Security filter granularity about restfullyii HOT 3 CLOSED

Of course you can fairly easily do this by just grabbing the events associated with your route(s) and doing whatever authorization check you would like to do. You can also use the post.filter.req.auth.user & post.filter.req.auth.ajax.user and again checking the route and applying your custom logic.

That said I could imagine a system where by an auth event is thrown for a given route when that route is requested. Something like:

$this->emitRest('filter.req.route', ['route'=>$route]);

Again you could simply do this yourself by emitting this event in your post.filter(s) and then catching it and applying your custom logic.

Do you have a better solution in mind or can you provide some pseudo code, so I can see how you image it working because I think you might be on to something.

from restfullyii.

I was thinking something along the lines of your event example or through configuration

For example, using CAccessControlFilter as an example:

array(
'allow',
'verb' => array('GET')
'route' => array('/user/', '/user/< id >', '/user/custom'),
//not sure how to differentiate between /user/ and /user/< id>, maybe we can use the actionTypes you have defined, //i.e. resources vs resource and only allow strings for 'custom' routes.

then any combination of the following...

'user' => ...
'ip' => ...
'expression' => ...
'roles' => ...

Then I'm trying to figure out a way to incorporate HMAC verification into the auth control. Right now I do a check for REST.GET in req.auth.user, If it is a REST.GET then calculate HMAC, if not, I need to wait until req.data.read then perform it including the POST body.

from restfullyii.

Checkout the docs there is now an new event "req.auth.uri" and it gets two params $uri & $verb. You can hook this event and apply whatever route based auth you would like. Return "true" to allow and false to deny.

from restfullyii.