Zend Framework 2 - BjyAuthorize always denies access
I have set up the bjyoungblood/bjy-authorize module, but I am currently getting a 403 "access denied" error for each URL except for the one configured in the home route.

My module.bjyauthorize.global.php looks like the following:

'bjyauthorize' => array(
    'guards' => array(
        'BjyAuthorize\Guard\Controller' => array(
            array('controller' => 'index', 'action' => 'index', 'roles' => array('guest','user')),
            array('controller' => 'index', 'action' => 'stuff', 'roles' => array('user')),
            array('controller' => 'zfcuser', 'roles' => array()),
            //backend
            array('controller' => 'Application\Controller\Index', 'roles' => array('admin')),
            array('controller' => 'MyModule\MyEntity\MyEntity', 'roles' => array('admin')),

        ),

        'BjyAuthorize\Guard\Route' => array(
            array('route' => 'zfcuser', 'roles' => array('user')),
            array('route' => 'zfcuser/logout', 'roles' => array('user')),
            array('route' => 'zfcuser/login', 'roles' => array('guest')),
            array('route' => 'zfcuser/register', 'roles' => array('guest')),                
            array('route' => 'home', 'roles' => array('admin')),
            array('route' => 'my-entity', 'roles' => array('admin')),
        ),
    ),
),

I tried deleting the BjyAuthorize\Guard\Route part, but with no effect. When I remove the home route then the homepage is also blocked. So both Controller- and Route-Guard seem to work. How can I debug this behavior?

Fabe answered 11/3, 2013 at 16:28 Comment(3)
Is the default role guest set? (Heteropterous)
Yes, in the config and in the database (manually). (Fabe)
Hmm, the error in such can be pretty deep. This is a working config on my end, but I'm not guarding routes or controllers: github.com/manuakasam/DuitMarketplace/blob/master/config/… The controllers index and Application\Controller\Index are definitely different ones? (Heteropterous)
NOTE: the following is valid for BjyAuthorize 1.2.*

First of all, consider that protecting both the routes and the controllers is unnecessary. I personally always protect the controllers only, since there may be multiple routes to the same controller.

Once you have removed either the route or the controller guard's config, you can:

  • Install Zend Developer Tools, which gives you an overview of the currently set Acl role in its toolbar.

  • Check if you have configured the correct identity provider: the default one uses ZfcUser's user id and looks up his role in the user_role table.

  • Check that the guest role has access to the public pages, such as the zfcuser controller (for login actions) or the zfcuser/login route.

As Akrabat pointed out, the configurations for BjyAuthorize\Guard\Controller and BjyAuthorize\Guard\Route are whitelists, which basically means that you have to set up access for the default guest role if you want to browse pages while unauthenticated.

As soon as a guard is configured, it blocks access to any resource that is not configured, so be sure that you have granted the role guest (or whatever you configured in $config['bjyauthorize']['default_role']) access to at least the login controller or route.

Leolaleoline answered 12/3, 2013 at 9:30 Comment(4)
Thanks, you two! I made a mistake with the path to the controllers... so dumb! AFAIK until now it all seems to work! (Fabe)
@Fabe even though your mistake is a typo, I've edited the question so that it is not too localized (otherwise it will be closed). I hope this is useful to others too :) (Leolaleoline)
@Leolaleoline is there a way to make my api module bypass the authorization provided by bjyauthorize, since my api module has its own authorization process? (Scorcher)
Be careful of other modules overwriting the config. In my case there was zfcadmin setting the bjyauthorize config and this caused issues with ROUTE guard vs CONTROLLER guard, i.e. check all your config files for BJY integration and automatic configs. (Meathead)
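As an added illustration (not BjyAuthorize's own code) of the whitelist behaviour this answer describes, here is a small PHP stand-in for the Controller guard that shows why every unlisted controller, and every controller listed under the wrong name, comes back as a 403. It assumes the caller passes the full set of roles the identity holds (including inherited ones) and that an empty 'roles' list means "any role", as Zend\Permissions\Acl interprets it; the rules and checks below are constructed from the question's config.

```php
<?php
// Added example, not BjyAuthorize's code: a simplified stand-in for the Controller
// guard's whitelist. Assumptions: $roles already holds every role of the identity
// (parents included), and an empty 'roles' list means any role (Zend ACL semantics).

function controllerGuardAllows(array $rules, string $controller, string $action, array $roles): bool
{
    foreach ($rules as $rule) {
        $controllers = (array) $rule['controller'];
        // A rule without 'action' covers every action of that controller.
        $actions = isset($rule['action']) ? (array) $rule['action'] : null;
        if (!in_array($controller, $controllers, true)) {
            continue;
        }
        if ($actions !== null && !in_array($action, $actions, true)) {
            continue;
        }
        if ($rule['roles'] === [] || array_intersect($rule['roles'], $roles) !== []) {
            return true;
        }
    }
    return false; // whitelist: nothing matched, so the guard answers 403
}

// Constructed rules: the question's guard config without the backend entries.
$rules = [
    ['controller' => 'index',   'action' => 'index', 'roles' => ['guest', 'user']],
    ['controller' => 'index',   'action' => 'stuff', 'roles' => ['user']],
    ['controller' => 'zfcuser', 'roles' => []],
    ['controller' => 'Application\Controller\Index', 'roles' => ['admin']],
];

// [controller name as dispatched, action, roles held, expected verdict]
$checks = [
    ['index',   'index', ['guest'], true],   // public landing page
    ['index',   'stuff', ['guest'], false],  // needs 'user'
    ['zfcuser', 'login', ['guest'], true],   // empty roles list: open to everyone
    // The question's bug: the rules name the alias 'index', but the controller is
    // dispatched under its registered name, so only the admin rule matches it.
    ['Application\Controller\Index', 'index', ['guest'], false],
    ['Application\Controller\Index', 'index', ['admin'], true],
    ['Blog\Controller\Post', 'view', ['admin'], false], // constructed name with no rule: denied even for admin
];

foreach ($checks as [$controller, $action, $roles, $expected]) {
    $allowed = controllerGuardAllows($rules, $controller, $action, $roles);
    printf("%-30s %-6s %-11s -> %s%s\n", $controller, $action, implode(',', $roles),
        $allowed ? 'allow' : 'DENY', $allowed === $expected ? '' : ' (unexpected)');
}
```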
As soon as you create one entry in the 'BjyAuthorize\Guard\Controller' array, then you need to create entries for every controller with permissions as appropriate.

I have this:

'BjyAuthorize\Guard\Controller' => array(
    // Access for everyone
    array('controller' => 'zfcuser', 'roles' => array('guest')),
    array('controller' => 'Application\Controller\Index', 'action' => 'index', 'roles' => array('guest')),
    array('controller' => 'error', 'roles' => array('guest')),

    // Restricted
    array('controller' => 'User\Controller\AdminUser', 'roles' => array('admin')),

),

It's important that you give guest access to zfcuser (for logging in!) and error (hard to debug stuff otherwise).

I've not tried using controller and route guards simultaneously.

Tabatha answered 12/3, 2013 at 8:41 Comment(0)
I had the exact same issue.

I think the problem is that BjyAuthorize is not well documented so many of us are simply copying and pasting and working out from the files provided. For instance from the following:

'BjyAuthorize\Guard\Controller' => array(
    array('controller' => 'zfcuser', 'roles' => array()),
),

You would expect to add your controllers as such:

array('controller' => 'controllername', 'roles' => array()),

However you need to add the full path otherwise it will not work:

// the fully qualified controller name as registered in the controllers config, e.g. Application\Controller\Index
array('controller' => 'Folder\Controller\Action', 'roles' => array()),

I hope this saves someone a few hours work as I was totally befuddled by this!

Belden answered 24/4, 2014 at 19:15 Comment(0)
Debug your code by putting this in Module.php:

public function onBootstrap($e)
{
    echo "<pre>";
    // Dump the identity provider to see which roles BjyAuthorize resolves for the current request.
    var_dump($e->getTarget()->getServiceManager()->get('BjyAuthorize\Provider\Identity\ProviderInterface'));
}
Doorway answered 3/5, 2015 at 9:36 Comment(0)