Routes and permissions in Alpha 2.0

 
Published on 2015-05-23 by John Collins.

Introduction

In the new HTTP routing API under development in Alpha 2.0, a typical route would be set up in the FrontController like so:

$this->addRoute('/cache', function($request) {
    $controller = new CacheController();
    return $controller->process($request);
});

This is great for routing /cache requests to the CacheController, but what about applying permissions, i.e. who can access the CacheController? Presently in Alpha 1.x, a controller sets it's rights group level permissions on construction, and then proceeds to check if the current user belongs to that group before allowing them access to the controller. This proposal is designed to improve on that.

New permissions API

In the above closure, the following would be added:

$controller->grantAccess($rightsGroup, array('POST', 'PUT', 'DELETE'));
$controller->grantAccess('Public', array('GET'));

So we can make multiple grantAccess() calls to give different rights groups access to different controller methods.

The main benefits are:

  1. Finer grain permissions (access control applied to controller methods rather than just controllers).
  2. Permissions are centralized with routes in the FrontController, rather than being spread throughout the controllers as they are presently.

Implications

There are some code implications to this change that will require some refactoring:

  1. The checkRights() calls will no longer be required in the controller constructors.
  2. The calls to checkRights() should be moved to the new Controller::process() method chain, therefore grantAccess() should be called before process().
  3. The 'Public' pseudo group should remain as a convenience.

The ticket to track this change is on Github here.