The right MVC event to tie into for authorization

Greg_Bell · June 12, 2018, 8:25am

For authorization, I originally followed the example from Oleg’s book.

He ties his authorization (page protection) method into EVENT_DISPATCH.

The problem I ran into with this is that the controller gets built, which requires forms to be built, which requires custom elements and validators to be built. This seems like a waste and possibly a security risk.

In slack, mwop pointed out that Apigility does authorization late in EVENT_ROUTE. Sure enough, the docs say:

Authorization happens post-route, but before dispatch of the requested service. This is what allows zf-mvc-auth to be able to determine if a particular identity has access to the requested resource without having to start the initialization dispatch of any particular controller in the application.

That makes a lot of sense and matches what I saw.

Problem is, I want to redirect to a particular route upon failure. As per Oleg’s example, I do this:

return $controller->redirect()->toRoute('login');

But, during EVENT_DISPATCH, the controllers aren’t up and running so this doesn’t work.

So, upon authorization failure, am I supposed to craft my own Response, or alter the $event somehow?

Greg_Bell · June 12, 2018, 9:57am

And… being my own best friend, here’s what I came up with that seems to be kosher:

    // authorization is required for this request so redirect to login page
    $headers = new Headers();
    $headers->addHeaderLine('Location', '/login');
    $response = new Response();
    $response->setStatusCode(302);
    $response->setHeaders($headers);
    $event->stopPropagation();
    $event->setResponse($response);
    return $response;

Brutal critiques welcome.

davidmintz · June 21, 2018, 6:57pm

What I am doing is in my Module.php onBootstrap() I attach a listener to EVENT_ROUTE, which listener does a two-step thing: check authentication followed by authorization and if either check fails, guess what:

    $response = $event->getResponse();
    $baseUrl = $event->getRequest()->getBaseurl();
    $response->getHeaders()
        ->addHeaderLine('Location', $baseUrl.'/login');
    $response->setStatusCode(303);
    $response->sendHeaders();
    return $response;

which looks quite similar to your own approach, doesn’t it. Which makes me feel warm and fuzzy and validated because you guys are a lot more advanced with this stuff than I am. So, sorry, no brutal critique here.

Actually I was unaware of $event->setResponse($response); I might have to steal that.

Topic		Replies	Views
How to authenticate for the whole module level application? Components & MVC zend-mvc	10	3660	July 22, 2021
Check access to controller method Components & MVC laminas-eventmanager , laminas-mvc	9	589	November 8, 2021
How to control permission using ACL for each controller Components & MVC	4	429	June 1, 2021
Zf3, apigility and oauth2 together don't works API Tools	8	960	September 7, 2019
How to add authentication adapter to controller? API Tools apigility	0	636	September 6, 2019

The right MVC event to tie into for authorization

Related topics