Based on top of a yet-to-be-created authentication layer, the REST APIs should support authorization: limiting certain methods to authenticated users and their roles
Basic idea
use web\Response;
#[@require(['admin'])]
class Administration {
/** Deletes a URL by a given ID */
#[@delete('/{id}')]
public function delete(string $id): Response {
// ...
}
}The require annotation makes the surrounding layer perform checks on the authenticated user. By annotating the containing class all its methods will be affected.
@require(['admin']) - requires the user to be in the admin role@require(['admin', 'user']) - requires the user to be in the admin or user role@require(function($user) { ... }) - runs a user-defined function on the user. Allows access if function returns true.
Based on top of a yet-to-be-created authentication layer, the REST APIs should support authorization: limiting certain methods to authenticated users and their roles
Basic idea
The
requireannotation makes the surrounding layer perform checks on the authenticated user. By annotating the containing class all its methods will be affected.@require(['admin'])- requires the user to be in the admin role@require(['admin', 'user'])- requires the user to be in the admin or user role@require(function($user) { ... })- runs a user-defined function on the user. Allows access if function returns true.