API Services AuthorizationServiceInterface - evansims/openfga-php GitHub Wiki
Service interface for authorization operations. This interface defines methods for all authorization operations including permission checks, relationship expansions, and object/user listing. It provides a focused API for authorization decisions separate from store and model management operations.
OpenFGA\Services
- AuthorizationService (implementation)
```php
public function batchCheck(
    StoreInterface|string $store,
    AuthorizationModelInterface|string $model,
    BatchCheckItemsInterface $checks,
): FailureInterface|SuccessInterface
```
Performs multiple authorization checks in a single batch request. This method allows checking multiple user-object relationships simultaneously for better performance when multiple authorization decisions are needed. Each check in the batch has a correlation ID to map results back to the original requests.
| Name | Type | Description |
|---|---|---|
| `$store` | `StoreInterface \| string` | The store to check against |
| `$model` | `AuthorizationModelInterface \| string` | The authorization model to use |
| `$checks` | `BatchCheckItemsInterface` | The batch check items with correlation IDs |

`FailureInterface | SuccessInterface` — Success with `BatchCheckResponse`, or Failure with error details
```php
public function check(
    StoreInterface|string $store,
    AuthorizationModelInterface|string $model,
    TupleKeyInterface $tupleKey,
    bool|null $trace = NULL,
    object|null $context = NULL,
    TupleKeysInterface|null $contextualTuples = NULL,
    Consistency|null $consistency = NULL,
): FailureInterface|SuccessInterface
```
Checks if a user has a specific relationship with an object. This method verifies whether the specified user has the given relationship (like 'reader', 'writer', or 'owner') with the target object. It's the core operation for making authorization decisions in your application.
| Name | Type | Description |
|---|---|---|
| `$store` | `StoreInterface \| string` | The store to check against |
| `$model` | `AuthorizationModelInterface \| string` | The authorization model to use |
| `$tupleKey` | `TupleKeyInterface` | The relationship to check |
| `$trace` | `bool \| null` | Whether to include a trace in the response |
| `$context` | `object \| null` | Additional context for the check |
| `$contextualTuples` | `TupleKeysInterface \| null` | Additional tuples for contextual evaluation |
| `$consistency` | `Consistency \| null` | Override the default consistency level |

`FailureInterface | SuccessInterface` — Success with `CheckResponse`, or Failure with error details
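A fail-closed wrapper around `check()`, as an added example that is not part of this wiki or of the library's own code. `isAllowed()` is a hypothetical helper; the `OpenFGA\Models`, `OpenFGA\Responses` and `OpenFGA\Results` namespaces and the `unwrap()` / `getAllowed()` accessors are assumptions about the library's result API and should be checked against the installed version.

```php
<?php

declare(strict_types=1);

// Assumed import paths (only OpenFGA\Services appears on this page).
use OpenFGA\Models\TupleKeyInterface;
use OpenFGA\Responses\CheckResponseInterface;
use OpenFGA\Results\SuccessInterface;
use OpenFGA\Services\AuthorizationServiceInterface;

/**
 * Hypothetical helper: turns the FailureInterface|SuccessInterface result of
 * check() into a strict boolean. Anything other than an explicit
 * "allowed: true" is treated as a denial.
 */
function isAllowed(
    AuthorizationServiceInterface $authz,
    string $storeId,
    string $modelId,
    TupleKeyInterface $tupleKey,
): bool {
    // Parameter names match the check() signature documented above.
    $result = $authz->check(
        store: $storeId,
        model: $modelId,
        tupleKey: $tupleKey,
    );

    // A Failure carries error details, not a decision: deny and log it so
    // an outage of the authorization backend is visible to operators.
    if (! $result instanceof SuccessInterface) {
        error_log('authorization check failed; denying by default');

        return false;
    }

    // Assumption: unwrap() returns the wrapped CheckResponse.
    $response = $result->unwrap();
    if (! $response instanceof CheckResponseInterface) {
        return false;
    }

    // Assumption: getAllowed() returns ?bool. Strict comparison means a
    // null or otherwise non-true value never grants access.
    return true === $response->getAllowed();
}
```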
```php
public function expand(
    StoreInterface|string $store,
    TupleKeyInterface $tupleKey,
    AuthorizationModelInterface|string|null $model = NULL,
    TupleKeysInterface|null $contextualTuples = NULL,
    Consistency|null $consistency = NULL,
): FailureInterface|SuccessInterface
```
Expands a relationship tuple to show all users that have the relationship. This method recursively expands a relationship to reveal all users who have access through direct assignment, group membership, or computed relationships. It's useful for understanding why a user has a particular permission.
| Name | Type | Description |
|---|---|---|
| `$store` | `StoreInterface \| string` | The store containing the tuple |
| `$tupleKey` | `TupleKeyInterface` | The tuple to expand |
| `$model` | `AuthorizationModelInterface \| string \| null` | The authorization model to use |
| `$contextualTuples` | `TupleKeysInterface \| null` | Additional tuples for contextual evaluation |
| `$consistency` | `Consistency \| null` | Override the default consistency level |

`FailureInterface | SuccessInterface` — Success with `ExpandResponse`, or Failure with error details
```php
public function listObjects(
    StoreInterface|string $store,
    AuthorizationModelInterface|string $model,
    string $type,
    string $relation,
    string $user,
    object|null $context = NULL,
    TupleKeysInterface|null $contextualTuples = NULL,
    Consistency|null $consistency = NULL,
): FailureInterface|SuccessInterface
```
Lists objects that have a specific relationship with a user. This method finds all objects of a given type that the specified user has a particular relationship with. It's useful for building filtered lists based on user permissions (for example "show all documents the user can read").
| Name | Type | Description |
|---|---|---|
| `$store` | `StoreInterface \| string` | The store to query |
| `$model` | `AuthorizationModelInterface \| string` | The authorization model to use |
| `$type` | `string` | The type of objects to list |
| `$relation` | `string` | The relationship to check |
| `$user` | `string` | The user to check relationships for |
| `$context` | `object \| null` | Additional context for evaluation |
| `$contextualTuples` | `TupleKeysInterface \| null` | Additional tuples for contextual evaluation |
| `$consistency` | `Consistency \| null` | Override the default consistency level |

`FailureInterface | SuccessInterface` — Success with `ListObjectsResponse`, or Failure with error details
```php
public function listUsers(
    StoreInterface|string $store,
    AuthorizationModelInterface|string $model,
    string $object,
    string $relation,
    UserTypeFiltersInterface $userFilters,
    object|null $context = NULL,
    TupleKeysInterface|null $contextualTuples = NULL,
    Consistency|null $consistency = NULL,
): FailureInterface|SuccessInterface
```
Lists users that have a specific relationship with an object. This method finds all users (and optionally groups) that have a particular relationship with a specific object. It's useful for auditing access or building user interfaces that show who has permissions.
| Name | Type | Description |
|---|---|---|
| `$store` | `StoreInterface \| string` | The store to query |
| `$model` | `AuthorizationModelInterface \| string` | The authorization model to use |
| `$object` | `string` | The object to check relationships for |
| `$relation` | `string` | The relationship to check |
| `$userFilters` | `UserTypeFiltersInterface` | Filters for user types to include |
| `$context` | `object \| null` | Additional context for evaluation |
| `$contextualTuples` | `TupleKeysInterface \| null` | Additional tuples for contextual evaluation |
| `$consistency` | `Consistency \| null` | Override the default consistency level |

`FailureInterface | SuccessInterface` — Success with `ListUsersResponse`, or Failure with error details
```php
public function streamedListObjects(
    StoreInterface|string $store,
    AuthorizationModelInterface|string $model,
    string $type,
    string $relation,
    string $user,
    object|null $context = NULL,
    TupleKeysInterface|null $contextualTuples = NULL,
    Consistency|null $consistency = NULL,
): FailureInterface|SuccessInterface
```
Lists objects that a user has a specific relationship with using streaming. This method finds all objects of a given type where the specified user has the requested relationship, returning results as a stream for efficient processing of large datasets. The streaming approach is memory-efficient for large result sets.
| Name | Type | Description |
|---|---|---|
| `$store` | `StoreInterface \| string` | The store to query |
| `$model` | `AuthorizationModelInterface \| string` | The authorization model to use |
| `$type` | `string` | The object type to filter by |
| `$relation` | `string` | The relationship to check |
| `$user` | `string` | The user to check relationships for |
| `$context` | `object \| null` | Additional context for evaluation |
| `$contextualTuples` | `TupleKeysInterface \| null` | Additional tuples for contextual evaluation |
| `$consistency` | `Consistency \| null` | Override the default consistency level |

`FailureInterface | SuccessInterface` — Success with `Generator<StreamedListObjectsResponse>`, or Failure with error details