fivelab/authorize-action

The library for authorize action before executing.

v1.0.0 2017-08-20 13:48 UTC

README

Add functionality for authorize action before executing.

Requirements

  • PHP 7.1 or higher

Installation

Add AuthorizeAction package in your composer.json:

{
    "require": {
        "fivelab/authorize-action": "~1.0"
    }
}

Now tell composer to download the library by running the command:

$ php composer.phar update fivelab/authorize-action

Why?

In many cases, you should check grants before executing command/code. This library add functionality for easy declare the authorize action and verify the action before executing.

Examples:

For start, you should declare the authorize action. The action should implement FiveLab\Component\AuthorizeAction\Action\AuthorizeActionInterface:

<?php

namespace Application\Security;

use FiveLab\Component\AuthorizeAction\Action\AuthorizeActionInterface;

/**
 * The authorize action for check grants for edit post
 */
class EditPostAction implements AuthorizeActionInterface
{
    /**
     * @var int
     */
    public $id;
    
    /**
     * Constructor.
     * 
     * @param int $postId 
     */
    public function __construct(int $postId) 
    {
        $this->id = $postId;        
    }
}

Secondary, you should declare the verifier for verifying this action. The verifier should implement FiveLab\Component\AuthorizeAction\Verifier\AuthorizeActionVerifierInterface:

<?php

namespace Application\Security\Verifier;

use Application\Security\EditPostAction;
use FiveLab\Component\AuthorizeAction\Action\AuthorizeActionInterface;
use FiveLab\Component\AuthorizeAction\Verifier\AuthorizeActionVerifierInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class EditPostVerifier implements AuthorizeActionVerifierInterface
{
    /**
     * {@inheritdoc} 
     */
    public function supports(AuthorizeActionInterface $action, UserInterface $user): bool 
    {
        return $action instanceof EditPostAction;
    }
    
    /**
     * {@inheritdoc} 
     */
    public function verify(AuthorizeActionInterface $action, UserInterface $user): void 
    {
        if (!$user->isSuperAdmin() && !$user->isCopywriter()) {
            throw new AccessDeniedException();
        }
    }
}

Attention: the verifier should throw AccessDeniedException if the action not verified.

In last step you should create the authorization checker:

<?php

use Application\Security\Verifier\EditPostVerifier;
use FiveLab\Component\AuthorizeAction\AuthorizationChecker;
use FiveLab\Component\AuthorizeAction\Verifier\AuthorizeActionVerifierChain;
use FiveLab\Component\AuthorizeAction\UserProvider\SymfonyTokenStorageUserProvider;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

$tokenStorage = new TokenStorage();
$userProvider = new SymfonyTokenStorageUserProvider($tokenStorage);

$verifierChain = new AuthorizeActionVerifierChain();
$verifierChain->add(new EditPostVerifier());

$authorizationChecker = new AuthorizationChecker($verifierChain, $userProvider);

Great! After creating the checker you can check right for executing action:

$authorizationChecker->verify(new EditPostAction($postId));

Attention: If the action not verified (not granted) the authorization check throws AccessDeniedException.

License

This library is under the MIT license. See the complete license in library

LICENSE

Reporting an issue or a feature request

Issues and feature requests are tracked in the Github issue tracker.

Contributors:

Thanks to everyone participating in the development of this AuthorizeAction library!