blob: 24acee1769472392d179a40f6a29f2b09d1712e7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
Authorization Architecture
==========================
Kanboard [supports multiple roles](roles.markdown) at the application level and at the project level.
Authorization Workflow
----------------------
For each HTTP request:
1. Authorize or not access to the resource based on the application access list
2. If the resource is for a project (board, task...):
1. Fetch user role for this project
2. Grant/Denied access based on the project access map
Extending Access Map
--------------------
The Access List (ACL) is based on the controller class name and the method name.
The list of access is handled by the class `Kanboard\Core\Security\AccessMap`.
There are two access map: one for the application and another one for projects.
- Application access map: `$this->applicationAccessMap`
- Project access map: `$this->projectAccessMap`
Examples to define a new policy from your plugin:
```php
// All methods of the class MyController:
$this->projectAccessMap->add('MyController', '*', Role::PROJECT_MANAGER);
// All some methods:
$this->projectAccessMap->add('MyOtherController', array('create', 'save'), Role::PROJECT_MEMBER);
```
Roles are defined in the class `Kanboard\Core\Security\Role`.
The Authorization class (`Kanboard\Core\Security\Authorization`) will check the access for each page.
|