bjyoungblood / BjyAuthorize

MIT License

Removing User's access to a Resource. #219

Closed dennis-fedco closed 6 years ago

dennis-fedco commented 10 years ago

Suppose that user has access to controller/zfcuser:someaction at the start of the application. Later, as the application is running, I need to remove that user's access to someaction.

How, if at all, can I do this?

dennis-fedco commented 10 years ago

Similarly, I see there is a way to specify allow() and deny() rules via configuration, but then Controller Guard, for example, only takes allow() rules. Where, if at all, are the deny() rules being used, and what is their purpose when the current model seems to be: allow what is in allow() and deny everything else?

Ocramius commented 10 years ago

@dennis-fedco that is indeed a new feature request - right now, the ACL is static across the entire Application runtime. We will need to allow changing that.

dennis-fedco commented 10 years ago

Question: does it even matter if this feature is done or not? Or are you thinking of something else?

It seems that BjyAuthorize is re-loading all configuration on every page load anyway, no?

Maybe it's the way I use it (my roles and my guards and my rules are Doctrinified now), but I have the same 4 queries loading on every page load. (SELECT from Rules, roles, users, and user_role connector tables)

But without Doctrine, loading from config, removing relevant lines from config should have immediate effect on next page load, no? So I don't see why this issue is an issue. Just remove the "Allow" rule from its storage area (be it config, DB, or ORM), and upon next page load it will take effect. No extra code needed (?)

EDIT: if somehow ACL is made to persist across multiple various page loads, then yeah we need a deny() feature. But I don't think that kind of persistence is happening at the moment.
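The allow()/deny() interaction asked about earlier in this thread, as an added example that is not part of this issue or of the BjyAuthorize project: it assumes zendframework/zend-permissions-acl (the ACL component BjyAuthorize builds its rules into) is installed via Composer, and the `$rules` array is a constructed sample in the `[roles, resource, privileges]` shape of BjyAuthorize's Config rule provider. It shows that a deny() rule is useful to narrow a broader allow(), and that because the ACL is rebuilt from the rule set, dropping or adding a rule is reflected the next time buildAcl() runs.

```php
<?php
// Added example, not from BjyAuthorize or this thread.
// Assumption: zendframework/zend-permissions-acl installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

// Build a fresh ACL from a rule set, the way a per-request build would.
function buildAcl(array $rules): Acl
{
    $acl = new Acl();
    $acl->addRole(new GenericRole('guest'));
    $acl->addRole(new GenericRole('user'), 'guest'); // user inherits from guest
    $acl->addResource(new GenericResource('controller/zfcuser'));

    // Default model: everything is denied unless an allow() rule grants it.
    foreach ($rules['allow'] ?? [] as [$roles, $resource, $privileges]) {
        $acl->allow($roles, $resource, $privileges);
    }
    // deny() rules carve exceptions out of a broader allow(); for the same
    // role/resource/privilege the later rule wins, so the deny below takes effect.
    foreach ($rules['deny'] ?? [] as [$roles, $resource, $privileges]) {
        $acl->deny($roles, $resource, $privileges);
    }
    return $acl;
}

// Constructed sample rule set (hypothetical resource/privilege names).
$rules = [
    'allow' => [
        [['user'], 'controller/zfcuser', ['index', 'someaction']],
    ],
    'deny' => [
        [['user'], 'controller/zfcuser', ['someaction']],
    ],
];

$acl = buildAcl($rules);
var_dump($acl->isAllowed('user', 'controller/zfcuser', 'index'));      // still allowed
var_dump($acl->isAllowed('user', 'controller/zfcuser', 'someaction')); // revoked by deny()
var_dump($acl->isAllowed('guest', 'controller/zfcuser', 'index'));     // never allowed

// Removing the user's access without a deny(): drop the allow entry and rebuild.
$rules['allow'] = [];
$acl = buildAcl($rules);
var_dump($acl->isAllowed('user', 'controller/zfcuser', 'index'));      // now denied
```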

Ocramius commented 10 years ago

@dennis-fedco there's currently no way to cache the user role effectively. What you can do is use a different serialization instead of an association, or Doctrine's L2 cache feature.