
Security Acl Laravel Package

symfony/security-acl

Symfony Security ACL adds Access Control Lists to manage fine‑grained, object‑level permissions beyond roles. It supports per‑object and per‑field authorization with configurable permission masks and voters, integrating with Symfony’s security system.


Getting Started

Start by installing the package via Composer (composer require symfony/security-acl) and enabling it in your kernel (via SecurityBundle in Symfony 5.4+, or manually in older versions). The first real-world use case is securing domain objects, e.g., enforcing that only the author of a BlogPost can edit it. Define ACLs programmatically using AclProviderInterface and ObjectIdentity, or integrate with Doctrine via the symfony/acl-bundle (if available for your Symfony version). Your first test: grant a user MASK_EDIT on one specific post, then verify they cannot edit others.

Implementation Patterns

  • Domain-Driven ACLs: Embed ACL handling in your domain services (e.g., PostPermissionService) rather than controllers—keep authorization logic close to the entity.
  • Batch ACL creation: For scalability, pre-create class-level ACLs (e.g., for App\Entity\Post) to define default permissions (e.g., ROLE_EDITOR can edit all posts), then optionally override with object-specific ACEs.
  • Voters over direct ACL checks: Prefer using an ACL-aware voter (AclVoter) and call $this->isGranted('EDIT', $post) in controllers/services instead of manually interacting with AclInterface.
  • Lazy ACL retrieval: Use AclProviderInterface::findAcl() with caching (via Symfony’s cache component) to avoid repeated DB hits—implement a custom AclProvider if needed.
  • Custom masks: Define domain-specific permission masks (e.g., MASK_VIEW, MASK_COMMENT, MASK_DELETE) using bitwise OR/AND in your voter logic.

Gotchas and Tips

  • Performance penalty: ACL queries are expensive by default—always profile with DEBUG_ACL=true and use query caching. Avoid per-object ACLs for high-volume data (e.g., millions of posts); prefer class-level ACLs + ownership flags.
  • Ownership is not automatic: ACLs don’t track ownership—designate the owner via an owner field on your entity and wire it to UserSecurityIdentity manually in your ACL setup.
  • TX boundary pitfalls: If creating ACLs within a Doctrine transaction, ensure your ACL provider uses the same connection/manager, or you will hit AclNotFoundException because the ACL rows are not yet committed.
  • Cache invalidation: Clear ACL caches (e.g., cache:clear --env=prod) after ACL changes—symfony/security-acl relies heavily on in-memory caching unless configured otherwise.
  • Legacy but stable: Though not actively developed (last release 2026), it’s battle-tested in Symfony 2.x–5.x apps. For new Symfony 6+ projects, consider migrating to symfony/permission (a modern, simpler alternative), but this package remains viable for maintenance.