This repository has been archived by the owner on Jul 3, 2020. It is now read-only.

RouteGuard rule vs RoleProvider permissions #193

Closed
ghost opened this issue Feb 12, 2014 · 5 comments

@ghost

ghost commented Feb 12, 2014

I have a question regarding usage of RouteGuard rules and RoleProvider permissions.
What is the use of RoleProvider permissions if I have RouteGuard rules set? Are they ever being used? I don't see any change whether I have RoleProvider permissions or not. Am I doing something wrong?
Here is a sample of my zfc_rbac config:

```php
'zfc_rbac' => [

    /**
     * Set the guards
     */
    'guards' => [
        'ZfcRbac\Guard\RouteGuard' => [
            'home'      => ['*'],
            'post/read' => ['guest'],
            'post/add'  => ['user'],
            'post/edit' => ['admin'],
        ]
    ],

    'protection_policy' => \ZfcRbac\Guard\GuardInterface::POLICY_DENY,

    /**
     * Configuration for role provider
     *
     */
    'role_provider' => [
        'ZfcRbac\Role\InMemoryRoleProvider' => [
            'admin' => [
                'children'    => ['user'],
                'permissions' => ['post.edit']
            ],
            'user'  => [
                'children'    => ['guest'],
                'permissions' => ['post.add']
            ],
            'guest' => [
                'permissions' => ['post.read']
            ]
        ]
    ],
]
```

@danizord
Member

See a quote from Guards docs:

> Guards are not really aware of permissions (it does not make any sense) but rather only think about "roles". For instance, you may want to refuse access to each route that begins with "admin/*" to all users that do not have the "admin" role.
>
> Albeit simple to use, guards should not be the only protection in your application, and you should always also protect your service. The reason is that your business logic should be handled by your service. Protecting a given route or controller does not mean that the service cannot be accessed from elsewhere (another action for instance).

So, you'll use RouteGuard to protect your routes, while you use RoleProvider permissions to protect your services. (You must always protect your services.)

Also, take a look at #182
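
The split described in the reply above, as an added example that is not part of the original thread and is not ZfcRbac code: a stand-alone PHP model of the config from the question, in which the guard decides per route on roles and the service decides on the `post.edit` permission. The function names and the way the role hierarchy is resolved are assumptions of this model.

```php
<?php
// Constructed model of the role_provider and RouteGuard config from the question.
const ROLES = [
    'admin' => ['children' => ['user'],  'permissions' => ['post.edit']],
    'user'  => ['children' => ['guest'], 'permissions' => ['post.add']],
    'guest' => ['children' => [],        'permissions' => ['post.read']],
];
const ROUTE_RULES = ['home' => ['*'], 'post/edit' => ['admin']];

/** A role plus every role below it in the hierarchy (assumed resolution). */
function rolesOf(string $role): array
{
    $roles = [$role];
    foreach (ROLES[$role]['children'] as $child) {
        $roles = array_merge($roles, rolesOf($child));
    }
    return $roles;
}

/** Guard-style check: route name against roles; permissions are never read. */
function routeAllowed(string $route, string $role): bool
{
    $allowed = ROUTE_RULES[$route] ?? [];   // no rule for the route: deny
    return in_array('*', $allowed, true)
        || count(array_intersect(rolesOf($role), $allowed)) > 0;
}

/** Service-level check: the business operation itself demands a permission. */
function editPost(string $role, int $id): string
{
    $granted = [];
    foreach (rolesOf($role) as $r) {
        $granted = array_merge($granted, ROLES[$r]['permissions']);
    }
    if (!in_array('post.edit', $granted, true)) {
        throw new RuntimeException('not granted: post.edit');
    }
    return "post $id updated";
}

// The 'home' route is open to everyone, so its action reaches the service
// without ever passing the 'post/edit' guard rule.
foreach (['guest', 'admin'] as $role) {
    $guard = routeAllowed('home', $role) ? 'pass' : 'block';
    try {
        $result = editPost($role, 42);
    } catch (RuntimeException $e) {
        $result = $e->getMessage();
    }
    echo "$role via home: guard=$guard, service: $result\n";
}
```

If the permission check is removed from `editPost`, the guest call succeeds, because only the route rule for `post/edit` names the `admin` role.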

@ghost
Author

ghost commented Feb 13, 2014

Thanks danizord, it was clear from debugging that guards don't use permissions, but I had to ask just to clarify it.

@danizord
Member

@svmashtaler so, this issue can be closed? :)

@ghost
Author

ghost commented Mar 14, 2014

Yes sure it can be closed, thank you.

@davidwindell
Contributor

@svmashtaler can you close this issue?

@ghost ghost closed this as completed Apr 24, 2014