4.2 Adding Authorization to the State Class
Go back to 4.1 Creating Action Authorization Provider
Although the operations we expose in our State object are public, let's add the authorization query nonetheless.
View lib/State.php
In lines 51-55 we make sure the user can query the state list:
<?php
$auth_query = new ActionAuthorizationQuery();
$auth_query->action = "query";
$auth_query->type = "state";
$this->security->authorize("action", $auth_query);

Performing the query requires these simple steps:
- Create a new authorization query (line 52)
- Populate the query properties (lines 53-54)
- Call the appropriate authorization provider (line 55)
Notice that the authorization provider (unlike the authentication provider) has a name associated with it. The name can come from the providerAlias public property in the provider itself, can be added or overridden when the provider is added to the security context, or can simply be the name of the class itself (without namespace).
The getState() method has very similar code, but with a few differences. The first is the action (line 79). The second is that we first read the record from the database (line 75) and pass the model to the query (line 81). This may seem a bit backward at first, but by reading the record first and querying second, our provider is able to use information in the record to make its decision. For State records this won't matter, but the User object will use the record information.
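The read-first, authorize-second order described above, as an added example that is not the project's own code. `DemoProvider`, `DemoSecurity`, `getUser()`, the `model` property name, the "get" action name, the owner-or-admin rule and the exception thrown on denial are all assumptions for illustration, and the data is constructed.

```php
<?php
class ActionAuthorizationQuery {            // stand-in for the framework class
    public $action, $type;
    public $model;   // assumed property name for the record handed to the provider
}
class DemoProvider {                        // hypothetical provider
    public $providerAlias = "action";       // name the provider is registered under
    public function allows(ActionAuthorizationQuery $q, array $me): bool {
        if ($q->type === "state") {         // public data: the record is not consulted
            return in_array($q->action, ["query", "get"], true);  // "get" is assumed
        }
        if ($q->type === "user" && $q->action === "get") {
            // The decision depends on the record itself: owner or admin only.
            return is_array($q->model) && ($me["is_admin"] || $q->model["id"] === $me["id"]);
        }
        return false;                       // default deny for anything not listed
    }
}

class DemoSecurity {                        // hypothetical security context
    private $providers = [];
    private $me;
    public function __construct(array $me) { $this->me = $me; }
    public function addProvider(DemoProvider $p): void { $this->providers[$p->providerAlias] = $p; }
    public function authorize(string $name, ActionAuthorizationQuery $q): void {
        $p = $this->providers[$name] ?? null;
        if ($p === null || !$p->allows($q, $this->me)) {   // unknown provider name also denies
            throw new RuntimeException("Denied: {$q->action} {$q->type}");
        }
    }
}

function getUser(DemoSecurity $security, array $db, int $id): array {
    $q = new ActionAuthorizationQuery();
    $q->action = "get";
    $q->type = "user";
    $q->model = $db[$id] ?? null;           // read the record first ...
    $security->authorize("action", $q);     // ... then authorize with it (throws on deny)
    return $q->model;                       // only reached when the provider allowed it
}
// Constructed sample data standing in for the database and the signed-in user.
$db = [1 => ["id" => 1, "name" => "alice"], 2 => ["id" => 2, "name" => "bob"]];
$security = new DemoSecurity(["id" => 1, "is_admin" => false]);
$security->addProvider(new DemoProvider());
foreach ([1, 2, 3] as $id) {
    try { $out = getUser($security, $db, $id)["name"]; }
    catch (RuntimeException $e) { $out = $e->getMessage(); }
    echo "user $id: $out\n";
}
```

Because the record is loaded before the check, the function must not return or log any of its fields until `authorize()` has passed; a missing record is denied the same way as someone else's record, so the response does not reveal which ids exist.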
Continue to 4.3 Creating Authorization Providers for the Models