Extend configuration to allow defining parents for resources

[eremem]

Feature Request

Q	A
New Feature	yes
RFC	no
BC Break	no

Summary

While porting an application based on Zend Framework 1 to Mezzio, I noticed that there seems to be no way to define a parent resource ID for the elements of ['mezzio-authorization-acl']['resources'].

It looks like a 'technical debt' in \Mezzio\Authorization\Acl\LaminasAclFactory::injectResources(), since \Laminas\Permissions\Acl\Acl::addResource($resource, $parent = null) allows passing a parent as its 2nd argument.

Comparing to the RBAC, it was IMHO a vital feature and an argument for using the ACL implementation in the first place. On the other hand, it makes the meaning of the 'deny' node in the configuration somewhat questionable - why denying access to any resource if you can just omit it in the 'allow' section?
Since there is effectively no way of configuring the grouping (or inheritance) of resources, we just get a plain list of allowed ones, which actually makes the whole ACL implementation logically similar (if not equal) to the RBAC... but with an overcomplicated configuration.

[weierophinney]

I'm really unsure what you're asking.

Please expand your description to include some code or pseudo-code demonstrating:

• syntax you want to use
• what the results of that syntax will be

This will allow somebody to start working on a possible solution.

Thanks!

[eremem]

Sorry about the confusion.

Please consider the following resource hierarchy:

• parent: user_administration
• children: user & group

Configuration:

'mezzio-authorization-acl' => [
       'roles' => [
              'admin' => [],
       ],
       'resources' => [
              'user_administration',
              ['user', 'user_administration'], // <- inheritance not supported at the moment
              ['group', 'user_administration'], // <- inheritance not supported at the moment
       ],
       'allow' =>[
              'admin' => [
                     'user_administration',
              ],
       ],
]

The problem seems to be the current implementation of
\Mezzio\Authorization\Acl\LaminasAclFactory::injectResources(Acl $acl, array $resources):

foreach ($resources as $resource) {
       try {
              $acl->addResource($resource);
       } catch (AclExceptionInterface $e) {
              throw new Exception\InvalidConfigException($e->getMessage(), $e->getCode(), $e);
       }
}

The following could be a possible solution:

foreach ($resources as $resource) {
       try {
              $parent = null;
              if(is_array($resource)) {
                     if(count($resource) === 2) {
                            list($resource, $parent) = $resource;
                     }
                     else {
                            throw new Exception\InvalidConfigException('Invalid resource definition.');
                     }
              }
              $acl->addResource($resource, $parent);
       } catch (AclExceptionInterface $e) {
              throw new Exception\InvalidConfigException($e->getMessage(), $e->getCode(), $e);
       }
 }

[eremem]

Are my description and the proposed code samples clear enough?
What are the chances for integration of this "lost" feature in the near future?