ZfcRbac Role Provider and Identity getRoles()


I couldn't understand a concept when using ZfcRbac.

1. I use my own User entity, implementing ZfcRbac\Identity\IdentityInterface

2. This interface has addRole and getRoles methods, and getRoles() should return an array of Rbac\Role\RoleInterface, so I have an array of Rbac\Role\RoleInterface

3. I get roles from my custom model and add roles to the User entity via addRole() when authenticating the user

4. Rbac\Role\RoleInterface has a hasPermission() method which returns the role's permissions

Summary: After authentication I have my authenticated User identity information, roles, and permissions per role. Why do I need another RoleProvider, and to list all my roles in it? What am I missing?


4
On BEST ANSWER

As you can see in the PHPDoc in the IdentityInterface, the getRoles() method can return two things:

1. an array of strings

2. an array of Rbac\Role\RoleInterface

In case you return an array of strings, you need an additional RoleProvider to "translate" the strings to actual instances of Rbac\Role\RoleInterface. If you return an array of Rbac\Role\RoleInterface, it seems to me that you no longer need a RoleProvider.
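
The distinction described in the answer above, as an added example that is not part of the original post and not ZfcRbac's own code: role names returned by getRoles() are resolved through a role provider, while role objects carry their own permissions. The stand-in interfaces, `SimpleRole`, `MapRoleProvider`, `resolveIdentityRoles` and `isGranted` are hypothetical names, and the roles and permissions are constructed sample data.

```php
<?php
// Stand-in types so this file runs without ZfcRbac installed (assumption);
// the real ones are Rbac\Role\RoleInterface and ZfcRbac\Role\RoleProviderInterface.
interface RoleInterface { public function getName(); public function hasPermission($permission); }
interface RoleProviderInterface { public function getRoles(array $roleNames); }

final class SimpleRole implements RoleInterface
{
    private $name; private $permissions;
    public function __construct($name, array $permissions) { $this->name = $name; $this->permissions = $permissions; }
    public function getName() { return $this->name; }
    public function hasPermission($permission) { return in_array((string) $permission, $this->permissions, true); }
}

// Hypothetical provider: the application-wide role-to-permission map (constructed data).
final class MapRoleProvider implements RoleProviderInterface
{
    private $map = ['editor' => ['post.edit'], 'admin' => ['post.edit', 'post.delete']];
    public function getRoles(array $roleNames)
    {
        $roles = [];
        foreach ($roleNames as $name) {
            if (!isset($this->map[$name])) {
                throw new RuntimeException("Unknown role: $name"); // fail closed on unknown names
            }
            $roles[] = new SimpleRole($name, $this->map[$name]);
        }
        return $roles;
    }
}

// Role objects pass through untouched; role names are translated by the provider.
function resolveIdentityRoles(array $identityRoles, RoleProviderInterface $provider)
{
    $resolved = []; $names = [];
    foreach ($identityRoles as $r) { if ($r instanceof RoleInterface) { $resolved[] = $r; } else { $names[] = (string) $r; } }
    return $names ? array_merge($resolved, $provider->getRoles($names)) : $resolved;
}

function isGranted(array $roles, $permission)
{
    foreach ($roles as $role) { if ($role->hasPermission($permission)) { return true; } }
    return false;
}

$provider = new MapRoleProvider();
$fromStrings = resolveIdentityRoles(['editor'], $provider);                                 // identity returned names
$fromObjects = resolveIdentityRoles([new SimpleRole('editor', ['post.edit'])], $provider); // identity returned objects
var_dump(isGranted($fromStrings, 'post.delete'), isGranted($fromObjects, 'post.edit'));
```

With role names, the provider's map is the single place permissions are defined; with role objects, the permissions are whatever was attached when the identity was built, so that loading code becomes part of the authorization trust boundary.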

0
On

It seems to me that Role Providers are not for generating a user role list, but rather to load and build an accessible listing of application roles with permissions to be used during and in the authorization service.

So I am extending the Zend\Authentication\AuthenticationService so I can implement the abstract method getRoles() of the ZfcRbac\Identity\IdentityInterface.

I still need to code for the accessing of user roles and storage of user roles to be authorized. There are not many examples of loading user roles using the AuthenticationService or IdentityInterface, and the loading of the role provider seems well documented. I am trying to decouple Authentication from Authorization. I authenticate and then I load the user's role in my Authorization module, because I may have cases where authentication is all that is necessary and the loading of a guest role is overhead.