From my research, I have found that the Authority package (https://github.com/machuga/authority-l4) is best for implementing a role/permissions based user auth system while maintaining flexibility. I am having trouble understanding exactly how to use this package. The documentation covers it's functions and configuration, but does not explain a few things. Was hoping someone could point me in the right direction.
What is the purpose of the config file? To specify permissions? Are these not stored in the database?
I see you can group permissions together using Aliases. What if I do not want to use an alias. Is there a way to create just a permission by itself?
I see you can create rules for Resources, such as only allowing a user to edit posts which they are assigned to. The documentation does not appear to have much information on this.
Any help would be greatly appreciated. Searched the internet, but not finding much for this package.
I haven't used Authority, although I am looking at it for a project. Based on my reading of the docs, here's the way it works:
The config file is there to specify configuration for the package. The roles & permissions can be stored in the database (although they don't have to be).
The configuration file is there to tell the package how to work. So, for example, the config file allows you to set up aliases for one or more permissions - if you use aliases, this needs to be done up front, so that the package works the way you expect it to. As another example, the rules (more later) can (and should) be set up in the config.
Consider the following config (from the Authority docs):
return array(
'initialize' => function($authority) {
$user = $authority->getCurrentUser();
//action aliases
$authority->addAlias('manage', array('create', 'read', 'update', 'delete'));
$authority->addAlias('moderate', array('read', 'update', 'delete'));
//an example using the `hasRole` function, see below examples for more details
if($user->hasRole('admin')){
$authority->allow('manage', 'all');
}
}
);
What is this doing? Let's go through it step-by-step:
First, this is specifying something that's supposed to happen when the application is initialized. Presumably, there are other events that could occur, but I'm unsure why you'd want to change the rules after the app is initialized. When the app is initialized, the closure is called.
The closure does this:
gets the current user - later rules depend on who is logged in
set up a couple of aliases - 'cuz we're lazy and don't want to specify rules for create, read, etc. one-by-one. We can just use manage instead.
next it checks the current user. If they're an admin, they get manage permissions for all resources.
If your access control info is stored in the database, you could load it here and use that data to set up your rules.
Now, later on in the execution of your app, you need to check and see if the user can, for example, create a user record. Do this in your controller:
if( Authority::can('create', 'User') ) {
User::create(array(
'username' => 'someuser@test.com'
));
} else {
// what happens if the user's trying to do something they're not
// allowed to do?
throw new Exception("No way man!");
}
This checks the rules you set up in your config, and determines if the user is allowed to do this. If they're not, then (in my example) throw an exception. You probably want to handle it more gracefully.
Authority gives you the flexibility to define your permissions much more precisely. For example,
Authority::allow('manage', 'User', function($self, $user){
return $self->getCurrentUser()->id === $user->id;
});
This rule includes a check that allows a user to manage their own user record, but nobody else's. To do this, you need to adjust the example above.
if( Authority::can('update', 'User', $user) ) {
$user->username = 'someuser@test.com';
$user->save();
} else {
// what happens if the user's trying to do something they're not
// allowed to do?
throw new Exception("What do you think you're doing?!");
}
In this case, the Authority instance gets passed into the closure as $self then the current user ID is retrieved and checked against the user being edited ($user). If the user is trying to edit someone other than themselves, the check fails.
That's a very basic overview - hope it helps.