ZF-Commons / zfc-rbac

Role-based access control module to provide additional features on top of Zend\Permissions\Rbac
BSD 3-Clause "New" or "Revised" License

RouteGuard rule vs RoleProvider permissions #193

Closed ghost closed 10 years ago

ghost commented 10 years ago

I have a question regarding usage of RouteGuard rules and RoleProvider permissions. What is the use of RoleProvider permissions if I have RouteGuard rules set? Are they ever being used? I don't see any change if I have RoleProvider permissions or not. Am I doing something wrong? Here is a sample of my zfc_rbac config:

<?php
// zfc_rbac module configuration (complete file as returned to the module manager)
return [
    'zfc_rbac' => [

        /**
         * Set the guards
         */
        'guards' => [
            'ZfcRbac\Guard\RouteGuard' => [
                'home'      => ['*'],
                'post/read' => ['guest'],
                'post/add'  => ['user'],
                'post/edit' => ['admin'],
            ],
        ],

        'protection_policy' => \ZfcRbac\Guard\GuardInterface::POLICY_DENY,

        /**
         * Configuration for role provider
         */
        'role_provider' => [
            'ZfcRbac\Role\InMemoryRoleProvider' => [
                'admin' => [
                    'children'    => ['user'],
                    'permissions' => ['post.edit'],
                ],
                'user'  => [
                    'children'    => ['guest'],
                    'permissions' => ['post.add'],
                ],
                'guest' => [
                    'permissions' => ['post.read'],
                ],
            ],
        ],
    ],
];
danizord commented 10 years ago

See a quote from Guards docs:

Guards are not really aware of permissions (it does not make any sense) but rather only think about "roles". For instance, you may want to refuse access to each route that begins with "admin/*" to all users that do not have the "admin" role. Albeit simple to use, guards should not be the only protection in your application, and you should always also protect your service. The reason is that your business logic should be handled by your service. Protecting a given route or controller does not mean that the service cannot be accessed from elsewhere (another action for instance).

So, you'll use RouteGuard to protect your routes, while you use RoleProvider permissions to protect your services. (You must always protect your services.)

Also, take a look at https://github.com/ZF-Commons/zfc-rbac/issues/182
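The separation danizord describes, as an added example that is not part of this issue or of the zfc-rbac code base: the RouteGuard above decides on roles only, so the 'post.edit' permission from the RoleProvider config is consumed by a service-level check like the one below. The class names ZfcRbac\Service\AuthorizationServiceInterface, ZfcRbac\Exception\UnauthorizedException and the service key 'ZfcRbac\Service\AuthorizationService' are assumed to be those of zfc-rbac 2.x; PostService, PostServiceFactory and the Post entity are hypothetical.

```php
<?php
// Added example, not from the issue or the zfc-rbac project.
// Assumes zfc-rbac 2.x class names; PostService, Post and the persistence
// step are hypothetical.
namespace Application\Service;

use Application\Entity\Post; // hypothetical entity
use ZfcRbac\Exception\UnauthorizedException;
use ZfcRbac\Service\AuthorizationServiceInterface;

class PostService
{
    /** @var AuthorizationServiceInterface */
    private $authorizationService;

    public function __construct(AuthorizationServiceInterface $authorizationService)
    {
        $this->authorizationService = $authorizationService;
    }

    /**
     * The RouteGuard only asks "does the identity hold the 'admin' role?" for
     * the 'post/edit' route. This check instead asks the RBAC tree whether the
     * identity's role carries the 'post.edit' permission, including permissions
     * inherited through 'children' (admin -> user -> guest in the config above),
     * and it runs no matter which route, controller or CLI command called it.
     */
    public function edit(Post $post, array $data)
    {
        if (!$this->authorizationService->isGranted('post.edit')) {
            throw new UnauthorizedException('You are not allowed to edit posts');
        }

        $post->setTitle($data['title']);
        // ... persist $post (hypothetical)
    }
}

// Wiring: inject the authorization service rather than fetching it inside
// the service, so the permission check is visible in the constructor.
class PostServiceFactory
{
    public function __invoke($container)
    {
        return new PostService(
            $container->get('ZfcRbac\Service\AuthorizationService')
        );
    }
}
```

With the config above, a 'guest' identity is turned away at the 'post/edit' route by the guard, but a caller reaching PostService::edit through any other path is still refused unless its role resolves to 'post.edit'.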

ghost commented 10 years ago

Thanks danizord, it was clear from debugging that guards don't use permissions, but I had to ask just to clarify it.

danizord commented 10 years ago

@svmashtaler so, this issue can be closed? :)

ghost commented 10 years ago

Yes sure it can be closed, thank you.

davidwindell commented 10 years ago

@svmashtaler can you close this issue?