zendframework / zend-expressive-authorization-rbac

zend-rbac adapter for zend-expressive-authorization
BSD 3-Clause "New" or "Revised" License

Assertions implementation #14

Closed jguittard closed 6 years ago

jguittard commented 6 years ago

Provide a narrative description of what you are trying to accomplish.

Why is ZendRbacAssertionInterface directly injected in ZendRbac itself? It prevents having a per-access control assertion configuration and implies having a potential whole set of assertions living within one class. I'd expect the assertion to be passed through the Zend\Expressive\Authorization\Rbac\ZendRbac::isGranted method.

Maybe I am missing something about the way it's been designed?

ezimuel commented 6 years ago

@jguittard the ZendRbacAssertionInterface is an extension of Zend\Permissions\Rbac\AssertionInterface, which is an interface to implement dynamic assertions in RBAC.

A dynamic assertion is an optional additional check that can be implemented to specialize the authorization based on additional information taken from the request. In many cases, you will not need such a dynamic assertion, and if you don't provide a ZendRbacAssertionInterface service, the ZendRbac adapter will not use it. I designed it to be passed as an optional dependency in ZendRbac because we need a single class to be able to react based on the request; see the setRequest() usage here. If we add it in the isGranted() method, how can we pass different assertion classes? If you see the ZendRbacAssertionInterface as a factory (or routing) class, you can specialize it to consume specific classes for different business logic, based on the HTTP request.
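The "factory (or routing) class" idea from the reply above, sketched as an added example that is not code from the project or from either commenter. `RoutingAssertion`, `OwnPostAssertion`, the `posts.edit` permission and the `user_id` / `post_owner_id` request attributes are hypothetical; the method signatures are assumed to match zend-permissions-rbac 3.x and the `setRequest()` method mentioned in the thread, with the matched route name used as the permission.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ServerRequestInterface;
use Zend\Expressive\Authorization\Rbac\ZendRbacAssertionInterface;
use Zend\Permissions\Rbac\AssertionInterface;
use Zend\Permissions\Rbac\Rbac;
use Zend\Permissions\Rbac\RoleInterface;

// Hypothetical router: one injected service, one assertion per permission.
final class RoutingAssertion implements ZendRbacAssertionInterface
{
    /** @var AssertionInterface[] keyed by permission name */
    private $map;

    public function __construct(array $map) { $this->map = $map; }

    public function setRequest(ServerRequestInterface $request) : void
    {
        // Hand the current request to every child that wants it.
        foreach ($this->map as $assertion) {
            if ($assertion instanceof ZendRbacAssertionInterface) {
                $assertion->setRequest($request);
            }
        }
    }

    public function assert(Rbac $rbac, RoleInterface $role, string $permission) : bool
    {
        // No entry means no extra check: the static RBAC decision stands.
        if (! isset($this->map[$permission])) {
            return true;
        }
        return $this->map[$permission]->assert($rbac, $role, $permission);
    }
}

// Hypothetical per-route rule: only the owner may act on a post.
final class OwnPostAssertion implements ZendRbacAssertionInterface
{
    /** @var ServerRequestInterface|null */
    private $request;

    public function setRequest(ServerRequestInterface $request) : void { $this->request = $request; }

    public function assert(Rbac $rbac, RoleInterface $role, string $permission) : bool
    {
        if ($this->request === null) {
            return false; // fail closed if the adapter never supplied a request
        }
        $owner = $this->request->getAttribute('post_owner_id');
        return $owner !== null && $owner === $this->request->getAttribute('user_id');
    }
}
```

Registering `new RoutingAssertion(['posts.edit' => new OwnPostAssertion()])` as the ZendRbacAssertionInterface service keeps a single injected dependency while each permission gets its own rule.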