Reputation: 484
I want to create a RESTful API using the Zend Framework 2. Even though I'm pretty inexperienced with ZF2 I've chosen this framework because of its loose coupling and the fact that the code is audited on a regular basis. I found the tool Apigility provided by Zend and it seems pretty straightforward to implement things. But there's one thing which is not covered directly and I'm not even sure if Apigility makes sense for me:
I need a user role concept where some users are only able to view and modify resources they created themselves while other users are able to view and modify all resources. There are also endpoints (controllers) which shall only be available to certain users.
Permission management for certain endpoints could be realized with the ACL module but I don't know how to achieve the filtering of the resources.
Upvotes: 0
Views: 542
Reputation: 601
You're going to need to take a couple of strategies to get all of this done.
Your endpoint access control can be handled by extending the default authorization listener (or adding additional listeners) provided by zf-mvc-auth. That should allow you to control if an endpoint can be seen at all.
As far as access control on your resources (filtering), you're probably going to need to inject an Authorization container of some nature into your resource services to handle your authorization logic there. Take a peek at the zfc-rbac cookbook for what that might look like (https://github.com/ZF-Commons/zfc-rbac/blob/master/docs/07.%20Cookbook.md#a-real-world-application-part-4---checking-permissions-in-the-view)
Upvotes: 1
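To make the two strategies in the answer above concrete, here is an added example (not code from the question, the answer, Apigility, zf-mvc-auth or zfc-rbac). It shows an endpoint gate that maps a resource name to a required permission, and a resource service that has an authorization service injected and filters by ownership unless the caller holds a "view all" permission. The `AuthorizationServiceInterface` below is a minimal stand-in for zfc-rbac's interface so the file runs without the framework; the permission names, role names, the `Controller::collection`-style resource names and the article data are all constructed for the demo. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Stand-in for zfc-rbac's authorization service (assumption: the real one
// exposes isGranted(); identity lookup is simplified to a string id here).
interface AuthorizationServiceInterface
{
    public function isGranted(string $permission): bool;
    public function getIdentityId(): ?string;
}

// Simple role => permission policy for the demo; real code would use zfc-rbac.
final class RoleAuthorizationService implements AuthorizationServiceInterface
{
    private const POLICY = [ // permission => roles holding it (constructed)
        'article.view'     => ['author', 'editor'],
        'article.view_all' => ['editor'],
        'article.edit_all' => ['editor'],
        'admin.stats'      => ['editor'],
    ];

    public function __construct(private ?string $identityId, private string $role) {}

    public function isGranted(string $permission): bool
    {
        return in_array($this->role, self::POLICY[$permission] ?? [], true);
    }

    public function getIdentityId(): ?string { return $this->identityId; }
}

// Strategy 2: the resource service gets the authorization container injected
// and applies the ownership filter itself. Deny by default.
final class ArticleResource
{
    /** @param array<int, array{owner: string, title: string}> $articles */
    public function __construct(private AuthorizationServiceInterface $auth, private array $articles) {}

    public function fetchAll(): array
    {
        if (!$this->auth->isGranted('article.view')) {
            return [];
        }
        if ($this->auth->isGranted('article.view_all')) {
            return $this->articles;
        }
        $me = $this->auth->getIdentityId();
        return array_filter($this->articles, fn(array $a) => $a['owner'] === $me);
    }

    // Returns null both for "missing" and "not yours" so the API does not leak
    // which ids exist to users who may not see them.
    public function fetch(int $id): ?array
    {
        $article = $this->articles[$id] ?? null;
        if ($article === null || !$this->auth->isGranted('article.view')) {
            return null;
        }
        $visible = $this->auth->isGranted('article.view_all')
            || $article['owner'] === $this->auth->getIdentityId();
        return $visible ? $article : null;
    }

    public function update(int $id, array $data): ?array
    {
        $article = $this->fetch($id); // visibility check first
        if ($article === null) {
            return null;
        }
        $mayEdit = $this->auth->isGranted('article.edit_all')
            || $article['owner'] === $this->auth->getIdentityId();
        if (!$mayEdit) {
            return null;
        }
        $this->articles[$id] = ['owner' => $article['owner'], 'title' => $data['title'] ?? $article['title']];
        return $this->articles[$id];
    }
}

// Strategy 1: endpoint gate, the kind of decision an authorization listener
// would make. Resource naming follows the "Controller::action" convention
// (assumption); unknown resources are denied.
function isEndpointAuthorized(AuthorizationServiceInterface $auth, string $resource): bool
{
    $required = [
        'Api\V1\Rest\Article\Controller::collection' => 'article.view',
        'Api\V1\Rest\Article\Controller::entity'     => 'article.view',
        'Api\V1\Rpc\Stats\Controller::stats'         => 'admin.stats',
    ];
    return isset($required[$resource]) && $auth->isGranted($required[$resource]);
}

// Demo on constructed data.
$articles = [
    1 => ['owner' => 'alice', 'title' => 'Alice first'],
    2 => ['owner' => 'bob',   'title' => 'Bob draft'],
    3 => ['owner' => 'alice', 'title' => 'Alice second'],
];
$alice  = new RoleAuthorizationService('alice', 'author');
$editor = new RoleAuthorizationService('erin', 'editor');
$guest  = new RoleAuthorizationService(null, 'guest');

$expect = static function (bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("failed: $what"); }
};
$expect(array_keys((new ArticleResource($alice, $articles))->fetchAll()) === [1, 3], 'author sees only own');
$expect(count((new ArticleResource($editor, $articles))->fetchAll()) === 3, 'editor sees all');
$expect((new ArticleResource($guest, $articles))->fetchAll() === [], 'guest sees nothing');
$expect((new ArticleResource($alice, $articles))->fetch(2) === null, 'foreign article hidden');
$expect((new ArticleResource($alice, $articles))->update(2, ['title' => 'x']) === null, 'foreign article not editable');
$expect((new ArticleResource($editor, $articles))->update(2, ['title' => 'x'])['title'] === 'x', 'editor edits any');
$expect(!isEndpointAuthorized($alice, 'Api\V1\Rpc\Stats\Controller::stats'), 'author blocked from stats');
$expect(isEndpointAuthorized($editor, 'Api\V1\Rpc\Stats\Controller::stats'), 'editor allowed on stats');
echo "all checks passed\n";
```

The point worth keeping from this layout is that the endpoint gate only decides whether a controller is reachable at all; the per-record decision lives next to the data access in the resource service, and `fetch()` answers "not found" for records the caller may not see so that `update()` and `delete()` cannot be used to probe for ids.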