2.0 - Simplified roles #9

Open
wants to merge 49 commits into
from

mnapoli commented May 22, 2014

  • master: Build Status Coverage Status Scrutinizer Code Quality
  • branch: Build Status Coverage Status Scrutinizer Code Quality

Role definitions

Updated example:

$roles = [
    'ArticleEditor' => [
        'resource' => Article::class,
        'actions' => new Actions([Actions::VIEW, Actions::EDIT]),
    ], // same as the next one
    'ArticleEditor' => [
        'resource' => Article::class,
        'authorizations' => function (ACL $acl, RoleEntry $role, Article $article) {
            $acl->allow(
                $role->getSecurityIdentity(),
                new Actions([Actions::VIEW, Actions::EDIT]),
                $article,
                $role
            );
        },
    ],
    'CategoryManager' => [
        'resource' => new ClassResource(Article::class),
        'actions' => new Actions([Actions::VIEW, Actions::EDIT]),
    ],
    'Administrator' => function (ACL $acl, RoleEntry $role) {
        $allArticles = new ClassResource(Article::class);
        $acl->allow($role->getSecurityIdentity(), Actions::all(), $allArticles, $role);
    },
    'BackendUser' => [
        'resource' => new VirtualResource('backend'),
        'actions' => new Actions([Actions::VIEW]),
    ],
    'BackendAdministrator' => function (ACL $acl, RoleEntry $role) {
        $allArticles = new VirtualResource('backend');
        $acl->allow($role->getSecurityIdentity(), Actions::all(), $allArticles, $role);
    }
];

Grant

Before:

$acl->grant($user, new ArticleEditorRole($user, $article));
$acl->grant($user, new Administrator($user));

After:

$acl->grant($user, 'ArticleEditor', $article);
$acl->grant($user, 'Administrator');

TODO

  • Simplified role definitions

  • #13 Unified handling of resources through ResourceInterface and ResourceId

  • Add isGranted($role)

  • Simplified ACL Doctrine setup ?

  • Update documentation

  • Upgrading guide

  • Document RoleEntryRepository::findByRoleAndResource($roleName, $resource)

  • Remove unGrant()

  • Rename SecurityIdentityInterface to Identity

  • PHP 5.5

  • More tests?

    Removed from 2.0:

  • Virtual resources (would impact too much how ResourceId works, lot of work, might need a new column in database)

  • Decouple from Doctrine to allow alternative backends: too much work for now
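
An added example, not part of this pull request or of the library's code: once roles are granted by string name as in the "After" snippet, a mistyped role name or a missing resource is no longer caught by a role class constructor, so the grant path has to check the call against the role map and fail closed. `Article`, `resolveGrant()` and the reduced `$roles` map are stand-ins assumed for illustration; resources are reduced to class-name strings.

```php
<?php
// Stand-in resource class (assumption; the real Article is an application entity).
class Article {}

// Reduced role map in the shape proposed above: array = role scoped to one
// resource class, closure = global role that takes no resource.
$roles = [
    'ArticleEditor' => ['resource' => Article::class, 'actions' => ['view', 'edit']],
    'Administrator' => function () { /* would allow all actions on all articles */ },
];

// Hypothetical helper: validates a grant($user, $roleName, $resource) call
// against the role map and returns the definition, or throws (fail closed).
function resolveGrant(array $roles, $roleName, $resource = null)
{
    if (!is_string($roleName) || !array_key_exists($roleName, $roles)) {
        throw new InvalidArgumentException("Unknown role: " . var_export($roleName, true));
    }
    $definition = $roles[$roleName];
    if ($definition instanceof Closure) {
        // Global role: a resource argument signals a caller mistake.
        if ($resource !== null) {
            throw new InvalidArgumentException("Role $roleName is global and takes no resource");
        }
        return $definition;
    }
    $class = $definition['resource'];
    if (!$resource instanceof $class) {
        throw new InvalidArgumentException("Role $roleName requires an instance of $class");
    }
    return $definition;
}

// Constructed calls: the first two are valid, the last three must be rejected.
$calls = [
    ['ArticleEditor', new Article()],
    ['Administrator', null],
    ['ArticleEdtior', new Article()], // typo in the role name
    ['ArticleEditor', null],          // resource-scoped role without a resource
    ['Administrator', new Article()], // global role with a resource
];
foreach ($calls as list($name, $resource)) {
    try {
        resolveGrant($roles, $name, $resource);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```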

@benjaminbertin

benjaminbertin May 22, 2014

Member

Why not have a simple method to allow a role on multiple resources?

$roles = [
    'ArticleAndCategoryEditor' => [
        [
            'resource' => new ClassResource(Article::class),
            'actions' => [Actions::VIEW, Actions::EDIT]
        ],
        [
            'resource' => new ClassResource(Category::class),
            'actions' => [Actions::VIEW, Actions::EDIT]
        ]
    ],
];
@mnapoli

mnapoli May 22, 2014

Member
$roles = [
    'ArticleEditor' => [
        'resource' => Article::class,
        'actions' => [Actions::VIEW, Actions::EDIT],
    ],
];

is the same as

$roles = [
    'ArticleEditor' => [
        'resource' => Article::class,
        'authorizations' => function (ACL $acl, Role $role, Article $article) {
            $acl->allow(
                $user,
                new Actions([Actions::VIEW, Actions::EDIT]),
                $article,
                $role
            );
        },
    ],
];
@benjaminbertin

benjaminbertin May 22, 2014

Member

IsAllowed should accept a resource as a string, then we could create a virtual resource (like an application backend).

@benjaminbertin

benjaminbertin May 22, 2014

Member

All the possible role definitions could be:

$roles = [
    'ArticleEditor' => [
        'resource' => Article::class,
        'actions' => [Actions::VIEW, Actions::EDIT],
    ], // same as the next one
    'ArticleEditor' => [
        'resource' => Article::class,
        'authorizations' => function (ACL $acl, Role $role, Article $article) {
            $acl->allow(
                $role->getSecurityIdentity(),
                new Actions([Actions::VIEW, Actions::EDIT]),
                $article,
                $role
            );
        },
    ],
    'CategoryManager' => [
        'resource' => ClassResource::get(Article::class),
        'actions' => [Actions::VIEW, Actions::EDIT]
    ],
    'Administrator' => function (ACL $acl, Role $role) {
        $allArticles = ClassResource::get(Article::class);
        $acl->allow($role->getSecurityIdentity(), Actions::all(), $allArticles, $role);
    },
    'BackendUser' => [
        'resource' => VirtualResource::get('backend'),
        'actions' => [Actions::VIEW]
    ],
    'BackendAdministrator' => function (ACL $acl, Role $role) {
        $allArticles = VirtualResource::get('backend');
        $acl->allow($role->getSecurityIdentity(), Actions::all(), $allArticles, $role);
    }
];

@mnapoli mnapoli added this to the 2.0 milestone May 22, 2014

@mnapoli mnapoli added the enhancement label Jun 19, 2014

mnapoli added some commits Jun 27, 2014

Merge pull request #13 from myclabs/feature/unified-resource-id
Unified handling of resources through ResourceInterface and ResourceId

@mnapoli mnapoli changed the title from Simplified roles to 2.0 Jun 30, 2014

@mnapoli mnapoli changed the title from 2.0 to 2.0 - Simplified roles Jun 30, 2014

@Evertt

Evertt Oct 19, 2014

Hey are you guys still working on this project? I was trying to implement this library using your guide on github.io, but after I implemented the Role-classes I suddenly couldn't use the doctrine console anymore to update the database schema (more info here).

I'd love to see this pull-request get completed, because it looks like a lot easier way to define roles. Or is this project dead and would you guys recommend me to try another library?

@mnapoli

mnapoli Oct 20, 2014

Member

@Evertt unfortunately this branch will probably not get merged (anytime soon at least).

The current version should work fine, it is used in production (I said should because the problem you are facing looks tricky!). However there is no big refactoring or new features planned for all I know. Bugfixes will be merged, but probably will not be provided by us if you find one. I hope that answers your questions :) (in short if you want full support and maintenance, you might not want this)

And I have no idea what's happening in your console sorry :(

@mnapoli

mnapoli Oct 20, 2014

Member

To expand a bit: the production will stay at v1.* so if there's a 2.0, it's hard to maintain it without running it ourselves. That's why this PR is stalled right now.

@mnapoli mnapoli referenced this pull request Dec 7, 2015

Closed

Revoking a role #19
