mouf/security.rightsservice-splash

This package contains a set of class to bind the Splash MVC framework (>=v4) with the RightsService component. It features: a @RequiresRight annotation to restrict access to logged users only.

v4.1.0 2015-11-16 15:43 UTC

README

This package is part of the Mouf PHP framework and contains the @Right annotation that integrates the Splash MVC framework with the RightsService.

This package provides one useful filter:

The @Right annotation

This filter can be used in any action. If you put this annotation, the user will be denied access if he does not possess the specified right.

/**
 * A sample default action that requires to have the "ACCESS_ADMIN_RIGHT" right.
 *
 * @URL /admin
 * @Right("ACCESS_ADMIN_RIGHT")
 */
public function index() { ... }

The @Right annotation requires an instance of ForbiddenMiddleware to exist. The name of the instance must be ForbiddenMiddleware::class. If your ForbiddenMiddleware instance is not named ForbiddenMiddleware::class (or if you want to use several ForbiddenMiddleware instances, you can specify the instance of middleware to use in parameter of the annotation:

/**
 * A sample default action that requires to have the "ACCESS_ADMIN_RIGHT" right.
 *
 * @URL /admin
 * @Right(name="ACCESS_ADMIN_RIGHT",instance="myForbiddenMiddleware")
 */
public function index() { ... }

Composite rights: the @AndRight and @OrRight annotations

Occasionally, you might want to check if a user has 2 rights (and), or one of two rights (or).

To do this, instead of passing a string to the @Right annotation, you can pass a @AndRight or a @OrRight annotation.

For instance, to check that a user has both the CAN_DO_THIS and CAN_DO_THAT rights, you should use:

/**
 * An action that requires to have both the "CAN_DO_THIS" and "CAN_DO_THAT" right.
 *
 * @URL /admin
 * @Right(@AndRight({@Right("CAN_DO_THIS"), @Right("CAN_DO_THAT")}))
 */
public function index() { ... }

If instead, you want to check that a user has one right amongst many, you would use the @OrRight:

/**
 * An action that requires to have either the "CAN_DO_THIS" or "CAN_DO_THAT" right.
 *
 * @URL /admin
 * @Right(@OrRight({@Right("CAN_DO_THIS"), @Right("CAN_DO_THAT")}))
 */
public function index() { ... }

You can also combine @AndRight and @OrRight annotations as long as the top-most annotation is a @Right. Also, if you need to combine complex rights, you should probably start to question your right system and refactor it. @AndRight and @OrRight should really be used sparsely.