Hello Daniel,
Currently, the API of our security aware routes looks like the following:
class SecureObjectRoute
{
public function getObjectAuthorizedFor(sfUser $user);
public function verifyAccess($user, $object);
}
So yes, you can ask the route whether the user has access to the given
object. Instead of getObject(), you have to call
getObjectAuthorizedFor() and pass the current user object to it. The
route implementation itself may choose how the required credentials
are determined, you simply have to override verifyAccess() for that.
You could, for example, pass the credentials in the route options (we
combine the given credentials with the model name for more advanced
credentials, e.g. credential "edit" becomes
"edit-modelname-restricted" and "edit-modelname-unrestricted").
There is one flaw though that is inherent to the current design of
sfPatternRouting. First of all, it is not possible to verify access on
non-object routes, because on these routes getObjectAuthorizedFor()
obviously is not called. A solution to this problem would be a new
routing (e.g. sfSecurePatternRouting) that has access to the current
sfUser object. The user may then be passed to eventual secure routes.
Another potential design flaw is that an action that is secured by
using one route may not be secured by using a differently configured
route. On the other hand, in the current design it is possible to
access secured _objects_ through one action that you cannot access
through another. I usually bypass this problem by creating custom
routes for all objects that are requested through the routing, for
example
class ArticleRoute extends SecureObjectRoute
{
public function __construct(...)
{
$options['model'] = 'Article';
$options['type'] = 'list';
$requirements['id'] = '\d+';
// etc.
parent::__construct(...);
}
public function verifyAccess(...)
{
// possible customization
}
}
Whenever I want to access an article, I configure the routing to use
the ArticleRoute. This has also the benefit that you avoid the amount
of configuration duplication by configuring everything shared by all
article routes in the ArticleRoute constructor (e.g. model, type,
requirements etc.).
Bernhard
--
Software Architect & Engineer
Blog: http://webmozarts.com
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
-~----------~----~----~----~------~----~------~--~---
