Hi all, I have a question about user authorization checks on ZF2.

Let's suppose I have a list of entities, each owned by a single user (from a database point of view this consists of a table with a column that holds the user ID) and I want to be sure the user can get access only to owned entities. I usually use BjyAuthorize to deal with all ACL-related needs.

Let's suppose I have a Service ($myService in the following code) that manages entity persistence; typically I inject BjyAuthorize's Authorize class (\BjyAuthorize\Service\Authorize) inside its constructor. Performing all ACL checks inside the Service layer, I'm sure the entities are "protected" whatever controller and action is used to interact with them. Considering the following two use cases, this is a way to handle them:

- retrieve / edit / delete a single entity (e.g. "$myService->[get|edit|delete]Entity()" method, without input params): to check if the logged-in user could really use that entity, I call the "isAllowed" method provided by the Authorize class (previously injected into the Service). To make this work, a rule with an assertion has been previously defined inside the BjyAuthorize config.

- retrieve a list of entities, filtered by some custom criteria (e.g. "$myService->getAllEntitiesBySomeCriteria($entityOwner)" method): the user that owns the entity is passed directly as an input parameter; its ID is then used inside the database query to filter results. If $entityOwner corresponds to the logged-in user (and then we know it before Service instantiation), it could be injected inside the Service constructor (as done with the Authorize class).

I'm wondering if these are proper ways to handle this.

Thanks in advance,
Stefano
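An added PHP example of the pattern described in the post above (example code, not code from the poster or from the BjyAuthorize project): the entity acts as its own ACL resource so an assertion can compare its owner with the logged-in identity, and the list query takes the owner ID from the injected current user rather than from a caller-supplied parameter. Assumed, and not on the page: a BjyAuthorize config that registers an 'entity' resource with an allow rule using OwnerAssertion, a mapper with find($id) and fetchByOwner($ownerId, $criteria), and an identity object exposing getId().

```php
<?php
// Added example, not code from the original post. Assumed: BjyAuthorize config registers an
// 'entity' resource with an allow rule using OwnerAssertion; a mapper with find($id) and
// fetchByOwner($ownerId, $criteria); and an identity object exposing getId().
use BjyAuthorize\Service\Authorize;
use Zend\Authentication\AuthenticationService;
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// The entity is its own ACL resource, so the assertion can read the owner from the instance.
class OwnedEntity implements ResourceInterface
{
    private $id, $ownerId;
    public function __construct($id, $ownerId) { $this->id = $id; $this->ownerId = $ownerId; }
    public function getOwnerId() { return $this->ownerId; }
    public function getResourceId() { return 'entity'; }   // name registered in BjyAuthorize config
}

// Assertion attached to the rule: passes only when the logged-in user owns this instance.
class OwnerAssertion implements AssertionInterface
{
    private $auth;
    public function __construct(AuthenticationService $auth) { $this->auth = $auth; }
    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
    {
        $identity = $this->auth->getIdentity();
        return $identity !== null && $resource instanceof OwnedEntity
            && (int) $resource->getOwnerId() === (int) $identity->getId();
    }
}

class EntityService
{
    private $authorize, $mapper, $currentUserId;
    public function __construct(Authorize $authorize, $mapper, $currentUserId)
    { $this->authorize = $authorize; $this->mapper = $mapper; $this->currentUserId = $currentUserId; }
    // Single entity: ZF2's Acl passes the original instance on to the assertion.
    public function getEntity($id)
    {
        $entity = $this->mapper->find($id);
        if ($entity === null || !$this->authorize->isAllowed($entity, 'view')) {
            throw new \RuntimeException('Access denied');   // same outcome for missing and foreign rows
        }
        return $entity;
    }
    // List: the owner filter comes from the injected current user, never from a caller parameter.
    public function getMyEntitiesByCriteria(array $criteria)
    { return $this->mapper->fetchByOwner($this->currentUserId, $criteria); }
}
```

Because the owner ID for the list query is fixed at construction time from the authenticated session, a controller cannot widen the result set by passing another user's ID.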

--
List: fw-general@lists.zend.com
Info: http://framework.zend.com/archives