April 30, 2026

TinyAuth Backend

TinyAuthBackend gives you a database-backed admin UI for permissions and roles.

The package supports four practical usage strategies, arranged as a ladder you can climb as your project's needs grow:

  1. Adapter-only TinyAuth: keep classic TinyAuth allow + acl behavior, but store those rules in the database instead of INI files.
  2. Full TinyAuthBackend: use the admin UI plus resources, scopes, role hierarchy, and TinyAuthPolicy/TinyAuthService for entity authorization.
  3. Backend UI + native CakePHP auth: keep CakePHP Authentication/Authorization as your runtime layer and use this package mainly as a DB-backed permission management UI.
  4. External role source: drive role aliases from a JWT claim, an LDAP group, an SSO gateway, or any other source outside the plugin, while keeping ACL/resource assignments in the backend.

Admin URL

The plugin mounts under:

/admin/auth

Common sections:

| URL | Purpose |
| --- | --- |
| /admin/auth/allow | Public action management |
| /admin/auth/acl | Controller/action ACL matrix |
| /admin/auth/roles | Roles and hierarchy |
| /admin/auth/resources | Resource abilities |
| /admin/auth/scopes | Field-based scopes |
| /admin/auth/sync/controllers | Scan controllers/actions into DB |
| /admin/auth/sync/resources | Scan entities/resources into DB |

Admin Access

The plugin expects the host app to decide who may manage /admin/auth. It fails closed by default: regardless of debug mode, every admin request is rejected with 403 until you configure a gate. Set TinyAuthBackend.adminAccess to a Closure that returns literal true for permitted callers:

use Cake\Core\Configure;
use Cake\Http\ServerRequest;

Configure::write(
    'TinyAuthBackend.adminAccess',
    function (ServerRequest $request): bool {
        // Identity is set by the host app's authentication middleware; null means anonymous.
        $identity = $request->getAttribute('identity');

        // Only an authenticated caller with role_id 3 may manage /admin/auth;
        // anything else (including a missing identity) falls through to false.
        return $identity !== null
            && (int)($identity->get('role_id') ?? 0) === 3;
    },
);

The legacy TinyAuthBackend.editorCheck callable is still honored when adminAccess is unset (with a deprecation warning); see Authentication.md for the migration steps.
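The gate above hard-codes a single role id. The following is an added example, not code from the plugin or its documentation, of the same fail-closed gate generalized to an allow-list of role ids and extended to log every rejected request so that probing of the admin UI shows up in the application log. The config key TinyAuthBackend.adminRoleIds is a hypothetical one chosen for this example; the plugin only defines TinyAuthBackend.adminAccess. Cake\Log\Log, ServerRequest::clientIp() and getRequestTarget() are standard CakePHP/PSR-7 APIs.

```php
<?php
// Added example (not the plugin's own code): a fail-closed adminAccess gate
// driven by a hypothetical allow-list config key 'TinyAuthBackend.adminRoleIds'.
use Cake\Core\Configure;
use Cake\Http\ServerRequest;
use Cake\Log\Log;

// Hypothetical key set by the host app; constructed value for this example.
Configure::write('TinyAuthBackend.adminRoleIds', [3]);

Configure::write(
    'TinyAuthBackend.adminAccess',
    function (ServerRequest $request): bool {
        $identity = $request->getAttribute('identity');
        $allowed = (array)Configure::read('TinyAuthBackend.adminRoleIds', []);

        // Anonymous callers get role id 0, which never matches the allow-list.
        $roleId = $identity !== null ? (int)($identity->get('role_id') ?? 0) : 0;

        // Strict in_array: an empty allow-list, a missing identity or a
        // string/int mismatch all deny. Nothing here can return true by accident.
        $granted = $roleId > 0 && in_array($roleId, $allowed, true);

        if (!$granted) {
            // Record the denial so repeated attempts against /admin/auth are visible.
            Log::warning(sprintf(
                'TinyAuthBackend admin access denied: role_id=%d ip=%s target=%s',
                $roleId,
                $request->clientIp(),
                $request->getRequestTarget(),
            ));
        }

        // The plugin requires literal true; $granted is already a bool.
        return $granted;
    },
);
```

The closure keeps the plugin's fail-closed contract: if the host app forgets to populate the allow-list, every admin request is still rejected with 403, and the warning line tells you why.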

Which Guide Should I Read?

Feature Flags

You can force-enable or disable parts of the backend with TinyAuthBackend.features:

'TinyAuthBackend' => [
    'features' => [
        'allow' => true,
        'acl' => true,
        'roles' => true,
        'resources' => false,
        'scopes' => false,
    ],
],

This is useful when you only want the classic TinyAuth adapter functionality exposed in the UI.