- Member | 5
I'd like my ACL to handle ownership as well. Instead of calling
I'd like to be able to call
$user->isAllowed($resource, $privilege, $userId, $resourceId)
and check whether this user owns the resource in question.
Authorizator.php in my
folder accordingly and it works just fine. What bugs me is that I also had to
/nette/security/src/Security/User.php, which is
baaad! I do NOT want to edit core parts of the framework (for too
many obvious reasons).
What would be the best solution for me?
Last edited by BugsBunny (2015-02-16 07:14)
Both $userId and $resourceId seem redundant. If you really need
User in your authorizator, you can fetch it from the container (but
I wouldn't recommend it, see previous answers). If you need $resourceId, make
your resources implement
- Member | 2296
way. I use ORM, so I have true entities. In
you must create some resources of your own.
To check rights you can't use
this method gets only the user's roles, not an instance of User.
Inject the ACL into your presenter (or any class where you need the check) and use:
<?php
// User entity is an instance implementing IRole and Resource is an instance implementing IRole.
$this->acl->isAllowed($userEntity, $resource, $privilege);
?>
P.S. This is used in a project where the user has only one role!
Last edited by Šaman (2015-02-16 13:14)
This seems pretty cool to me. I'll give it a shot!
4 years ago
Implemented. I basically had the solution in front of me the whole time (my own /app/model/Authorizator.php implementing Nette\Security\IAuthorizator), I was just stuck with using it through $this->user->isAllowed(…) instead of straight $this->acl->isAllowed(…). Thanks everyone!
4 years ago
- Filip Klimeš
- Member | 157
Nette\Security\User represents a single signed-in user. You shouldn't check other users' privileges via this class as it violates SRP. You could create your own service for checking privileges and inject it where you need it.
I am not trying to check other users' privileges, I am trying to check whether the resource in question belongs to the single signed-in user. No other users' privileges involved.
4 years ago
Example: Forum where user is allowed to edit only his/her own posts. I guess $user->isAllowed($resource, $privilege, $resourceId); would be enough ($userId is redundant).
4 years ago
Oh, I'm sorry, I got misled by the $userId – which really is redundant.
4 years ago
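The forum case from this thread (a member may edit only their own posts), as an added example that is not any participant's code: the ownership check lives in a Nette\Security\Permission assertion, and the entities are passed straight to isAllowed(). ForumUser, Post, the role and resource names and the sample ids are hypothetical; it assumes PHP 8 and nette/security 3.x installed through Composer.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes `composer require nette/security`

use Nette\Security\IResource;
use Nette\Security\IRole;
use Nette\Security\Permission;

// Hypothetical user entity: carries its id so the ACL can compare owners.
final class ForumUser implements IRole
{
	public function __construct(public int $id, private string $role) {}
	public function getRoleId(): string { return $this->role; }
}

// Hypothetical resource entity: knows who wrote it.
final class Post implements IResource
{
	public function __construct(public int $id, public int $authorId) {}
	public function getResourceId(): string { return 'post'; }
}

$acl = new Permission;
$acl->addRole('member');
$acl->addRole('moderator', 'member'); // moderator inherits member rules
$acl->addResource('post');

// The assertion is evaluated only for the rule it is attached to and sees
// the objects that were passed to isAllowed().
$ownsPost = function (Permission $acl): bool {
	$user = $acl->getQueriedRole();
	$post = $acl->getQueriedResource();
	// Fail closed when the caller passed plain strings instead of entities.
	return $user instanceof ForumUser && $post instanceof Post
		&& $user->id === $post->authorId;
};
$acl->allow('member', 'post', 'edit', $ownsPost);
$acl->allow('moderator', 'post', 'edit'); // unconditional for moderators

// Constructed sample data.
$alice = new ForumUser(1, 'member');
$mod = new ForumUser(2, 'moderator');
$foreign = new Post(10, authorId: 7);
var_dump($acl->isAllowed($alice, new Post(11, authorId: 1), 'edit')); // own post
var_dump($acl->isAllowed($alice, $foreign, 'edit'));  // someone else's post
var_dump($acl->isAllowed($mod, $foreign, 'edit'));    // moderator
```

Because the assertion returns false for string arguments, a call such as isAllowed('member', 'post', 'edit') is denied rather than silently skipping the ownership check.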