Congratulations, now our Role Demo is ready, so let's summarize how you would typically use it if you plan to base your own website on it.
First of all, you need to create all needed roles and permissions through the convenient user interface that we created. Assign a role (or several roles) to each website user.
Then edit the module.config.php configuration file in your module and add two keys:

The rbac_manager key contains settings for the RbacManager (particularly the configuration of assertion manager(s)). An example of that key is presented below:

// This key stores configuration for RBAC manager.
'rbac_manager' => [
    'assertions' => [Service\RbacAssertionManager::class],
],

The access_filter key stores the access rules for the pages of your website. It typically looks like below:

'access_filter' => [
    'options' => [
        'mode' => 'restrictive'
    ],
    'controllers' => [
        Controller\IndexController::class => [
            // Allow anyone to visit "index" and "about" actions
            ['actions' => ['index', 'about'], 'allow' => '*'],
            // Allow authorized users to visit "settings" action
            ['actions' => ['settings'], 'allow' => '@']
        ],
    ]
],
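The configuration above uses only the '*' and '@' forms of the allow subkey. The following is an added example, not the Role Demo's own module.config.php, that puts all four allow forms the Role Demo supports into one restrictive-mode access_filter block; the PostController and AdminController classes, their actions, the permission names and the e-mail address are placeholders invented for this example, and the Application namespace is assumed.

```php
<?php
// Added example (not the Role Demo's module.config.php). Namespace assumed.
namespace Application;

return [
    'access_filter' => [
        'options' => [
            // In restrictive mode every action that has no matching rule
            // below is denied, so a forgotten rule fails closed, not open.
            'mode' => 'restrictive',
        ],
        'controllers' => [
            Controller\IndexController::class => [
                // '*' : anyone, including unauthenticated visitors
                ['actions' => ['index', 'about'], 'allow' => '*'],
                // '@' : any authenticated user
                ['actions' => ['settings'], 'allow' => '@'],
            ],
            // Placeholder controller for this example.
            Controller\PostController::class => [
                // '+permission' : only users whose role grants that RBAC
                // permission (permission names are placeholders)
                ['actions' => ['view'], 'allow' => '+post.view'],
                ['actions' => ['add', 'edit', 'publish'], 'allow' => '+post.manage'],
            ],
            // Placeholder controller for this example.
            Controller\AdminController::class => [
                // '@identity' : exactly one authenticated user, matched by the
                // e-mail address used as identity (address is a placeholder)
                ['actions' => ['audit'], 'allow' => '@admin@example.com'],
            ],
        ],
    ],
];
```

Because the mode is restrictive, a new action added to PostController later is unreachable until a rule for it is written; that is the safer default when the rule set is incomplete, since the failure is a denied page rather than an exposed one.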
The * and @ in the allow subkeys are not the only options. You can make the allow subkeys look as follows. We allow access to the page to:

- anyone, if we specify the asterisk (*);
- any authenticated user, if we specify the at sign (@);
- the authenticated user with the given identity (email address), if we specify @identity;
- any authenticated user that has the given permission, if we specify the plus sign followed by the permission name (+permission).

If your website has some dynamic assertions, extend the assert() method of the existing RbacAssertionManager class (or write and register your own assertion manager):
public function assert(Rbac $rbac, $permission, $params)
{
    // Look up the currently logged-in user by the e-mail stored as identity.
    $currentUser = $this->entityManager->getRepository(User::class)
        ->findOneByEmail($this->authService->getIdentity());

    // Fail closed when there is no authenticated user to compare against,
    // instead of calling getId() on null.
    if ($currentUser === null) {
        return false;
    }

    // A user may edit or publish only the posts he or she owns.
    if ($permission=='post.own.edit' && $params['post']->getUser()->getId()==$currentUser->getId())
        return true;

    if ($permission=='post.own.publish' && $params['post']->getUser()->getId()==$currentUser->getId())
        return true;

    // Any other permission is not dynamic: deny here and rely on the roles.
    return false;
}
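The text above offers the alternative of writing and registering your own assertion manager instead of extending the existing one. The following is an added example, not code from the Role Demo, of a second assertion manager that decides a hypothetical comment.own.delete permission for a hypothetical Comment entity with a getAuthor() method. It assumes that the RbacManager fetches each class listed under 'rbac_manager' => 'assertions' from the service manager (hence the factory registration shown in the trailing comment), that the User entity lives in Application\Entity, and that the Laminas packages are used; under Zend Framework the same classes live under the Zend namespace. The factory class named in the comment is also assumed.

```php
<?php
// Added example (not the Role Demo's own code). Namespaces, entity locations
// and the factory class are assumptions made for this example.
namespace Application\Service;

use Doctrine\ORM\EntityManager;
use Laminas\Authentication\AuthenticationService;
use Laminas\Permissions\Rbac\Rbac;
use Application\Entity\User;    // assumed location of the User entity
use Application\Entity\Comment; // hypothetical entity with getAuthor()

class CommentAssertionManager
{
    private $entityManager;
    private $authService;

    public function __construct(EntityManager $entityManager, AuthenticationService $authService)
    {
        $this->entityManager = $entityManager;
        $this->authService = $authService;
    }

    // Returns true only when the dynamic condition holds. Every other
    // permission and every malformed call returns false, so this manager can
    // never widen access beyond what the static role assignment already grants.
    public function assert(Rbac $rbac, $permission, $params)
    {
        // Not our permission, or the caller forgot the 'comment' parameter: deny.
        if ($permission !== 'comment.own.delete' || !isset($params['comment'])) {
            return false;
        }

        // Anonymous request: deny without touching the database.
        $identity = $this->authService->getIdentity();
        if ($identity === null) {
            return false;
        }

        $currentUser = $this->entityManager->getRepository(User::class)
            ->findOneByEmail($identity);
        if ($currentUser === null) {
            return false;
        }

        // Only the author of the comment may delete it.
        $comment = $params['comment'];
        return $comment instanceof Comment
            && $comment->getAuthor()->getId() === $currentUser->getId();
    }
}

// Registration in module.config.php (assumed factory that injects the
// EntityManager and AuthenticationService from the container):
//
// 'rbac_manager' => [
//     'assertions' => [
//         Service\RbacAssertionManager::class,
//         Service\CommentAssertionManager::class,
//     ],
// ],
// 'service_manager' => [
//     'factories' => [
//         Service\CommentAssertionManager::class
//             => Service\Factory\CommentAssertionManagerFactory::class,
//     ],
// ],
```

The 'comment' parameter reaches assert() the same way 'post' does in the Role Demo: the controller loads the entity and passes it in the second argument, for example $this->access('comment.own.delete', ['comment' => $comment]). Keeping the early return false for unknown permissions matters once several assertion managers are registered, because each one is asked about every dynamic permission and must not answer true for conditions it does not understand.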
If you want to check permissions in a controller action, you can use the Access controller plugin as follows:

if (!$this->access('profile.own.view', ['user'=>$user])) {
    return $this->redirect()->toRoute('not-authorized');
}

If you want to check permissions in a view template, you can use the Access view helper:

if ($this->access('profile.own.view', ['user'=>$user])) {
    // do something...
}
That's all! That simple! Enjoy!