add permissions capacity to RouteGuard and ControllerGuard

[jmleroux]

Another way to manage permissions checks for RouteGuard as an alternative to #238

Discussion is open. ;)

[coveralls]

Coverage increased (+0.24%) when pulling d580bff on jmleroux:permissions-guards into 397c676 on ZF-Commons:master.

[coveralls]

Coverage increased (+0.05%) when pulling 2819ed0 on jmleroux:permissions-guards into 397c676 on ZF-Commons:master.

[jmleroux]

I prefer this way for checking permissions.

@arekkas, @danizord, @bakura10, @Ocramius ?

[aeneasr]

It is not clear to me, that 'roles' => 'foo' override (AND operation) 'permission' => 'bar' you would actually need a setting for that. Take this config for example:

'My\Controller' => [
    'roles' => ['admin'],
    'permission' => ['mayAccess']
]

I think it is preferable to do something like this:

'My\Controller' => [
    'roles' => ['admin'],
    'permission' => ['mayAccess'],
    'operator' => GuardInterface::OR_OPERATOR
]

[jmleroux]

Like discussed in #238, it will be another PR.
I keep it simple first.

[aeneasr]

@bakura10 and me hat a discussion some while back where we talked about this exact thing. He pointed out, that Guards should not be the single point of authorization but rather an additional security measure in your logic. Allowing programmers to add permissions could result in the neglect of implementing security measures in their respective services.

However it seems as if #238 changed his mind. I think checking for permissions in controllers is a very convenient feature and I do approve of that.

[coveralls]

Coverage increased (+0.23%) when pulling 2b40a1b on jmleroux:permissions-guards into 397c676 on ZF-Commons:master.

[jmleroux]

For me, not being able to check for permissions in route guards make it impossible to use ZfcRbac 2.x in lots of applications. I kept stuck with 0.2.
And i think i'm not the only one...

[coveralls]

Coverage increased (+0.23%) when pulling 68d4dce on jmleroux:permissions-guards into 397c676 on ZF-Commons:master.

[davidwindell]

@jmleroux so I don't have to look through the commits, can you summarise what is different between this and #238?

[jmleroux]

@davidwindell
#238 uses a dedicated RoutePermissionsGuard. This PR add the permissions capabilities directly to RouteGuard.

[davidwindell]

@jmleroux how does this work if you have a ROLE and a PERMISSION, is it an or between these just as multiple roles/permissions would be an OR (for now)?

[jmleroux]

For now, if there is a 'roles' key in configuration, then access is verified against roles. Permissions will not be tested.
Maybe i will throw an exception if both keys are present.
I don't think it's a good idea to mix roles and permissions. Do you have an example for mxing the two ?

[davidwindell]

I think it would be better kept separate tbh as in #238, it would make configuration files cleaner when there are lots of routes.

[jmleroux]

I think it would be better kept separate tbh as in #238, it would make configuration files cleaner when there are lots of routes.

It's a choice.
For my part, I have not yet chosen. 😄

Others ?

[coveralls]

Coverage increased (+0.07%) when pulling 74e84a7 on jmleroux:permissions-guards into 397c676 on ZF-Commons:master.

[aeneasr]

I think it would be better kept separate tbh as in #238, it would make configuration files cleaner when there are lots of routes.

agreed!

[jmleroux]

AAArrrggghhh :)

So this PR is unnecessary. 😬 ?

[jmleroux]

Closing this one, as it seems the separation between guards is the preferred one.