Simple User Policy

Hey Everyone,

I just finished the tutorial and am now trying to implement a Policy so that logged-in users can only edit their own profile, not someone else's.
I tried to copy the Policy from Articles and changed it accordingly, but I don't know how to check, in the last line, whether the logged-in user is the one he wants to change.

Thank you

```php
<?php
declare(strict_types=1);

namespace App\Policy;

use App\Model\Entity\User;
use Authorization\IdentityInterface;

class UserPolicy
{

    public function canAdd(IdentityInterface $user, User $resource)
    {
        return false;
    }


    public function canEdit(IdentityInterface $user, User $resource)
    {
        return $this->isSelf($user);
    }


    public function canDelete(IdentityInterface $user, User $resource)
    {
        return $this->isSelf($user);
    }


    public function canView(IdentityInterface $user, User $resource)
    {
        return $this->isSelf($user);
    }

    protected function isSelf(IdentityInterface $user)
    {
        return $user->getIdentifier() === USER I WANT TO EDIT OR DELETE;
    }
}
```

You need to pass down the $resource as well.

$user is the currently logged-in user and $resource is the entity/user he wants to perform an action on.
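To make the "pass $resource down as well" point concrete, here is an added example of a self-only UserPolicy; it is not Kevin's or the original poster's code. It assumes the cakephp/authorization plugin is installed, that the User entity has an integer `id` primary key, and that the identity's `getIdentifier()` returns that same primary key (the default when the Authentication plugin resolves users from the ORM). The nullable `?IdentityInterface` type and the `Result` object with a reason are choices made here, not something the thread prescribes:

```php
<?php
declare(strict_types=1);

namespace App\Policy;

use App\Model\Entity\User;
use Authorization\IdentityInterface;
use Authorization\Policy\Result;

/**
 * Added example policy: a user may act only on their own record.
 * Assumes an integer `id` primary key on User and an identity whose
 * identifier is that primary key.
 */
class UserPolicy
{
    // Creating other user records is not something a logged-in user may do here.
    public function canAdd(?IdentityInterface $user, User $resource): bool
    {
        return false;
    }

    public function canView(?IdentityInterface $user, User $resource): bool
    {
        return $this->isSelf($user, $resource);
    }

    public function canEdit(?IdentityInterface $user, User $resource): Result
    {
        if ($this->isSelf($user, $resource)) {
            return new Result(true);
        }
        // A Result carrying a reason makes a denied edit explain itself in the
        // ForbiddenException, which helps when reviewing authorization failures.
        return new Result(false, 'Users may only edit their own profile.');
    }

    public function canDelete(?IdentityInterface $user, User $resource): bool
    {
        return $this->isSelf($user, $resource);
    }

    /**
     * True only when the logged-in identity is the user record being acted on.
     * Both arguments are needed: $user is who is asking, $resource is the target.
     * An unauthenticated request arrives with $user === null and must be denied
     * rather than raise a TypeError.
     */
    protected function isSelf(?IdentityInterface $user, User $resource): bool
    {
        if ($user === null || $resource->isNew() || $resource->id === null) {
            return false;
        }
        // Cast both sides so a string identifier (e.g. one rebuilt from a session)
        // does not silently fail the strict comparison against the int column.
        return (int)$user->getIdentifier() === (int)$resource->id;
    }
}
```

The policy only takes effect when the controller asks for it: in `UsersController::edit()` the record must be loaded by the id from the URL and passed to `$this->Authorization->authorize($user)` before it is patched and saved, exactly as the tutorial does with `$article`. If that call is skipped, or the entity is loaded from form data instead of the URL id, the check above never runs.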

Hey Kevin,

Thank you for your super fast reply.
It really works now. I'm so so happy.

Just one little question left.
Is it good code to leave the variable named $resource, or should I change it to a more
logical name? But I don't really know what that could be, as $user is already taken.

In the tutorial it was more logical with $article.

Thank you so much.

```php
<?php
declare(strict_types=1);

namespace App\Policy;

use App\Model\Entity\User;
use Authorization\IdentityInterface;

class UserPolicy
{

    public function canAdd(IdentityInterface $user, User $resource)
    {
        return false;
    }


    public function canEdit(IdentityInterface $user, User $resource)
    {
        return $this->isSelf($user, $resource);
    }


    public function canDelete(IdentityInterface $user, User $resource)
    {
        return $this->isSelf($user, $resource);
    }


    public function canView(IdentityInterface $user, User $resource)
    {
        return $this->isSelf($user, $resource);
    }

    // $user is the logged-in identity, $resource is the user record being acted on
    protected function isSelf(IdentityInterface $user, User $resource)
    {
        return $user->getIdentifier() === $resource->id;
    }
}
```

It’s good code when you’ll be able to look at it later and understand what it does. For me (and I expect many people), having the User type on the variable is enough to very clearly signal that $resource is a user record. And there is something to be said for consistency across your policies, so that you’ll be able to read this and say “oh yeah, the resource is always the thing it’s looking for access to”. But different people have different preferences. The only truly wrong thing here would be to call it $user, because that’s already taken. :slight_smile:


maybe $loggedInUser and $entity? :grin:


Yeah, exactly these thoughts I had, and I was struggling with exactly that: how can I
compare $user with $user :face_with_peeking_eye:

It's a long time ago that I was programming Perl and it's absolutely overwhelming.
Slowly I understand a few bits of how everything comes together, and maybe I should start to write a
"how non-programmers try to use CakePHP without any knowledge to build an application" :sweat_smile:

Thank you so much, guys, for your help. I never saw such fast responses to questions anywhere else. I really appreciate it. :star_struck:

By the way - this is PHP, not Perl :stuck_out_tongue_winking_eye:

Just saw it - damn :laughing: