Checking Authorization

Once you have applied the Authorization Middleware to your application and added an identity to the request, you can start checking authorization. The middleware will wrap the identity in each request with an IdentityDecorator that adds authorization related methods.

You can pass the identity into your models, services or templates allowing you to check authorization anywhere in your application easily. See the Identity Decorator section for how to customize or replace the default decorator.

Checking Authorization for a Single Resource

The can method enables you to check authorization on a single resource. Typically this is an ORM entity, or application domain object. Your Policies provide logic to make the authorization decision:

// Get the identity from the request
$user = $this->request->getAttribute('identity');

// Check authorization on $article
if ($user->can('delete', $article)) {
    // Do delete operation

If your policies return Policy Result Objects be sure to check their status as canResult() returns the result instance:

// Assuming our policy returns a result.
$result = $user->canResult('delete', $article);
if ($result->getStatus()) {
    // Do deletion

Applying Scope Conditions

When you need to apply authorization checks to a collection of objects like a paginated query you will often want to only fetch records that the current user has access to. This plugin implements this concept as ‘scopes’. Scope policies allow you to ‘scope’ a query or result set and return the updated list or query object:

// Get the identity from the request
$user = $this->request->getAttribute('identity');

// Apply permission conditions to a query so only
// the records the current user has access to are returned.
$query = $user->applyScope('index', $query);

The AuthorizationComponent can be used in controller actions to streamline authorization checks that raise exceptions on failure.