
PolicyRuleManager suggestion #45

Open
altaraven opened this issue Dec 28, 2016 · 3 comments

Comments

@altaraven

altaraven commented Dec 28, 2016

Please take a look at the PolicyRuleManager::getRule() method.
I suppose it will be very useful in some cases to make a 2-step authorization. Especially when using frameworks:

  1. We need to check if the user can access this action at all. If not, we just stop the code and don't try to get the object:
$abac->enforce('blabla', $user);
  2. Only after that, we want to perform a query to the database to find an object and check access to the object:
$abac->enforce('blabla', $user, $object);

This can be very useful when the db query (or 3rd-party service query) is heavy and takes much time.

But in the current implementation it is not possible with a single rule. The library will always try to check $object even if it wasn't passed to the enforce() method.

So, I suggest adding a check to the PolicyRuleManager::getRule() method like this:

    foreach ($this->processRuleAttributes($rule['attributes'], $user, $resource) as $pra) {
        // Skip resource attributes when no resource was passed to enforce()
        if (!$resource && $pra->getAttribute()->getType() == 'resource') {
            continue;
        }
        $Policy->addPolicyRuleAttribute($pra);
    }

Maybe there is a prettier way to do this. So what do you think? Another option is to add a method to the Abac class:

$abac->enforceUserOnly('blabla', $user); // or something like this
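The two-step flow proposed above, as an added stand-alone example (not php-abac code): a minimal evaluator where a rule lists 'user' and 'resource' attributes, and resource attributes are skipped when no resource is supplied. The rule format, attributeMatches() and enforce() here are hypothetical, chosen only to show the idea.

```php
<?php
// Added example, not php-abac code. A rule lists attributes of type 'user'
// or 'resource'; the evaluator skips resource attributes when no resource
// is passed, so step 1 can run before any object is loaded.

// Hypothetical rule: the user must be an editor, and the resource (when
// supplied) must be owned by that user.
$rule = [
    'attributes' => [
        ['type' => 'user',     'field' => 'role',    'equals' => 'editor'],
        ['type' => 'resource', 'field' => 'ownerId', 'equals' => '@user.id'],
    ],
];

function attributeMatches(array $attr, array $user, ?array $resource): bool
{
    $subject  = $attr['type'] === 'user' ? $user : $resource;
    $expected = $attr['equals'];
    // '@user.<field>' references a user attribute instead of a literal value.
    if (is_string($expected) && str_starts_with($expected, '@user.')) {
        $expected = $user[substr($expected, 6)] ?? null;
    }
    return ($subject[$attr['field']] ?? null) === $expected;
}

function enforce(array $rule, array $user, ?array $resource = null): bool
{
    foreach ($rule['attributes'] as $attr) {
        // The proposed behaviour: without a resource, only user attributes count.
        if ($resource === null && $attr['type'] === 'resource') {
            continue;
        }
        if (!attributeMatches($attr, $user, $resource)) {
            return false; // deny on the first failing attribute
        }
    }
    return true;
}

// Constructed sample data.
$user = ['id' => 7, 'role' => 'editor'];

// Step 1: cheap check on the user alone, before the expensive lookup.
if (!enforce($rule, $user)) {
    exit("forbidden: user may not perform this action\n");
}

// Step 2: only now load the object and re-check with it present.
$object = ['ownerId' => 7];
var_dump(enforce($rule, $user, $object));
var_dump(enforce($rule, $user, ['ownerId' => 9]));
```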
@Kern046
Collaborator

Kern046 commented Jan 2, 2017

Hello !

In fact, what you suggest was already planned in the library. As you can see, the $object variable can be null in the enforce function, and I thought I had already made it possible to just check the user attributes in this case. But reviewing the code now, I can see that this feature does not seem to be available for now.

To be more specific, what I planned was to configure multiple resources for one rule. The library would check the class of the given resource and know which attributes are to be checked to enforce the rule. If none is given, only the user attributes shall be checked.

The same design can be applied to the user attributes, with different user classes configured for one rule.

@altaraven
Author

> The same design can be applied to the user attributes, with different user classes configured for one rule.

OK, but it's hard for me to imagine the use case for this :) Generally, the user is the currently logged-in user; there can be only one at the same time...

@Kern046
Collaborator

Kern046 commented Jan 3, 2017

In some applications, the User class is not the same for two distinct users. In my case, I have for example a trade account, using a Merchant object for the user, and a member account, using a Member object.

Let's imagine that I have a rule to buy something. For a Member, I must check that he has a payment method in his attributes, whereas I know that the Merchant already has it. In this case, the checks won't be the same depending on the User class.
