Laminas ACL with multiple non-hierarchical roles

Hello everyone.
I would like to submit my problem.
In my Laminas MVC application I would like to set up ACL on navigation.
Here are the facts:
A user can have multiple roles stored in a table with the user ID. My roles are not hierarchical. A user can have a temporary role which expires on a certain date. I have a cron job with laminas-cli which disables expired temporary roles.
So if a user has a temp role, he can view the related links in navigation. If the role expires, the related link must not be visible anymore.
I saw the LmcRbacMvc plugin and I think it is very useful, and I would like to use it to solve my problem.

Any idea or suggestion will be really appreciated.
Thank you !

Does this mean that the role is not added / registered any more?

The current role of the user must be set for the navigation helper and the helpers will check the permission.

This will not work because Rbac is not ACL.

Does this mean that the role is not added / registered any more?

→ The role is always added, but if the user has expired temp roles, related links or these roles are not visible. That is what I want.

The current role of the user must be set for the navigation helper and the helpers will check the permission.

→ Understood

This will not work because Rbac is not ACL.

Ok.

I need to say that I do not have my role in the function user->getIdentity() because my user can have multiple roles stored in a table.

If the role has expired, then do not register it in the role registry. Otherwise, the role is present and the permission checks can pass.

If you want to use the standard navigation helpers, then you can only pass one role.

For the standard navigation helpers, when passing one role, can I redefine the hasRole($role) function by adding a check that $role has not expired?

This means you must extend Laminas\Permissions\Acl\Acl and Laminas\Permissions\Acl\Role\Registry. But not registering is much easier:

// pseudo code
foreach ($roles as $role) {
    if (! $role->isExpired()) {
        $acl->addRole($role);
    }
}

Thank you @froschdesign. I will come back to you very soon.

@froschdesign,

I would like to know: because my user has many roles, can I call navigation like this:

<?php
    $this->navigation('default')->menu()->setAcl('myacl')->setRole('role1')->setRole('role2')->setRole('roleN')->setPartial('partial/top-nav.phtml');
?>

?

This will overwrite the previous value for the role property because only one role is used for the permission check.


But I see a problem with your concept in general, because with your temporary roles you have to manage the resources also for these temporary roles. In this case, it is probably easier to create a hierarchy for the roles, and then only one role needs to be checked at a time.
Otherwise, you would have to modify the navigation container yourself before it is processed with the view helpers.

OK I see. You clearly understood my problem.
Lemme try something and get back to you.
Thank you very much

Hi @ebuddy,

As far as the expiry of a role is concerned, you can use Javascript of your choice to handle it, because PHP can’t handle such a situation. As far as associating multiple roles to the navigation helpers, it is not possible in my opinion, and even in the documentation I couldn’t find it. I hope your problem might get solved via javascript by sending an ajax after a particular time has passed. Thanks!

Thanks for your answer. But I’m not sure Js will be great for that. I’m exploring a situation and I’m very close to solving it.
This will be posted once I finish.

Of course you can use PHP here. I have already made a proposal on this:

This can be done via a listener that listens on an MVC event, and then the navigation helpers do not need a role or ACL to check permissions.
But I wouldn’t go that way, because it’s too much work and only because the access control lists are used differently than intended:

Problem solved with your proposition. I have created virtual roles with the real ones and with a good class extending Acl.
Thank you very much @froschdesign
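
One way to combine the two suggestions in this thread (skip expired roles, and check a single role that stands for the real ones), written as an added example that is not code from any participant or from the Laminas project. The table columns, the `user-<id>` naming scheme, the resource names and the `buildUserAcl()` helper are assumptions, and the rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Assumes: composer require laminas/laminas-permissions-acl
require __DIR__ . '/vendor/autoload.php';

use Laminas\Permissions\Acl\Acl;

// Constructed sample data: role => navigation resources it may see (no hierarchy).
$rules = [
    'editor'   => ['nav.articles'],
    'reviewer' => ['nav.reviews'],
    'auditor'  => ['nav.audit-log'],
];
// Constructed rows as they might come from the user/role table (hypothetical columns).
$assignments = [
    ['user_id' => 42, 'role' => 'editor',   'expires_at' => null],
    ['user_id' => 42, 'role' => 'reviewer', 'expires_at' => '2030-01-01 00:00:00'],
    ['user_id' => 42, 'role' => 'auditor',  'expires_at' => '2020-01-01 00:00:00'], // expired
];

/** Returns [Acl, virtual role name]; expired assignments never become parents. */
function buildUserAcl(int $userId, array $assignments, array $rules, DateTimeImmutable $now): array
{
    $acl = new Acl(); // default rule: deny everything
    foreach ($rules as $role => $resources) {
        $acl->addRole($role);
        foreach ($resources as $resource) {
            if (! $acl->hasResource($resource)) {
                $acl->addResource($resource);
            }
            $acl->allow($role, $resource);
        }
    }
    $active = [];
    foreach ($assignments as $row) {
        // Expiry is evaluated per request, so access ends even before the cron job runs.
        $expired = $row['expires_at'] !== null && new DateTimeImmutable($row['expires_at']) <= $now;
        if ($row['user_id'] === $userId && ! $expired && $acl->hasRole($row['role'])) {
            $active[] = $row['role'];
        }
    }
    $virtualRole = 'user-' . $userId;     // hypothetical naming scheme
    $acl->addRole($virtualRole, $active); // one role, several non-hierarchical parents
    return [$acl, $virtualRole];
}

[$acl, $role] = buildUserAcl(42, $assignments, $rules, new DateTimeImmutable('2025-06-01'));
foreach (['nav.articles', 'nav.reviews', 'nav.audit-log'] as $resource) {
    printf("%-14s %s\n", $resource, $acl->isAllowed($role, $resource) ? 'visible' : 'hidden');
}
```

The menu helper can then take the pair through `setAcl($acl)->setRole($role)`, with each navigation page's resource set to the matching name. The same `isAllowed()` check belongs in the controller or a route guard, since a hidden link does not block a direct request.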

Hi @froschdesign,
I’m not able to understand how you can solve time-based role management with the help of PHP/Laminas view helpers. Because once you’ve got a response from the server you’ve no control over it. Maybe I’m thinking in a very extreme scenario which is not valid here.

I’ll go through your answers thoroughly and will try to see the problem as ebuddy mentioned. Your solutions are indeed worth praising. It is the view alignment problem. Maybe I’m not aligned with your views and with the problem ebuddy mentioned. But thanks for letting me know.

I’ll also try to develop a case based on this scenario, it will be good for learning. Maybe someday I’ll get a problem like this one. Thanks for your feedback. Appreciated it as always. Thanks!

Right, something like Swoole is not an issue here.