PolicyRuleManager suggestion

[altaraven]

Please take a look at PolicyRuleManager::getRule() method.
I suppose it will be very usefull in some cases to make 2 steps authorization. Especially when using frameworks:

1. We need to check if user can acces this action at all. If not, we just stop the code and dont try to get the object:

$abac->enforce('blabla', $user);

2. Only after that we want to perform query to database to find an object and check acces to the object:

$abac->enforce('blabla', $user, $object);

This can be very usefull when db query (or 3rd party service query) is heavy and takes much time.

But in current implementation it is not possible with a single rule. The library will always try to check $object even if it wasnt passed to enforce() method.

So, I suggest to add a check to the PolicyRuleManager::getRule() method like this:

            foreach ($this->processRuleAttributes($rule['attributes'], $user, $resource) as $pra) {
                if(!$resource && $pra->getAttribute()->getType() == 'resource') {
                    continue;
                }
                $Policy->addPolicyRuleAttribute($pra);
            }

Maybe there can be more pretty way to do this. So what do you think? Another option is to add a method to Abac class

$abac->enforceUserOnly('blabla', $user);// or somth like this

[Kern046]

Hello !

In fact, what you suggest was planned already in the library. As you can see, the $object variable can be null in the enforce function and I thought I already made possible to just check the user attributes in this case. But reviewing the code now I can see that this feature does not seem to be available for now.

To be more specific what I planned was to configure multiple resources for one rule. The library would check the class of the given resource, and know which attributes are to be checked to enforce the rule. If none is given, only the user attributes shall be checked.

The same design can be applied to the user attributes, with different user classes configured for one rule.

[altaraven]

The same design can be applied to the user attributes, with different user classes configured for one rule.

OK, but it's hard for me to imagine the use case for this:) Generally user is a currently logged in user, it can be only one at the same time...

[Kern046]

In some applications, the User class is not the same for two distincts users. In my case, I have for exemple a trade account, using a Merchant object for the user, and a member account, using Member object.

Let's imagine that I have a rule to buy something. For a Member, I must check that he has a payment method in his attributes, whereas I know that the Merchant has already it. In this case, the checks won't be the same depending on the User class.