
Releases: dereuromark/cakephp-tinyauth-backend

3.2.1

04 May 01:16
66bd8b5


Fixes

  • RoleSourceService::pruneExternalRoles(): empty external-source result now skips the prune instead of wiping all shadow rows. Previously a transient empty $expectedAliases (a callable that swallowed an exception, a Configure path that did not resolve yet during bootstrap, an upstream service blip) on any read path through getRoles() would delete every row in tinyauth_roles and cascade-destroy the FK'd permission rows. The new behavior treats empty as "skip this request"; operators that genuinely want to clear shadow rows do so via the table directly. Regression test added.

Improvements

  • User-facing strings in src/ and templates/ now use the plugin-specific tinyauth_backend i18n domain (__d('tinyauth_backend', ...), __dn('tinyauth_backend', ...)) instead of leaking into the host app's default domain. New resources/locales/tinyauth_backend.pot (generated via cake i18n extract) ships as the canonical translation template. Note for translators: existing host-app translations of these strings under the default domain will no longer apply — relocate them into the tinyauth_backend domain.

Full Changelog: 3.2.0...3.2.1

3.2.0

30 Apr 02:47
fc95a6c


Important

Action required when upgrading: Configure TinyAuthBackend.adminAccess as a Closure that returns literal true for permitted requests. Without it the admin UI responds with HTTP 403 — regardless of debug mode. Existing installs that relied on the previous debug=true default will start 403'ing until a Closure is set (one line in config/bootstrap.php).

Security

  • Default-deny admin access; deprecate editorCheck in favor of adminAccess (#29)
  • The TinyAuthBackend admin UI manages authorization rules, so accidental exposure is RCE-equivalent. The previous default installed an editorCheck that allowed all access when debug=true, leaving the admin wide open in any dev/staging environment that happened to ship with debug on.
  • Switches to a strict default-deny model, mirroring the captcha/scheduler pattern: anything other than a Closure returning literal true (unset, non-Closure, returning false, returning a truthy non-bool, or throwing) yields a 403, regardless of debug mode.
  • config/bootstrap.php no longer ships a default Closure — "nothing set" now genuinely means "denied".
  • Precedence when both are set: adminAccess wins, editorCheck is ignored.
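The one-line bootstrap change described above, as an added example (not the plugin's shipped config). It assumes the plugin invokes the Closure with the current ServerRequest and that an authenticated identity is exposed as the request's "identity" attribute (the cakephp/authentication convention); the exact Closure signature is not stated in these notes, so check the plugin docs before copying it.

```php
<?php
// config/bootstrap.php of the host app (added example, not the plugin's own code).
// Assumption: the plugin calls this Closure with the current ServerRequest and the
// cakephp/authentication identity is available as the "identity" request attribute.
declare(strict_types=1);

use Cake\Core\Configure;
use Cake\Http\ServerRequest;

// What you do NOT want: a check that reproduces the pre-3.2.0 editorCheck default,
// granting the whole admin UI whenever debug mode happens to be on.
// Configure::write('TinyAuthBackend.adminAccess', fn () => Configure::read('debug'));

// Default-deny: only a Closure returning literal `true` opens /admin/auth/*.
Configure::write('TinyAuthBackend.adminAccess', function (ServerRequest $request): bool {
    $identity = $request->getAttribute('identity');
    if ($identity === null) {
        return false; // unauthenticated request: denied
    }

    // Return a strict bool. A truthy non-bool (1, 'admin', a role object) is
    // still treated as denied by the plugin, as are exceptions thrown here.
    return $identity->get('role') === 'admin';
});
```

If a legacy TinyAuthBackend.editorCheck is still present in the same config, it is ignored once adminAccess is set, so the deprecated key can be removed in the same commit.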

Full Changelog: 3.1.0...3.2.0

3.1.0

26 Apr 11:42
e7b866c


Fixes

  • Resource sync now respects the per-plugin exclude configuration; previously excluded plugins still had their entities scanned into the resource tables.

Improvements

  • Add bin/cake tiny_auth_backend sync CLI command for non-interactive controller and resource synchronization (#23). Equivalent to clicking Sync in the admin UI, suitable for deploy hooks and CI.
  • Admin UI now runs under strict Content-Security-Policy out of the box — no unsafe-eval, no unsafe-inline. Alpine.js is replaced with native <details>/<summary> for the controller tree and a small data-attribute controller in tinyauth.js for dropdowns and dark-mode toggling. The Tailwind Play CDN is replaced with a pre-compiled webroot/css/tailwind.css (regenerate via composer assets when adding new utility classes — see docs/Assets.md). Remaining inline style attributes are converted to CSS classes or JS-driven el.style mutation. The included CspComplianceTest guards against regressions. (#24, #25, #27)
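To show what a CSP regression guard of the kind mentioned above has to catch, here is an added example: a small template scan that flags the constructs a strict policy without unsafe-inline or unsafe-eval will block (inline style attributes, inline event handlers, inline script bodies, javascript: URLs). This is not the plugin's CspComplianceTest; the patterns, the asset path and the before/after fragments are constructed for illustration.

```php
<?php
// Added example: scan template HTML for constructs a strict CSP rejects.
// Not the plugin's CspComplianceTest; patterns and sample markup are constructed.
declare(strict_types=1);

/**
 * Return human-readable findings for markup that needs 'unsafe-inline' or
 * 'unsafe-eval' to run. An empty array means the fragment is CSP-clean.
 */
function cspViolations(string $html): array
{
    $checks = [
        'inline style attribute' => '/<[^>]+\sstyle\s*=\s*["\']/i',
        'inline event handler'   => '/<[^>]+\son[a-z]+\s*=\s*["\']/i',
        // <script> with a body but no src= attribute
        'inline script body'     => '/<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*\S/i',
        'javascript: URL'        => '/\b(?:href|src)\s*=\s*["\']\s*javascript:/i',
    ];

    $findings = [];
    foreach ($checks as $label => $pattern) {
        $hits = preg_match_all($pattern, $html, $matches);
        if ($hits > 0) {
            $findings[] = sprintf('%s (%d)', $label, $hits);
        }
    }

    return $findings;
}

// Constructed "before" fragment: Alpine state, inline style, inline handler, inline script.
$before = <<<'HTML'
<div x-data="{ open: false }" style="display:none">
  <button onclick="open = !open">Menu</button>
  <script>window.init = function () { eval('1+1'); };</script>
</div>
HTML;

// Constructed "after" fragment: state moved to classes/data attributes, behaviour
// loaded from an external file (the asset path is assumed, not taken from the plugin).
$after = <<<'HTML'
<div class="dropdown hidden" data-dropdown>
  <button type="button" data-dropdown-toggle>Menu</button>
</div>
<script src="/tiny_auth_backend/js/tinyauth.js"></script>
HTML;

print_r(cspViolations($before));
print_r(cspViolations($after));
```

Run over a plugin's templates/ directory inside a PHPUnit test, a scan like this fails the build the moment someone reintroduces an inline style or handler, which is the cheap way to keep the "works under strict CSP" guarantee from silently eroding.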

Full Changelog: 3.0.0...3.1.0

3.0.0

11 Apr 16:07
7e0427a


A complete rewrite with a modern, normalized database schema, reactive admin UI, and first-class support for the cakephp/authorization plugin.


Breaking Changes

  • Database schema completely redesigned — legacy tables acl_rules and allow_rules are dropped automatically by the migration
  • No automatic data migration — existing permissions must be re-configured via the new admin UI or re-imported from INI files (bin/cake tiny_auth_backend import allow / acl)
  • Minimum PHP 8.2 required
  • CakePHP 5.1 required

New Features

Normalized Database Schema

8 properly normalized tables replacing the previous 2-table structure:

Table                        Purpose
tinyauth_roles               User roles with hierarchy support
tinyauth_controllers         Discovered controllers (plugin/prefix/name)
tinyauth_actions             Controller actions with public flag
tinyauth_acl_permissions     Role-to-action permission mappings (with optional rule descriptions)
tinyauth_resources           Entity resources for resource-based auth
tinyauth_resource_abilities  Resource abilities (view, edit, delete, etc.)
tinyauth_scopes              Reusable permission conditions (e.g., "own records only")
tinyauth_resource_acl        Resource-to-role permission mappings with scope support

Modern Admin UI

  • Tree+Matrix UI: Controller tree navigation with permission matrix view
  • HTMX+Alpine.js: Reactive updates without page reloads
  • Standalone Layout: Self-contained with Tailwind CSS, dark/light theme support
  • Drag-and-drop: Role ordering with parent/child hierarchy
  • Inherited permissions rendered in a distinct state so you can tell at a glance which cells come from a direct rule vs. role hierarchy
  • Optional rule descriptions editable from the toggle endpoint and surfaced as cell tooltips, so rules can document their own rationale ("legacy carve-out", "own-records only") inline

Role Hierarchy

  • Define parent/child relationships between roles
  • Higher roles inherit lower-role permissions
  • Visual hierarchy management with drag-and-drop ordering
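The inheritance described under Role Hierarchy, together with the direct-vs-inherited distinction the admin UI renders, as an added example. This is an illustration written for these notes, not the plugin's HierarchyService or its schema: the role and rule data are constructed, and the direction "a higher role inherits every grant of the roles below it" is assumed from the bullet above.

```php
<?php
// Added example: resolve effective grants through a role hierarchy and record
// whether each grant is direct or inherited. Not the plugin's code; data is constructed.
declare(strict_types=1);

// Assumption: key = higher role, value = the lower roles it inherits from.
$hierarchy = [
    'admin'  => ['editor'],
    'editor' => ['author'],
    'author' => [],
];

// Direct rules only: role => list of "Controller::action" grants.
$directRules = [
    'author' => ['Posts::index', 'Posts::add'],
    'editor' => ['Posts::edit'],
    'admin'  => ['Posts::delete'],
];

/** All roles below $role, transitively, with a cycle guard. */
function lowerRoles(string $role, array $hierarchy, array &$seen = []): array
{
    $out = [];
    foreach ($hierarchy[$role] ?? [] as $lower) {
        if (isset($seen[$lower])) {
            continue; // a malformed hierarchy must not recurse forever
        }
        $seen[$lower] = true;
        $out[] = $lower;
        $out = array_merge($out, lowerRoles($lower, $hierarchy, $seen));
    }

    return $out;
}

/**
 * grant => 'direct' | 'inherited:<role>' for $role. A direct rule always wins
 * over an inherited one, so a UI can show at a glance where a cell comes from.
 */
function effectivePermissions(string $role, array $hierarchy, array $directRules): array
{
    $result = [];
    foreach ($directRules[$role] ?? [] as $grant) {
        $result[$grant] = 'direct';
    }
    foreach (lowerRoles($role, $hierarchy) as $lower) {
        foreach ($directRules[$lower] ?? [] as $grant) {
            $result[$grant] ??= 'inherited:' . $lower;
        }
    }
    ksort($result);

    return $result;
}

function isAllowed(string $role, string $grant, array $hierarchy, array $directRules): bool
{
    return isset(effectivePermissions($role, $hierarchy, $directRules)[$grant]);
}

print_r(effectivePermissions('admin', $hierarchy, $directRules));
var_dump(isAllowed('author', 'Posts::delete', $hierarchy, $directRules));
```

The cycle guard matters more than it looks: a hierarchy edited by drag-and-drop can end up with a role that is its own ancestor, and a naive recursive resolver would hang the permission check for every request.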

Resource-Based Permissions

  • Entity-level authorization (not just controller actions)
  • Define abilities per resource (view, edit, delete, publish, etc.)
  • Scope support for conditional access (e.g., "own records", "same team")

Controller & Resource Sync

  • Auto-discovery of controllers and actions from your application
  • Auto-discovery of entity resources
  • One-click sync to keep permissions in sync with code changes

Authorization Integration

  • TinyAuthPolicy for seamless cakephp/authorization integration
  • TinyAuthService for programmatic permission checks
  • Scope-aware queries for filtered results
  • Composite adapters (CompositeAllowAdapter / CompositeAclAdapter) let you keep classic auth_allow.ini / auth_acl.ini rules and layer DB-backed rules on top, served by one adapter slot. The main gradual-adoption path for existing apps.
  • Optional TinyAuthBackend.editorCheck hook — configurable callable that gates /admin/auth/* at the plugin level, so you can reject authenticated-but-not-privileged users without touching your host middleware.

Services

  • TinyAuthService — Central permission checking
  • HierarchyService — Role hierarchy traversal
  • ControllerSyncService — Controller/action discovery
  • ResourceSyncService — Resource/ability discovery
  • ImportExportService — JSON/CSV export and legacy INI import
  • FeatureService — Enable/disable features
  • RoleSourceService — Flexible role data sources (table, Configure path, array, callable)

Screenshots

Dashboard

ACL Matrix

Allow Management

Roles

Resources

Scopes

Migration Guide

1. Update composer

composer require dereuromark/cakephp-tinyauth-backend:^3.0

2. Run migrations

bin/cake migrations migrate -p TinyAuthBackend

This will:

  • Drop legacy acl_rules and allow_rules tables
  • Create the 8 new normalized tables

3. Initialize roles

bin/cake tiny_auth_backend init admin

Or configure in config/roles.php.

4. Re-import permissions (optional)

If you have existing INI files:

bin/cake tiny_auth_backend import allow
bin/cake tiny_auth_backend import acl

5. Sync controllers

Navigate to /admin/auth/sync/controllers and click "Sync All" to discover your application's controllers.

6. Configure permissions

Use the new admin UI at /admin/auth/ to set up your permission matrix.

Demo Application

See the full demo at: https://github.com/dereuromark/cakephp-tinyauth-demo

Full Changelog: 2.1.1...3.0.0

2.1.1

19 Mar 04:21
87ef9d3


Fixes

  • Fix PHP 8.4 property compatibility in ImportCommand and InitCommand (#11)

Full Changelog: 2.1.0...2.1.1

2.1.0

04 Nov 03:42


Improvements

  • Removed deprecations

Full Changelog: 2.0.1...2.1.0

2.0.1

21 Mar 04:14
fd625c1


Fixes

  • Fixed up files bundled in release using gitattributes file.

Full Changelog: 2.0.0...2.0.1

2.0.0

08 Nov 04:36


CakePHP 5 compatible release

Enjoy!

1.1.0

08 Nov 04:34


Improvements

  • Removed deprecations

1.0.0

19 Nov 15:13
f396195


Stable release

CakePHP 4.2+ and PHP 7.3+