2

I couldn't understand a concept when using ZfcRbac.

1. I use my own User entity with implementing ZfcRbac\Identity\IdentityInterface

2. This interface has addRole and getRoles methods and getRoles() should return array of Rbac\Role\RoleInterface so I have an array of Rbac\Role\RoleInterface

3. I get roles from my custom model and add roles to User entity via addRole() when authenticating the user

4. Rbac\Role\RoleInterface has hasPermission() method which returns role's permissions

Summary: After authentication I have my authenticated User identity information, roles and permissions for per role. Why I need another RoleProvider and list my all roles in it? What am i missing?

Wilt
  • 41,477
  • 12
  • 152
  • 203
Fuat Sayra ÖZDEN
  • 265
  • 2
  • 10

2 Answers2

1

As you can see in the php doc in the IdentityInterface The getRoles() method can return two things:

1. an array of strings

2. an array of Rbac\Role\RoleInterface

In case you return an array of strings you need an additional RoleProvider to "translate" the strings to actual instances of a Rbac\Role\RoleInterface. If you return an array of Rbac\Role\RoleInterface it seems to me that you do not longer need a RoleProvider.

Wilt
  • 41,477
  • 12
  • 152
  • 203
  • Thanks lot for your answer, I decided to keep my RoleProvider inside User entitiy. So I won't use a role_provider, but if you don't set any role_provider zfcrbac gives 'No role provider has been set for ZfcRbac' error. How can I handle this. – Fuat Sayra ÖZDEN Mar 10 '15 at 11:53
  • Not sure... Maybe you can still set a `ObjectRepositoryRoleProvider` that points to your doctrine `Role` entity like mentioned [here in the docs](https://github.com/ZF-Commons/zfc-rbac/blob/master/docs/03.%20Role%20providers.md#objectrepositoryroleprovider). In the end I think it won't be used if your indentity holds `RoleInterface`, but at least it is pointing to the correct source. – Wilt Mar 10 '15 at 11:58
  • I tried this 'role_provider' => [ 'ZfcRbac\Role\InMemoryRoleProvider' => [ '' => [], ] ], And worked :) – Fuat Sayra ÖZDEN Mar 10 '15 at 12:01
  • I think it is better to make sure that the `RoleProvider` you specify ends up returning the list of roles that you are actually using in your identities. It is more consistent... – Wilt Mar 10 '15 at 12:02
1

It seems to me that Role Providers are not for generating a user role list, but rather to the load and build an accessible listing of application roles with permissions to be used during and in the authorization service.

So I am extending the Zend\Authentication\AuthenticationService so I can implement the abstract method getRoles() of the ZfcRbac\Identity\IdentityInterface.

I still need to code for the accessing of user roles and storage of user roles to be authorized. There are not many examples of loading user roles using the AuthenticationService or IdentityInterface, and the loading of the role provider seems well documented. I am trying to decouple Authentication from Authorization. I Authenticate and then I load the user's role in my Authorization module because I may have cases where authentication is all that is necessary and the loading of a guest role is overhead.

maxshuty
  • 9,708
  • 13
  • 64
  • 77
Ron Estrada
  • 11
  • 1