Skip to content
This repository was archived by the owner on Jan 30, 2020. It is now read-only.

Ownership assertion #3

Closed
nikolaposa wants to merge 2 commits into from
Closed

Ownership assertion #3

nikolaposa wants to merge 2 commits into from

Conversation

@nikolaposa
Copy link
Contributor

@nikolaposa nikolaposa commented Jun 28, 2015

Intent

When setting up permissions for some application, there is a common use case of allowing some role to manipulate with resources owned by the user which has that certain role. For example, blog author should have permission to write new posts, but he/she should also have permission to modify his/her own posts, and not posts of other authors.

Solution

  • ProprietaryInterface - applicable to Resources and Roles. Provides information about the owner of some object. Used in conjunction with the OwnershipAssertion.
  • OwnershipAssertion - makes sure that some resource is owned by certain role, by comparing owners provided by the ProprietaryInterface implementations.

Use-case

Entities:

namespace MyApp\Entity;

use Zend\Permissions\Acl;

class User implements Acl\Role\RoleInterface, Acl\ProprietaryInterface
{
    protected $id;

    protected $role = 'guest';

    public function __construct($id, $role)
    {
        $this->id = $id;
        $this->role = $role;
    }

    public function getRoleId()
    {
        return $this->role;
    }

    public function getOwnerId()
    {
        return $this->id;
    }
}

class BlogPost implements Acl\Resource\ResourceInterface, Acl\ProprietaryInterface
{
    public $author = null;

    public function getResourceId()
    {
        return 'blogPost';
    }

    public function getOwnerId()
    {
        if ($this->author === null) {
            return null;
        }

        return $this->author->getOwnerId();
    }
}

Usage example:

namespace MyApp;

use MyApp\Entity;
use Zend\Permissions\Acl;

$acl = new Acl\Acl();
$acl->addRole('guest');
$acl->addRole('member', 'guest');
$acl->addRole('author', 'member');
$acl->addRole('admin');

$acl->addResource('blogPost');
$acl->addResource('comment');

$acl->allow('guest', 'blogPost', 'view');
$acl->allow('guest', 'comment', array('view', 'submit'));
$acl->allow('author', 'blogPost', 'write');
$acl->allow('author', 'blogPost', 'edit', new Acl\Assertion\OwnershipAssertion());
$acl->allow('admin');

$author1 = new User(1, 'author');
$author2 = new User(2, 'author');

$blogPost = new BlogPost();
$blogPost->author = $author1;

$acl->isAllowed($author1, 'blogPost', 'write'); //true
$acl->isAllowed($author1, $blogPost, 'edit'); //true
$acl->isAllowed($author2, 'blogPost', 'write'); //true
$acl->isAllowed($author2, $blogPost, 'edit'); //FALSE

@nikolaposa
Copy link
Contributor Author

nikolaposa commented Aug 15, 2015

Is there anything else I should do in order for this PR to be accepted? Any other comments?

@weierophinney weierophinney added this to the 2.7.0 milestone May 1, 2018
weierophinney added a commit that referenced this pull request May 1, 2018
@weierophinney
Adds documentation for #3 (ownership assertions)
187e466 
Based on the wonderful issue description!
weierophinney added a commit that referenced this pull request May 1, 2018
@weierophinney
Adds CHANGELOG entry for #3
dc5ae74
weierophinney added a commit that referenced this pull request May 1, 2018
@weierophinney
Merge branch 'feature/3-ownership-assertion' into develop
00f177b 
Close #3
@weierophinney
Copy link
Member

weierophinney commented May 1, 2018

Thanks, @nikolaposa! I have created documentation for the feature during merge, and this will release with 2.7.0.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.7.0

Development

Successfully merging this pull request may close these issues.

4 participants

@nikolaposa @weierophinney @larsnystrom @adamlundrigan