ZF-Commons / zfc-rbac

Role-based access control module to provide additional features on top of Zend\Permissions\Rbac
BSD 3-Clause "New" or "Revised" License

[RFC] [3.x] Guards with Method Interception #244

Open aeneasr opened 10 years ago

aeneasr commented 10 years ago

Service protection is still a pain. It needs a lot of boilerplate code (DI, isGranted()) and coupling is encouraged by requiring the dev to inject the AuthorizationService. There is something called method interception which translates to a configurable way for protecting services and classes.

Here are some examples of how that could work:

Array

return [
    'service_guard' => [
        'My\Namespace\MyService' => [
            'myMethod' => [
                'myPermission'
            ]
        ]
    ]
];

Annotations

/**
 * @ServiceGuard\RequiresPermission({'foo', 'bar'}, @Authorization\Or)
 * @ServiceGuard\SetContext('param1')
 */
public function doSomething($param1, $param2)
{
    //...
}

/**
 * @ServiceGuard\RequiresPermission({'foo', 'bar'}, @Authorization\Or)
 * @ServiceGuard\SetContextProvider('MyNamespace\Context\Provider')
 */
public function doSomething($param1, $param2)
{
    //...
}

XML

<?xml ...
<zfc-rbac-service-guard xmlns...>
 <service class="MyNamespace\Service\MyService">
  <method name="foo">
   <requires operator="or">
    <permission name="foo" />
    <permission name="bar" />
   </requires>
   <context />
  </method>
 </service>
</zfc-rbac-service-guard>

Java is doing this and there are some frameworks out there which provide that functionality, so go ahead and give it a read:

There are already some interceptor implementations for PHP:

What do you think? Your feedback is much appreciated!
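For readers wanting to see what the array variant above would do at runtime, here is an added example (not zfc-rbac code and not part of this issue) of a minimal guarding proxy driven by the RFC's `service_guard` array; the `AuthorizationServiceInterface` below is a stand-in for zfc-rbac's `isGranted()` contract, and `ServiceGuardProxy`, `guardService()` and `MyService` are hypothetical names.

```php
<?php
// Added example, not zfc-rbac code. The interface is a stand-in for zfc-rbac's
// AuthorizationServiceInterface::isGranted(); all other names are hypothetical.
interface AuthorizationServiceInterface
{
    public function isGranted(string $permission, $context = null): bool;
}

final class UnauthorizedException extends RuntimeException {}

final class ServiceGuardProxy
{
    /** @param array<string, string[]> $methodPermissions method => required permissions */
    public function __construct(
        private object $service,
        private AuthorizationServiceInterface $authz,
        private array $methodPermissions
    ) {}

    public function __call(string $method, array $args)
    {
        // Methods absent from the config pass through; listed ones need every permission (AND).
        foreach ($this->methodPermissions[$method] ?? [] as $permission) {
            if (!$this->authz->isGranted($permission)) {
                throw new UnauthorizedException(sprintf(
                    'Permission "%s" required to call %s::%s',
                    $permission, get_class($this->service), $method
                ));
            }
        }
        return $this->service->$method(...$args);
    }
}

// Build a proxy from the RFC's config shape: class => method => permissions.
function guardService(object $service, AuthorizationServiceInterface $authz, array $config): object
{
    $perms = $config['service_guard'][get_class($service)] ?? [];
    return $perms === [] ? $service : new ServiceGuardProxy($service, $authz, $perms);
}

// Demonstration with a constructed service and a deny-all authorization service.
class MyService { public function myMethod(): string { return 'done'; } }
$denyAll = new class implements AuthorizationServiceInterface {
    public function isGranted(string $permission, $context = null): bool { return false; }
};
$config = ['service_guard' => [MyService::class => ['myMethod' => ['myPermission']]]];
$guarded = guardService(new MyService(), $denyAll, $config);
try { $guarded->myMethod(); } catch (UnauthorizedException $e) { echo $e->getMessage(), PHP_EOL; }
```

The call reaches the real service only when the guard's check passes, so the service class itself never has to depend on the authorization service; the `or` operator from the annotation and XML variants is not implemented here.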

aeneasr commented 10 years ago

Ping @jmleroux, @danizord, @bakura10, @ocramius ?

jmleroux commented 10 years ago

I don't like annotations! ;) I prefer to centralize permissions in one file. This is just a personal preference (not talking about the performance overhead to parse annotations). But I know that many people love annotations, so why not.

jmleroux commented 10 years ago

It could make sense for controller guards, or service protections. But for route guards, I definitely prefer a config file.

aeneasr commented 10 years ago

It's definitely a feature for service protections :)

aeneasr commented 10 years ago

I have done some research and updated the RFC accordingly