Description
Built on top of a yet-to-be-created authentication layer, the REST APIs should support authorization: limiting certain methods to authenticated users and their roles.
Basic idea

```php
use web\Response;

#[@require(['admin'])]
class Administration {

  /** Deletes a URL by a given ID */
  #[@delete('/{id}')]
  public function delete(string $id): Response {
    // ...
  }
}
```
The `require` annotation makes the surrounding layer perform checks on the authenticated user. By annotating the containing class, all its methods will be affected.

- `@require(['admin'])` - requires the user to be in the admin role
- `@require(['admin', 'user'])` - requires the user to be in the admin or user role
- `@require(function($user) { ... })` - runs a user-defined function on the user. Allows access if the function returns true.
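As an added illustration of the check the surrounding layer would have to perform (example code, not part of the project and not the proposed implementation), the following `authorize()` function evaluates the three `require` forms listed above against a user record. The function name, the user-array shape with a `roles` key, and the 401/403/200 status mapping are assumptions; the semantics (any-of role match, callable must return `true`, deny by default) follow the issue text.

```php
<?php
// Added example: evaluates a `require` specification against an authenticated
// user. Not the project's own code; `authorize()`, the user array layout and the
// status codes are assumptions made for this illustration.

/**
 * Returns an HTTP status describing the authorization decision for $user:
 *   401 - nobody is authenticated (distinct from "forbidden")
 *   403 - authenticated, but the requirement is not met
 *   200 - access granted
 *
 * $require is either a list of role names (access if the user holds any of
 * them) or a callable receiving the user (access only if it returns true).
 * Anything the check does not explicitly allow is denied.
 */
function authorize(?array $user, array|callable $require): int {
  if (null === $user) {
    return 401;
  }

  // Test for the array form first: a role list like ['admin', 'user'] could
  // otherwise be mistaken for a [class, method] callable by is_callable().
  if (is_array($require)) {
    $roles = $user['roles'] ?? [];
    foreach ($require as $role) {
      if (in_array($role, $roles, true)) {
        return 200;
      }
    }
    return 403;
  }

  // Callable form: only a strict boolean true grants access
  return true === $require($user) ? 200 : 403;
}

// Constructed sample users for the demonstration below
$admin  = ['name' => 'alice', 'roles' => ['admin']];
$member = ['name' => 'bob', 'roles' => ['user']];
$guest  = null;

echo authorize($admin,  ['admin']), "\n";                 // @require(['admin'])
echo authorize($member, ['admin']), "\n";
echo authorize($guest,  ['admin']), "\n";
echo authorize($member, ['admin', 'user']), "\n";         // @require(['admin', 'user'])
echo authorize($member, fn($u) => 'bob' === $u['name']), "\n";  // @require(function($user) { ... })
```

The example keeps a class-level requirement out of scope; applying the same check once per method of an annotated class is what the "containing class" rule above amounts to.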