Awesome-claude-code create-access-control

Generates Access Control components for PHP 8.4. Creates RBAC/ABAC components with PermissionInterface, RoleInterface, VoterInterface, AccessDecisionManager. Includes unit tests.

install

source · Clone the upstream repo

git clone https://github.com/dykyi-roman/awesome-claude-code

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/dykyi-roman/awesome-claude-code "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/create-access-control" ~/.claude/skills/dykyi-roman-awesome-claude-code-create-access-control && rm -rf "$T"

manifest: skills/create-access-control/SKILL.md

source content

Access Control Generator

Creates access control infrastructure for RBAC/ABAC authorization patterns.

When to Use

Scenario	Example
Role-based access	Admin, editor, viewer roles
Resource ownership	Users can only edit own resources
Attribute-based rules	Access based on resource state or user attributes
Complex authorization	Multiple voters with different strategies

Component Characteristics

Permission

Enum defining available permissions
Hierarchical: parent permissions include children
Type-safe, no magic strings

Role

Value Object encapsulating role with permissions
Supports role hierarchy (admin inherits editor permissions)
Immutable, self-validating

VoterInterface

Symfony-style voter contract
Returns GRANT, DENY, or ABSTAIN
Single responsibility: one voter per concern

AccessDecisionManager

Aggregates multiple voters
Strategies: affirmative (one grant), unanimous (all grant), consensus (majority grants)
Configurable per security context

ResourceOwnerVoter

Checks if authenticated user owns the resource
Works with any entity implementing OwnableInterface
Returns ABSTAIN for non-ownable resources

RoleVoter

Checks if user has required role for the permission
Supports role hierarchy traversal
Returns ABSTAIN when permission not role-based

Generation Process

Step 1: Generate Core Components

Path:

src/Infrastructure/Security/AccessControl/

```
Permission.php
```
— Permission enum
```
Role.php
```
— Role value object with hierarchy
```
AccessSubject.php
```
— Value object wrapping the authenticated user context

Step 2: Generate Voter System

Path:

src/Infrastructure/Security/AccessControl/

```
VoterInterface.php
```
— Voter contract with GRANT/DENY/ABSTAIN
```
Vote.php
```
— Vote result enum
```
AccessDecisionManager.php
```
— Voter aggregation with strategies
```
DecisionStrategy.php
```
— Strategy enum (affirmative, unanimous, consensus)

Step 3: Generate Concrete Voters

Path:

src/Infrastructure/Security/AccessControl/Voter/

```
RoleVoter.php
```
— Role hierarchy voter
```
ResourceOwnerVoter.php
```
— Resource ownership voter

Step 4: Generate Tests

```
RoleTest.php
```
— Role hierarchy tests
```
AccessDecisionManagerTest.php
```
— Strategy decision tests
```
RoleVoterTest.php
```
— Role voter tests

File Placement

Component	Path
Core Classes	`src/Infrastructure/Security/AccessControl/`
Voters	`src/Infrastructure/Security/AccessControl/Voter/`
Unit Tests	`tests/Unit/Infrastructure/Security/AccessControl/`

Naming Conventions

Component	Pattern	Example
Permission	`Permission`	`Permission::Edit`
Role	`Role`	`Role`
Voter Interface	`VoterInterface`	`VoterInterface`
Concrete Voter	`{Context}Voter`	`RoleVoter`
Decision Manager	`AccessDecisionManager`	`AccessDecisionManager`
Strategy Enum	`DecisionStrategy`	`DecisionStrategy::Affirmative`
Vote Enum	`Vote`	`Vote::Grant`
Test	`{ClassName}Test`	`AccessDecisionManagerTest`

Quick Template Reference

Permission

enum Permission: string
{
    case View = 'view';
    case Create = 'create';
    case Edit = 'edit';
    case Delete = 'delete';
    case Manage = 'manage';
}

VoterInterface

interface VoterInterface
{
    public function vote(AccessSubject $subject, Permission $permission, mixed $resource = null): Vote;
}

AccessDecisionManager

final readonly class AccessDecisionManager
{
    /** @param list<VoterInterface> $voters */
    public function __construct(
        private array $voters,
        private DecisionStrategy $strategy = DecisionStrategy::Affirmative
    ) {}

    public function isGranted(AccessSubject $subject, Permission $permission, mixed $resource = null): bool;
}

Usage Example

$manager = new AccessDecisionManager(
    voters: [new RoleVoter(), new ResourceOwnerVoter()],
    strategy: DecisionStrategy::Affirmative
);

$subject = new AccessSubject(userId: $user->id(), roles: $user->roles());

if ($manager->isGranted($subject, Permission::Edit, $article)) {
    $article->update($data);
}

Decision Strategies

Affirmative: ANY voter grants → GRANTED   (default, most permissive)
Consensus:   MAJORITY grants → GRANTED    (balanced)
Unanimous:   ALL voters grant → GRANTED   (most restrictive)

Anti-patterns to Avoid

Anti-pattern	Problem	Solution
String permissions	Typos, no IDE support	Use Permission enum
Inline auth checks	Scattered, unmaintainable	Centralize in voters
God voter	Single voter with all logic	One voter per concern
No ABSTAIN support	Voter must decide everything	ABSTAIN when not applicable
Flat roles	No inheritance, duplication	Role hierarchy
Missing resource check	Only role-based, no ownership	Add ResourceOwnerVoter

References

For complete PHP templates and examples, see:

```
references/templates.md
```
— Permission, Role, VoterInterface, AccessDecisionManager, Voter templates
```
references/examples.md
```
— Authorization examples and tests