I am currently trying to create my own authorization system with Symfony (version 2.3). And I am not sure if I am overcomplicating things, I am pretty new to Symfony and SOA. I am creating my own authorization system because I have the need to restrict rights according to current user, its role and a current customer (current user can change customer) and its products.
What I currently have and I think may be too complicated is the following:
Foreach entity I have a repository for read operations only:
MyBundle/Entities/
Customer.php/CustomerRepository.php
Product.php/ProductRepository.php
...
To abstract the usage of the repositories and also the handling the create/update/delete. I have a Manager class per entity which are using the repositories (proxying to the repositores and usage of combination of different repos).
MyBundle/Manager/
CustomerManager.php
ProductManager.php
...
Then I have my classes which are are getting the authorization according to current user, its role and a current selected customer and its products. They are using the Managers for loading all the acl data.
MyBundle/Authorization/
AuthCustomers.php //Allowed customers to which user is assigned
AuthRights.php //Rights according to user and customer
The services look like this:
auth.manager.product:
class: MyBundle\Manager\ProductManager
arguments: ["@doctrine.odm.mongodb.document_manager"]
auth.manager.customer:
class: MyBundle\Manager\CustomerManager
arguments: ["@doctrine.odm.mongodb.document_manager"]
auth.authorization.authorization_rights_factory:
class: MyBundle\Authorization\AuthorizationRightsFactory
arguments: ["@auth.manager.role", "@auth.manager.customer"]
auth.authorization.authorization_customers_factory:
class: MyBundle\Authorization\AuthorizationCustomersFactory
arguments: ["@auth.manager.group", "@auth.manager.customer"]
Until this point I actually think it is ok. But what I would need now and what concerns me is, when doing some action on any of these entities I would actually need to do a check with my AuthorizationXXX
services if I am allowed to do it. So the Authorization
class is dependant on the Manager
and the other way round.
To abstract this (to prevent infinite reference and I can reuse this in a controller and command script) I would now create another service where I inject the Authorization
and Manager
services and do these checks. So I would actually have another manager for my services.
In the end I would then have 7 entities, with 7 repositories and 7 Managers + a few authorization classes + 7 services to combine the managers and the authorization classes.
The question now is, is this the right way? I really feel like I am overcomplicating things. Any simpler suggestions are welcome :)