In the api docs (http://fuelphp.com/docs/general/controllers/rest.html#/config), it says that you can "also define a name of controller method which must be called to check authorization" in the "auth" setting. For the life of me, I can't figure out how to do that. Does anyone know the syntax to do this? This is probably a simple answer for a lot of people, but I can't figure it out.
I have tried: /Controller_Api::login Controller_Api::login /Api/login /Controller_Api/login among others.
And once you've upgraded, note that the docs talk about the "method", so none of your trails are correct, since they include class names, and some seem to be a URI.
Setting the 'auth' property to 'something' will make your controller call $this->something(). So it is a method in your CURRENT rest controller. If you want to have a generic method for all your rest controllers, use a base controller and define the method in there...
I'm a newbie with php and fuel, some weeks of coding now. I have some history with Java serverside frameworks. I've tried to find examples on how the general authorization requirements could be implemented in various levels. The article denoted above is the only one I've found.
What I'm after in different aspects of the authorization, is a way to really restrict the use of db tables, operations and columns at least by accident (web is full of more or less stupid examples how you first get a ORM object, and then you can compare something of it against Auth library. What if you don't?) Are there best practices code and documentation available in order to obtain real resource based authorization? What I'd like to see, is for example a factory desing pattern with protected constructors, and maybe reflection api and class loader filtering the things out of model and service layer that the user is not granted to. Here's a link to the article on the typical requirements: http://www.summa-tech.com/blog/2010/10/01/beyond-role-based-access-control
You'll have to make one from scratch, I have never come across a system (in PHP) this detailed.
I think a lot of people steer clear if this, since it is disastrous for performance (PHP is an interpreted language, filtering all data on a per-field basis is very intensive), and virtually all apps don't need this level of detailed field filtering.
If you want to go this route, best thing to do is to create a base model class which extends \Orm\Model, and overload the setter and getter methods so you can implement your filter. It is probably the least invasive. You have to come up with something clever to construct and cache the users effective rights, as you don't want to compile that every page request.
Theoretically you could use Auth for it. Auth contains an extended RBAC based authorisation system, in which you can assign an arbitrary permission (in Simpleauth 2 layers, in Ormauth 3 layers) to a user, a group or a role. In Ormauth groups and roles can be nested.
If using Ormauth, you could create a permission area called "filters", and use permission and actions to define the model name and the column names. So a user having the permission "filters.articles[id,name,price]" could see/access the columns "id", "name" and "price" of the Model_Articles, but no others. This can be easily implemented since you have both the model name and the requested column name when you overload the getter/setter.
I can see you have some history with Java. People with that kind of background are used to compiled code, persistent server state, huge and powerful machines to run it on, and a fortune to spend on them.
In the PHP world building applications "Java style" is hardly accepted, you'll find that only the (large) companies used to Java have no problem with it. This is also where you find frameworks like Zend and Symfony. Both complex, time-consuming to learn and use, memory hungry and slow.
Thank you for your comprehensive and mature answer. I'm definitely taking a good look on the Symphony, Laravel and so. I agree with you the style and architecture can really resolve whether to get or spend a fortune.
I could write a horror book about working with proprietary systems and custom projects not having or using these things. Heavy training, stressed programmers, suspicious and lost customers, blaming partners, overnight quick hacks, recurring security leaks, delayed projects, loosed profit, fire alarms and fighting - and all this because of not having a proper architecture. ( Second book will tell about not having specs, docs and process..).
Since things like Auth exists, everyone understands the need, and putting the things to architecturally correct places is saving time and efforts, as well as server resources. Having some things cached in memory is obvious, we still need our brains despite of nice tools. Programming (especially OO) skill is not about knowing a language - just like knowing a human language is not a guarantee of a written content.
I'm an old bastard reaping off all pleasures of the work environment I can get, and in my opinion to have things like authorization on service and data level is like...