = null

Default is https://schema.org.

$atType

The JSON-LD `@type` value.

private string|null $atType = null

This can be manually set or automatically inferred from the class name.

Methods

__construct()

Constructor to hydrate public properties from an array or stdClass.

public __construct([array<string|int, mixed>|object|null $init = null ]) : mixed

This allows objects to be quickly populated with associative data without manually setting each property.

Parameters
$init : array<string|int, mixed>|object|null = null

A data array or object used to initialize the instance. Keys must match public property names.

Tags
throws
ReflectionException
example 
use org\schema\Person;
use org\schema\constants\Prop;

$person = new Person
([
    Prop::NAME => 'Jane Doe',
    Prop::URL  => 'https://example.com/janedoe'
]);

echo $person->name; // Outputs: Jane Doe

jsonSerialize()

Serializes the current object into a JSON-LD array.

public jsonSerialize() : array<string|int, mixed>

Includes public properties, the JSON-LD @context and @type. Null values are automatically removed.

Tags
throws
ReflectionException

If reflection fails when accessing properties.

example 
use org\schema\Person;
use org\schema\constants\Prop;

$person = new Person
([
    Prop::NAME => 'John Smith',
    Prop::ID   => 'jsmith-001'
]);

echo json_encode($person, JSON_PRETTY_PRINT);

Output:

{
   "@type": "Person",
   "@context": "https://schema.org",
   "id": "jsmith-001",
   "name": "John Smith"
}
Return values
array<string|int, mixed>

JSON-LD representation of the object.

toArray()

Returns an array representation of the permission suitable for Casbin policies.

public toArray() : array{subject: string|null, domain: string|null, action: string|null}
Return values
array{subject: string|null, domain: string|null, action: string|null}

toPolicy()

Returns an array ready for Casbin policies: [sub, dom, obj, act, eft]

public toPolicy() : array<string|int, mixed>
Return values
array<string|int, mixed>

withAtContext()

Sets the internal JSON-LD `@context` attribute.

public withAtContext(string $context) : $this

Useful if you need a custom JSON-LD context.

Parameters
$context : string

Optional JSON-LD context.

Return values
$this

withAtType()

Sets the internal JSON-LD `@type` attribute.

public withAtType(string $type) : $this

Allows overriding the default type inferred from the class.

Parameters
$type : string

Optional JSON-LD type

Return values
$this

withJSONLDMeta()

Initializes both JSON-LD metadata: `@type` and `@context`.

public withJSONLDMeta([string|null $atType = null ][, string|null $atContext = null ]) : $this

Can be called from constructor or later to override default values.

Parameters
$atType : string|null = null

Optional JSON-LD type

$atContext : string|null = null

Optional JSON-LD context

Return values
$this 

        

        
    




    

    

                                

                

                                
    

        On this page

        
    


                

                            

            

    

        

            
Search results