F3 Access plugin


v.

Dec 21, 2017, 5:58:03 AM
to Fat-Free Framework
Hello,

I am trying to get the F3 Access plugin to work in order to restrict access to the admin pages to the admin user only.

It is not entirely clear on which parameter the access is restricted. I assume it is the 'SESSION.user' variable, is this correct?

I have followed the instructions on https://github.com/xfra35/f3-access#installation but they are not getting me anywhere. I think there is a crucial piece of information I am not getting.
I have put the code below in the index file, just before the run command.

I also tried to put it in my Controller that extends all other controllers, with the exact same result.

The code I am using:
$access=Access::instance();
$access->policy('allow');
$access->deny('/admin**');
$access->allow('/admin*','admin'); // where 'admin' is the SESSION.user ???
$access->authorize();

When I do not insert the authorize line, nothing happens.
When I do insert it, everybody gets a 404.
When I change it to
$access->authorize('admin');

everybody can access the admin pages.

Clearly I am not getting how this works. Could someone, preferably the author xfra35, be so kind as to help?

ved

Dec 21, 2017, 7:43:30 AM
to Fat-Free Framework
F3-Access doesn't deal with authentication, only authorization. So you can use whatever you wish in order to control access. It is very, very flexible and a great plugin.

In your case, it's not clear what exactly SESSION.user is. Is that just a username? An array with the user's details? If it's an array with the user's details, then you could probably use something like SESSION.user.group

Personally, I generally use some kind of group type roles like "admin", "user", "publisher", etc. and then use that to control access.

Once you have defined which parameter you'll use to control access, it's just a matter of setting the appropriate allow and deny rules and use that to control access.

$access->allow('/admin', 'admin');
// (...more rules)
$access->authorize($f3->get('SESSION.user.group'));

You can also use a username or email in order to get more granular control if you wish (although I wouldn't recommend this most of the time).

$access->allow('/admin', 'admini...@example.com');
// (...more rules)
$access->authorize($f3->get('SESSION.user.email'));

Finally, the plugin is flexible enough that you could also use a combination of both. Grant access on some areas according to the user's group role and on some other areas grant access to a specific username or email.
Just make sure that rules are defined for all cases and that you use the correct parameter when calling authorize().

The plugin's documentation on github is pretty complete and has everything I've said here but I'm sure @xfra35 will probably help you out some more when he sees this if you're still having issues.

Hope it helps. Cheers.

xfra35

Dec 21, 2017, 7:43:47 AM
to Fat-Free Framework
Sure: you need to authorize somebody (aka a "subject", to use the term usually associated with computer access control).

The "subject" requiring authorization could either be a single person or a group of persons. It is up to your architecture.

Given your example, I assume you're dealing with a single user named "admin". It could just as well be a group of users or a role; the plugin wouldn't care, "subjects" are just "strings" for it.

So how would the plugin know which subject to authorize? You need to pass the subject string to the authorize() method. And since, in your example, the subject seems to be stored in SESSION.user, the following should fix your issue:

$access->authorize($f3->get('SESSION.user'));

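Putting the two replies together, the following is an added example of a complete index.php that wires the plugin to a role stored in the session. It is not from the thread and not the plugin's own code. It assumes the Composer autoloader, the methods documented in the plugin README (policy(), allow(), deny(), authorize($subject, $ondeny) and granted($route, $subject)), that a rule with no subject list applies to every subject, and that a route in a rule may be prefixed with HTTP verbs ("GET /path"). The user table, routes and role names ("admin", "editor") are constructed for the example.

```php
<?php
// Added example: not from the thread and not the F3 Access plugin's own code.
// Assumptions: Composer autoloader; Access methods as documented in the README.
require 'vendor/autoload.php';

$f3 = Base::instance();

// Constructed user table for the example: username => [password hash, role].
// Hashes are computed at startup so the file runs as-is; keep real ones in a DB.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'role' => 'editor'],
];

// ---- Authentication: entirely your code; the plugin never reads the session --
// On success the *role* (the "subject" the plugin will see) goes into SESSION.user.
$f3->route('POST /login', function (Base $f3) use ($users) {
    $name = (string) $f3->get('POST.user');
    $pass = (string) $f3->get('POST.pass');
    if (!isset($users[$name]) || !password_verify($pass, $users[$name]['hash'])) {
        $f3->error(401);            // wrong credentials: no subject is stored
    }
    session_regenerate_id(true);    // new session id across the privilege change (no fixation)
    $f3->set('SESSION.user', $users[$name]['role']);
    $f3->reroute('/');
});
$f3->route('GET /logout', function (Base $f3) {
    $f3->clear('SESSION');
    $f3->reroute('/');
});

// ---- Authorization rules (assumed README semantics) ---------------------------
$access = Access::instance();
$access->policy('deny');                        // anything not explicitly allowed is denied
$access->allow('/');                            // no subject list: everybody, anonymous included
$access->allow('/login');
$access->allow('/logout');
$access->allow('/admin*', 'admin');             // whole admin area for the "admin" role
$access->allow('GET /admin/posts*', 'editor');  // editors may read posts (GET) but not POST to them

// ---- Application routes (constructed) -----------------------------------------
$f3->route('GET /', function (Base $f3) {
    $role  = $f3->get('SESSION.user') ?: '';
    $links = ['/'];
    // granted() answers "would this subject pass for that route?" without enforcing
    // anything: good for hiding links, never a replacement for authorize().
    if (Access::instance()->granted('GET /admin', $role)) {
        $links[] = '/admin';
    }
    if (Access::instance()->granted('GET /admin/posts', $role)) {
        $links[] = '/admin/posts';
    }
    echo 'Logged in as: ' . ($role ?: 'anonymous') . ' | ' . implode(' ', $links);
});
$f3->route('GET /admin',            function () { echo 'admin dashboard'; });
$f3->route('GET|POST /admin/posts', function (Base $f3) { echo $f3->get('VERB') . ' posts'; });

// ---- Enforce, before run(): the plugin compares this request's VERB + PATH
// with the rules for the subject string you hand it. An empty subject (not
// logged in) matches no role rule, so only the public routes survive the deny policy.
$subject = $f3->get('SESSION.user') ?: '';
$access->authorize($subject, function ($route, $subject) use ($f3) {
    // 401 for an anonymous visitor (please log in), 403 for a user lacking the role
    $f3->error($subject === '' ? 401 : 403);
});

$f3->run();
```

With these rules, bob (role "editor") can GET /admin/posts but gets a 403 on POST /admin/posts and on GET /admin, alice (role "admin") reaches everything under /admin, and an anonymous visitor gets a 401 on any admin path. The original post's call without an argument, $access->authorize(), hands the plugin an empty subject, which is why no rule naming "admin" could ever match.
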
v.

Dec 21, 2017, 10:07:55 AM
to Fat-Free Framework
Thanks to both of you.
I understand better now and the small modification by the author of this excellent plugin made all the difference.
Thank you very much for the help.