SyliusResourceBundle

AuthorizationCheckerInterface should be able to receive a subject

Open · mbabker opened this issue 3 years ago · 1 comment

Describe the proposed solution

At present, Sylius\Bundle\ResourceBundle\Controller\AuthorizationCheckerInterface::isGranted() only works with two bits of data:

  • A Sylius\Bundle\ResourceBundle\Controller\RequestConfiguration instance holding information about the current request (derived from the request and the resource configuration)
  • The permission being checked

This means the authorization checker cannot be used when making access decisions based on an object (typically a resource loaded from the database).

We have a bit of a unique setup for one of our clients where they have an intranet type setup and a single user entity for the full application (so no separate firewalls or authentication between frontend and admin, it's all one app with a lot more than just a Sylius install), and only part of the admin section is available to certain users (and even with that access, they can only see selected records). Using the sylius.order.show permission as an example, with the current interface and code flow this requires us to first make a generic "can access shop admin" check in our custom implementation of the authorization checker interface then listen on the sylius.order.show event to make the rest of our ACL checks using the resource once it has been loaded.

An optional $subject argument should be added to Sylius\Bundle\ResourceBundle\Controller\AuthorizationCheckerInterface::isGranted() (similar to the $subject argument of Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface::isGranted()) and the resource controller updated to support making ACL checks with a subject as appropriate (i.e. in the showAction(), the resource should be loaded first then the ACL checked).

I realize I might be stepping on toes with the Sylius Plus product and its "Advanced user permissions" feature, but IMO, the authorization checker as it is now is pretty limiting and requires some "interesting" workarounds to make the system useful.

mbabker avatar Feb 09 '22 19:02 mbabker
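A sketch of what the proposal would look like in code, added here as an illustration and not code from SyliusResourceBundle or from the issue author. The third $subject parameter, the SubjectAware* names and showActionSketch() are hypothetical; RequestConfiguration::hasPermission()/getPermission() and the Symfony checker are the real APIs the bundle's current checker already delegates to, and PHP 8 syntax is assumed.

```php
<?php
// Hypothetical sketch of the proposed subject-aware check. The $subject
// parameter does not exist in SyliusResourceBundle; it is what this issue asks for.
declare(strict_types=1);

use Sylius\Bundle\ResourceBundle\Controller\RequestConfiguration;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface as SymfonyChecker;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

interface SubjectAwareAuthorizationCheckerInterface
{
    /** @param mixed $subject The loaded resource, or null for checks made before anything is loaded. */
    public function isGranted(RequestConfiguration $configuration, string $permission, mixed $subject = null): bool;
}

final class SubjectAwareAuthorizationChecker implements SubjectAwareAuthorizationCheckerInterface
{
    public function __construct(private readonly SymfonyChecker $authorizationChecker)
    {
    }

    public function isGranted(RequestConfiguration $configuration, string $permission, mixed $subject = null): bool
    {
        // Resources with no permission configured stay open, mirroring the bundle's current checker.
        if (!$configuration->hasPermission()) {
            return true;
        }

        // getPermission() expands the action name into the full attribute (e.g. "sylius.order.show").
        // Forwarding $subject lets a Symfony voter decide per record instead of per action.
        return $this->authorizationChecker->isGranted($configuration->getPermission($permission), $subject);
    }
}

// The ordering change the issue describes for showAction(): load the record first,
// then make the access decision with it. $findOr404 stands in for the controller's loader.
function showActionSketch(
    SubjectAwareAuthorizationCheckerInterface $checker,
    RequestConfiguration $configuration,
    callable $findOr404,
    string $permission
): object {
    $resource = $findOr404($configuration);

    if (!$checker->isGranted($configuration, $permission, $resource)) {
        throw new AccessDeniedException();
    }

    return $resource;
}
```

With the subject forwarded, the per-record filtering the issue currently does in a sylius.order.show event listener can live in an ordinary Symfony voter, and a denied record is rejected before the controller proceeds.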

It was already reported :slightly_frowning_face: https://github.com/ztellman/aleph/issues/327

gsnewmark avatar Mar 14 '18 09:03 gsnewmark

Ahh you're right, I'll close this since it is a duplicate then, thanks

dakrone avatar Mar 14 '18 14:03 dakrone