Nymph user and group management with access controls.
The PHP implementation of Nymph/Tilmeld has been deprecated. It will no longer have any new features added. Instead, a new version of Nymph running on Node.js, written entirely in TypeScript, will replace the PHP implementation. You can find it over at the Nymph.js repo.
The fastest way to start building a Nymph app is with the Nymph App Template.
composer require sciactive/tilmeld-server
Tilmeld uses Nymph entities to store users and groups. It allows users to register and log in using the Nymph REST endpoint.
Tilmeld methods are available on the Tilmeld\Tilmeld class. (They are all static methods.)
User accounts can be created either in the setup app or by registering through the register function in PHP or the $register function in JS. There is a TilmeldLogin component in the tilmeld-components package that will build you a login/register form. The first user account registered in Tilmeld will be granted admin privileges with the system/admin ability.
Users are available as the Tilmeld\Entities\User class.
Groups are available as the Tilmeld\Entities\Group class.
Users can have only one primary group. It becomes the group of any entities they create. By default, Tilmeld will create a new primary group for every user.
Secondary groups are used to grant users additional abilities or give access to entities.
Tilmeld filters all calls to Nymph to allow users to only see and modify the entities they have access to. When a user creates an entity, their user becomes the user property of that entity, and their primary group becomes the group property. By default, entities will allow read/write/delete access to their user, read access to their group, and no access to other users.
You can use these constants for access control:
Tilmeld::FULL_ACCESS - Read/Edit/Save/Change AC/Delete access.
Tilmeld::WRITE_ACCESS - Read/Edit/Save access.
Tilmeld::READ_ACCESS - Read access.
Tilmeld::NO_ACCESS - No access.
The following properties are used on entities to control who has access:
$entity->user - The User who owns the entity.
$entity->group - The Group who owns the entity.
$entity->acUser - What access control level the owner user has. Defaults to Tilmeld::FULL_ACCESS.
$entity->acGroup - What access control level the owner group has. Defaults to Tilmeld::READ_ACCESS.
$entity->acOther - What access control level everyone else has. Defaults to Tilmeld::NO_ACCESS.
$entity->acRead - An array of users/groups who are granted Tilmeld::READ_ACCESS.
$entity->acWrite - An array of users/groups who are granted Tilmeld::WRITE_ACCESS.
$entity->acFull - An array of users/groups who are granted Tilmeld::FULL_ACCESS.
Abilities can be granted to users and/or their groups. When you call gatekeeper, it will check for the given ability.
The system/admin ability is special, and will cause gatekeeper to always return true for users with this ability. It will also let the user see, modify, and delete all entities, as if they had Tilmeld::FULL_ACCESS.
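A simplified model of the access rules described above, as an added example that is not Tilmeld's own code. The numeric constant values, the array shapes, the sample identifiers, and the rule that explicit grants only raise the ownership-based level are assumptions of this sketch.

```php
<?php
// Illustrative model, not Tilmeld's code. The numeric values and the
// precedence (owner, then owning group, then others) are assumptions.
const NO_ACCESS = 0;
const READ_ACCESS = 1;
const WRITE_ACCESS = 2;
const FULL_ACCESS = 4;

/** Effective access level of $user (null = not logged in) on $entity. */
function effectiveAccess(array $entity, ?array $user): int
{
    $acOther = $entity['acOther'] ?? NO_ACCESS;
    if ($user === null) {
        return $acOther;
    }
    if (in_array('system/admin', $user['abilities'], true)) {
        return FULL_ACCESS; // system/admin behaves as FULL_ACCESS everywhere
    }
    // Every identity the user can match: self, primary and secondary groups.
    $ids = array_merge([$user['id'], $user['group']], $user['groups']);

    // Ownership-based level, using the defaults listed on the page.
    if ($entity['user'] === $user['id']) {
        $level = $entity['acUser'] ?? FULL_ACCESS;
    } elseif (in_array($entity['group'], $ids, true)) {
        $level = $entity['acGroup'] ?? READ_ACCESS;
    } else {
        $level = $acOther;
    }
    // Explicit grants can raise the level but never lower it.
    $grants = ['acRead' => READ_ACCESS, 'acWrite' => WRITE_ACCESS, 'acFull' => FULL_ACCESS];
    foreach ($grants as $prop => $granted) {
        if (array_intersect($entity[$prop] ?? [], $ids)) {
            $level = max($level, $granted);
        }
    }
    return $level;
}

// Constructed sample data: a note owned by alice, writable by the editors group.
$note  = ['user' => 'u:alice', 'group' => 'g:alice', 'acWrite' => ['g:editors']];
$alice = ['id' => 'u:alice', 'group' => 'g:alice', 'groups' => [], 'abilities' => []];
$bob   = ['id' => 'u:bob', 'group' => 'g:bob', 'groups' => ['g:editors'], 'abilities' => []];
$carol = ['id' => 'u:carol', 'group' => 'g:carol', 'groups' => [], 'abilities' => []];
$root  = ['id' => 'u:root', 'group' => 'g:root', 'groups' => [], 'abilities' => ['system/admin']];

foreach (['alice' => $alice, 'bob' => $bob, 'carol' => $carol, 'root' => $root, 'guest' => null] as $name => $u) {
    printf("%-5s => %d\n", $name, effectiveAccess($note, $u));
}
```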
The tilmeld/admin ability allows the user to see the setup app and modify all users/groups except ones with the system/admin ability. Changes to a user's email by a Tilmeld admin do not require verification. A Tilmeld admin can't grant system/admin to a user or group directly, but they can assign groups. If a group held the system/admin ability, a Tilmeld admin could give that ability to a user simply by assigning the group, so don't grant a group the system/admin ability.
Tilmeld, by default, is configured to generate a primary group for every new user. When the user is changed, that information is propagated to the group.
See the full API docs at https://tilmeld.org/api/server/latest