79 changes: 43 additions & 36 deletions src/guide/security/authorization.md
Expand Up @@ -4,43 +4,47 @@ Authorization is the process of verifying that a user has enough permission to d

## Checking for permission <span id="checking-for-permission"></span>

You can check if a user has certain permissions by using `\Yiisoft\User\User` service:
You can check if a user has certain permissions by using `\Yiisoft\User\CurrentUser` service:

```php
namespace App\Blog\Post;

use Yiisoft\Router\CurrentRoute;
use Yiisoft\User\User;
use Yiisoft\User\CurrentUser;
use Yiisoft\Router\HydratorAttribute\RouteArgument;
use Psr\Http\Message\ResponseInterface;

final readonly class PostController
{
public function actionEdit(CurrentRoute $route, User $user, PostRepository $postRepository)
public function __construct(
private PostRepositoryInterface $postRepository,
private CurrentUser $user
)
{
$postId = $route->getArgument('id');
if ($postId === null) {
// respond with 404
}

$post = $postRepository->findByPK($postId);
}

public function update(#[RouteArgument('id')] int $id): ResponseInterface
{
$post = $this->postRepository->findByPK($id);
if ($post === null) {
// respond with 404
// respond with 404
}

if (!$this->canEditPost($user, $post)) {
// respond with 403
if (!$this->canCurrentUserUpdatePost($post)) {
// respond with 403
}
// continue with editing a post

// continue with updating the post
}
private function canEditPost(User $user, Post $post): bool

private function canCurrentUserUpdatePost(Post $post): bool
{
return $post->getAuthorId() === $user->getId() || $user->can('updatePost');
return $post->getAuthorId() === $this->user->getId() &&
$this->user->can('updatePost');
}
}
```

Behind the scenes, `Yiisoft\Yii\Web\User\User::can()` method calls `\Yiisoft\Access\AccessCheckerInterface::userHasPermission()`
Behind the scenes, `Yiisoft\User\CurrentUser::can()` method calls `Yiisoft\Access\AccessCheckerInterface::userHasPermission()`
so you should provide an implementation in dependency container in order for it to work.

## Role-based access control (RBAC) <span id="rbac"></span>
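Review bot: the `||` in `canEditPost` became `&&` in `canCurrentUserUpdatePost`, which silently changes the authorization rule rather than just the wording: before, a user could update a post if they were its author OR held `updatePost`; now they must be the author AND hold `updatePost`, so a post's author without that permission is locked out and a moderator with `updatePost` can no longer touch other people's posts. If the stricter rule is intended, the surrounding prose (and the "continue with updating the post" comment) should say so; otherwise keep `||`, e.g. `return $post->getAuthorId() === $this->user->getId() || $this->user->can('updatePost');`. Separately, both guards (`// respond with 404`, `// respond with 403`) are comments with no `return`, so as written the method falls through to `canCurrentUserUpdatePost(null)` on a missing post; a `return` in each branch, even as a placeholder comment like `// ... return a 404 response here`, would make the deny-by-default flow explicit.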
Expand Down Expand Up @@ -365,33 +369,36 @@ The check is done similarly to how it was done in the first section of this guid
```php
namespace App\Blog\Post;

use Psr\Http\Message\ServerRequestInterface;
use Yiisoft\User\User;
use Yiisoft\User\CurrentUser;
use Yiisoft\Router\HydratorAttribute\RouteArgument;
use Psr\Http\Message\ResponseInterface;

final readonly class PostController
{
public function actionEdit(ServerRequestInterface $request, User $user, PostRepository $postRepository)
public function __construct(
private PostRepositoryInterface $postRepository,
private CurrentUser $user
)
{
$postId = $request->getAttribute('id');
if ($postId === null) {
// respond with 404
}

$post = $postRepository->findByPK($postId);
}

public function update(#[RouteArgument('id')] int $id): ResponseInterface
{
$post = $this->postRepository->findByPK($id);
if ($post === null) {
// respond with 404
// respond with 404
}

if (!$this->canEditPost($user, $post)) {
// respond with 403
if (!$this->canCurrentUserUpdatePost($post)) {
// respond with 403
}
// continue with editing a post

// continue with updating the post
}
private function canEditPost(User $user, Post $post): bool

private function canCurrentUserUpdatePost(Post $post): bool
{
return $user->can('updatePost', ['post' => $post]);
return $this->user->can('updatePost', ['post' => $post]);
}
}
```
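Review bot: same fall-through issue as in the first example: the `// respond with 404` and `// respond with 403` branches have no `return`, so the example as written continues past a null `$post` or a failed `can()` check, which is the opposite of what an authorization guide should model; add an explicit return (or a "return here" comment) to each branch. Also, since this controller is byte-for-byte the one above except for the body of `canCurrentUserUpdatePost`, consider showing only that method here and pointing back to the first section, so readers see that the only change for RBAC is passing `['post' => $post]` to `can()` and letting the rule decide authorship.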