Allow callable for requireAuthorizationCheck config option

dereuromark · dereuromark · commit 2cc91353dd92 · 2026-03-29T17:54:30.000+02:00
This allows applications to conditionally skip the authorization check
based on the request. This is useful when integrating plugins that have
their own admin panels and manage authorization independently (e.g.,
queue management dashboards).

The callable receives the ServerRequestInterface and should return a
boolean - true to require authorization check (default), false to skip.

Example use case:
```php
$middlewareQueue-&gt;add(new AuthorizationMiddleware($this, [
    'requireAuthorizationCheck' =&gt; function ($request) {
        $path = $request-&gt;getUri()-&gt;getPath();
        if (str_contains($path, '/admin/queue')) {
            return false;
        }
        return true;
    }
]));
```
diff --git a/docs/en/middleware.rst b/docs/en/middleware.rst
@@ -176,6 +176,26 @@ option::
         'requireAuthorizationCheck' => false
     ]));
 
+You can also use a Closure to conditionally skip the authorization check based
+on the request. This is useful when you need to bypass authorization for specific
+routes (e.g., plugin admin panels that manage their own authorization)::
+
+    $middlewareQueue->add(new AuthorizationMiddleware($this, [
+        'requireAuthorizationCheck' => function ($request) {
+            // Skip authorization check for specific routes
+            $path = $request->getUri()->getPath();
+            if (str_contains($path, '/admin/queue')) {
+                return false;
+            }
+
+            return true;
+        }
+    ]));
+
+The Closure receives the ``ServerRequestInterface`` and should return a boolean.
+Return ``true`` to require authorization check (default behavior), or ``false``
+to skip the check for that request.
+
 Handling Unauthorized Requests
 ------------------------------
 
diff --git a/src/Middleware/AuthorizationMiddleware.php b/src/Middleware/AuthorizationMiddleware.php
@@ -28,6 +28,7 @@
 use Authorization\IdentityInterface;
 use Authorization\Middleware\UnauthorizedHandler\UnauthorizedHandlerTrait;
 use Cake\Core\ContainerApplicationInterface;
+use Closure;
 use Cake\Core\ContainerInterface;
 use Cake\Core\InstanceConfigTrait;
 use Psr\Http\Message\ResponseInterface;
@@ -56,7 +57,8 @@ class AuthorizationMiddleware implements MiddlewareInterface
      * - `requireAuthorizationCheck` When true the middleware will raise an exception
      *   if no authorization checks were done. This aids in ensuring that all actions
      *   check authorization. It is intended as a development aid and not to be relied upon
-     *   in production. Defaults to `true`.
+     *   in production. Defaults to `true`. Can also be a Closure that receives the
+     *   ServerRequestInterface and returns a boolean, allowing route-based control.
      *
      * @var array<string, mixed>
      */
@@ -135,7 +137,11 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
         try {
             $response = $handler->handle($request);
 
-            if ($this->getConfig('requireAuthorizationCheck') && !$service->authorizationChecked()) {
+            $requireCheck = $this->getConfig('requireAuthorizationCheck');
+            if ($requireCheck instanceof Closure) {
+                $requireCheck = $requireCheck($request);
+            }
+            if ($requireCheck && !$service->authorizationChecked()) {
                 throw new AuthorizationRequiredException(['url' => $request->getRequestTarget()]);
             }
         } catch (Exception $exception) {
diff --git a/tests/TestCase/Middleware/AuthorizationMiddlewareTest.php b/tests/TestCase/Middleware/AuthorizationMiddlewareTest.php
@@ -316,4 +316,68 @@ public function testMiddlewareInjectsServiceIntoDICViaCustomContainerInstance()
 
         $this->assertEquals($service, $container->get(AuthorizationService::class));
     }
+
+    public function testRequireAuthorizationCheckCallableReturnsTrue(): void
+    {
+        $this->expectException(AuthorizationRequiredException::class);
+
+        $service = $this->createMock(AuthorizationServiceInterface::class);
+        $service->expects($this->once())
+            ->method('authorizationChecked')
+            ->willReturn(false);
+
+        $request = (new ServerRequest())->withAttribute('identity', ['id' => 1]);
+        $handler = new TestRequestHandler();
+
+        $middleware = new AuthorizationMiddleware($service, [
+            'requireAuthorizationCheck' => function (ServerRequestInterface $request): bool {
+                return true;
+            },
+            'identityDecorator' => IdentityDecorator::class,
+        ]);
+        $middleware->process($request, $handler);
+    }
+
+    public function testRequireAuthorizationCheckCallableReturnsFalse(): void
+    {
+        $service = $this->createMock(AuthorizationServiceInterface::class);
+        $service->expects($this->never())
+            ->method('authorizationChecked');
+
+        $request = (new ServerRequest())->withAttribute('identity', ['id' => 1]);
+        $handler = new TestRequestHandler();
+
+        $middleware = new AuthorizationMiddleware($service, [
+            'requireAuthorizationCheck' => function (ServerRequestInterface $request): bool {
+                return false;
+            },
+            'identityDecorator' => IdentityDecorator::class,
+        ]);
+        $result = $middleware->process($request, $handler);
+
+        $this->assertInstanceOf(ResponseInterface::class, $result);
+    }
+
+    public function testRequireAuthorizationCheckCallableWithRouteBasedLogic(): void
+    {
+        $service = $this->createMock(AuthorizationServiceInterface::class);
+        $service->expects($this->never())
+            ->method('authorizationChecked');
+
+        $request = ServerRequestFactory::fromGlobals(['REQUEST_URI' => '/admin/queue']);
+        $handler = new TestRequestHandler();
+
+        $middleware = new AuthorizationMiddleware($service, [
+            'requireAuthorizationCheck' => function (ServerRequestInterface $request): bool {
+                // Skip authorization check for admin/queue routes
+                $path = $request->getUri()->getPath();
+
+                return !str_contains($path, '/admin/queue');
+            },
+            'identityDecorator' => IdentityDecorator::class,
+        ]);
+        $result = $middleware->process($request, $handler);
+
+        $this->assertInstanceOf(ResponseInterface::class, $result);
+    }
 }
