Open davidwindell opened 10 years ago
@bakura10 I was able to achieve this with the below (not a real-life example), but it's a bit hacky. Essentially my permission route guard has a wildcard which affects any routes not mentioned above this. That way, the role guard operates in DENY mode, whereas the permission guard operates in a pseudo ALLOW mode.
    'zfc_rbac' => [
        'protection_policy' => GuardInterface::POLICY_DENY,
        'guards' => [
            'ZfcRbac\Guard\RouteGuard' => [
                'app/calendar' => Role::EVENT_MANAGER,
            ],
            'ZfcRbac\Guard\RoutePermissionsGuard' => [
                'app/something*' => Permission::ALLOW_THIS,
                '*' => '*',
            ]
        ]
    ]
EDIT: This only works when the order is correct, so merging multiple configs leaves the wildcard rule above others, which breaks the hack.
I'm not sure how this would look in practice... perhaps the below as an option? Retaining the old method as a default for BC and ease of config?
    'zfc_rbac' => [
        'protection_policy' => GuardInterface::POLICY_DENY,
        'guards' => [
            'ZfcRbac\Guard\RouteGuard' => [
                'app/calendar' => Role::EVENT_MANAGER,
            ],
            'ZfcRbac\Guard\RoutePermissionsGuard' => [
                'protection_policy' => GuardInterface::POLICY_ALLOW,
                'rules' => [
                    'app/something*' => Permission::ALLOW_THIS,
                    '*' => '*',
                ]
            ]
        ]
    ]
What do you think?
Could be interesting. ping @bakura10
I have two route guards - role and permission based.
I already have the role guards set up with a default DENY policy, but with two guards it doesn't make sense to have them both denying; I would like to be able to make permissions ALLOW by default.
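The ordering problem mentioned in the EDIT above, as an added example that is not part of the thread and is not ZfcRbac code. It assumes the guard applies the first rule whose pattern matches the route name (modelled with `fnmatch()`), uses `array_merge()` as a stand-in for the framework's config merging, and the module names, routes and permission strings are constructed.

```php
<?php
// Added illustration, not ZfcRbac code.
// Assumption: a route guard applies the FIRST rule whose pattern matches.

/** Pattern of the first rule matching $route, or null if none matches. */
function firstMatchingRule(array $rules, string $route): ?string
{
    foreach (array_keys($rules) as $pattern) {
        if (fnmatch((string) $pattern, $route, FNM_CASEFOLD)) {
            return (string) $pattern;
        }
    }
    return null; // no rule matched: the protection policy decides
}

/** Patterns listed after a bare '*' rule; under first-match they never apply. */
function rulesAfterCatchAll(array $rules): array
{
    $patterns = array_map('strval', array_keys($rules));
    $pos = array_search('*', $patterns, true);
    return $pos === false ? [] : array_slice($patterns, $pos + 1);
}

// Constructed configs: module A ships the catch-all, module B is merged later.
$moduleA = ['app/something*' => 'allow_this', '*' => '*'];
$moduleB = ['app/reports*' => 'view_reports'];

// String keys keep first-seen order, so module B's rule lands after '*'.
$merged = array_merge($moduleA, $moduleB);

foreach (['app/something/edit', 'app/reports/q1'] as $route) {
    $hit = firstMatchingRule($merged, $route);
    printf("%-20s matched by %s (requires %s)\n", $route, $hit, $merged[$hit]);
}

// Config check: fail when any rule can no longer take effect.
$dead = rulesAfterCatchAll($merged);
if ($dead !== []) {
    fwrite(STDERR, "Unreachable rules after '*': " . implode(', ', $dead) . "\n");
    exit(1);
}
```

Running `rulesAfterCatchAll()` against the fully merged guard rules in a test or deployment step flags a permission rule that has silently stopped being enforced.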