User authorization check using BjyAuthorize on Service layer

Stefano Valle
Hi all, I have a question about user authorization checks in ZF2.

Let's suppose I have a list of entities, each owned by a single user (from a
database point of view this consists of a table with a column that holds
the user ID) and I want to be sure the user can get access only to owned
entities. I usually use BjyAuthorize to deal with all ACL-related needs.

Let's suppose I have a Service ($myService in the following code) that
manages entity persistence; typically I inject BjyAuthorize's
Authorize class (\BjyAuthorize\Service\Authorize) into its
constructor. Performing all ACL checks inside the Service layer, I'm
sure the entities are "protected" whatever controller and action is used
to interact with them. Considering the following two use cases, this is
a way to handle them:
- retrieve / edit / delete a single entity (e.g.
"$myService->[get|edit|delete]Entity()" method, without input params):
to check if the logged-in user can really use that entity, I call the
"isAllowed" method provided by the Authorize class (previously injected into
the Service). To make this work, a rule with an assertion has been
previously defined inside the BjyAuthorize config.
- retrieve a list of entities, filtered by some custom criteria (e.g.
"$myService->getAllEntitiesBySomeCriteria($entityOwner)" method): the user
that owns the entity is passed directly as an input parameter; its ID is
then used inside the database query to filter results. If
$entityOwner corresponds to the logged-in user (and so we know it before
Service instantiation), it could be injected into the Service constructor
(as done with the Authorize class).

I'm wondering if these are proper ways to handle this.

Thanks in advance,


Re: User authorization check using BjyAuthorize on Service layer

Hi Stefano,
I've seen your slides regarding your question:
Instant ACLs with Zend Framework 2

Unfortunately I could not make the assertions work when following your code.

Instead of your Conference I have a Doctrine Entity named Contract. But somehow the Assertion does not seem to be picked up by BjyAuthorize. Instead I get a "regular" ACL error:
Catchable fatal error: Object of class Application\Entity\Contract could not be converted to string in /home/../zendframework/library/Zend/Permissions/Acl/Acl.php on line 288

Looks like ACL is looking for the getResource() / getResourceId() method of a class that implements a role provider.

How did you achieve it?
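The pattern described in the first post (the entity as ACL resource, an ownership assertion, the check made inside the service) and the string-conversion error quoted in the reply, worked through in one added example. This is not code from either post, from the slides, or from BjyAuthorize itself. Assumed names: an Application\Entity\Contract with getOwnerId(), a user identity object with getId(), a Doctrine-style repository with find()/findBy(), the 'contract' resource, the 'user' role, and the service name under which Zend\Authentication\AuthenticationService is registered. The list query goes beyond the original question in one respect: it takes the owner from the authenticated identity instead of from a caller-supplied $entityOwner.

```php
<?php
// Added example, not code from the thread. Assumed: Contract::getOwnerId(), a user
// identity with getId(), a repository with find()/findBy(), and the names in the config.

namespace Application\Entity {
    use Zend\Permissions\Acl\Resource\ResourceInterface;

    // The entity instance is the ACL resource. Without ResourceInterface,
    // Zend\Permissions\Acl casts it to string: the fatal error quoted in the reply.
    class Contract implements ResourceInterface
    {
        private $ownerId; // column holding the owning user's ID

        public function __construct($ownerId) { $this->ownerId = $ownerId; }
        public function getOwnerId() { return $this->ownerId; }
        public function getResourceId() { return 'contract'; } // matches the config below
    }
}

namespace Application\Assertion {
    use Application\Entity\Contract;
    use Zend\Authentication\AuthenticationService;
    use Zend\Permissions\Acl\Acl;
    use Zend\Permissions\Acl\Assertion\AssertionInterface;
    use Zend\Permissions\Acl\Resource\ResourceInterface;
    use Zend\Permissions\Acl\Role\RoleInterface;

    // Narrows "role 'user' may view/edit/delete 'contract'" to the rows the user owns.
    class OwnerAssertion implements AssertionInterface
    {
        private $auth;

        public function __construct(AuthenticationService $auth) { $this->auth = $auth; }

        public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
        {
            // $role is BjyAuthorize's synthetic identity role, not the user, so the user
            // comes from the auth service. A bare 'contract' string (e.g. from a route
            // guard) carries no owner and is refused.
            if (!$resource instanceof Contract || !$this->auth->hasIdentity()) { return false; }
            return (int) $resource->getOwnerId() === (int) $this->auth->getIdentity()->getId();
        }
    }
}

namespace Application\Service {
    use BjyAuthorize\Exception\UnAuthorizedException;
    use BjyAuthorize\Service\Authorize;
    use Zend\Authentication\AuthenticationService;

    class ContractService
    {
        private $authorize, $auth, $repository;

        public function __construct(Authorize $authorize, AuthenticationService $auth, $repository)
        {
            $this->authorize = $authorize; $this->auth = $auth; $this->repository = $repository;
        }

        // Single-entity case: pass the loaded entity as the resource so the assertion
        // runs; the check is the same whatever controller called us.
        public function getContract($id)
        {
            $contract = $this->repository->find($id);
            if ($contract === null) { return null; }
            if (!$this->authorize->isAllowed($contract, 'view')) {
                throw new UnAuthorizedException('You are not allowed to view this contract');
            }
            return $contract;
        }

        // List case: the owner filter is taken from the session identity rather than
        // from a caller-supplied $entityOwner, so nothing upstream can substitute an id.
        public function getMyContracts()
        {
            if (!$this->auth->hasIdentity()) { throw new UnAuthorizedException('Login required'); }
            return $this->repository->findBy(array('ownerId' => $this->auth->getIdentity()->getId()));
        }
    }
}

namespace {
    // module.config.php fragment. A string assertion name is fetched from the service
    // manager by BjyAuthorize, hence the factory (auth service name is assumed).
    return array(
        'service_manager' => array('factories' => array(
            'Application\Assertion\OwnerAssertion' => function ($sm) {
                return new Application\Assertion\OwnerAssertion($sm->get('Zend\Authentication\AuthenticationService'));
            },
        )),
        'bjyauthorize' => array(
            'resource_providers' => array('BjyAuthorize\Provider\Resource\Config' => array('contract' => array())),
            'rule_providers' => array('BjyAuthorize\Provider\Rule\Config' => array('allow' => array(
                // roles, resource, privileges, assertion
                array(array('user'), 'contract', array('view', 'edit', 'delete'), 'Application\Assertion\OwnerAssertion'),
            ))),
        ),
    );
}
```

Because Contract implements ResourceInterface, Zend\Permissions\Acl reads getResourceId() instead of casting the object to string, which is what produces the "could not be converted to string" fatal error above; the assertion then receives the entity instance itself and can compare its owner with the authenticated user. Calling isAllowed() with the string 'contract' instead of an instance still reaches the assertion, but it is refused there because a bare resource name carries no owner.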