Zend Framework 2 - BjyAuthorize always denies access

Question

I have setup the bjyoungblood/bjy-authorize module, but I am currently getting a 403 "access denied" error for each URL except for the one configured in the home route.

My module.byjauthorize.global.php looks like following:

'bjyauthorize' => array(
    'guards' => array(
        'BjyAuthorize\Guard\Controller' => array(
            array('controller' => 'index', 'action' => 'index', 'roles' => array('guest','user')),
            array('controller' => 'index', 'action' => 'stuff', 'roles' => array('user')),
            array('controller' => 'zfcuser', 'roles' => array()),
            //backend
            array('controller' => 'Application\Controller\Index', 'roles' => array('admin')),
            array('controller' => 'MyModule\MyEntity\MyEntity', 'roles' => array('admin')),

        ),

        'BjyAuthorize\Guard\Route' => array(
            array('route' => 'zfcuser', 'roles' => array('user')),
            array('route' => 'zfcuser/logout', 'roles' => array('user')),
            array('route' => 'zfcuser/login', 'roles' => array('guest')),
            array('route' => 'zfcuser/register', 'roles' => array('guest')),                
            array('route' => 'home', 'roles' => array('admin')),
            array('route' => 'my-entity', 'roles' => array('admin')),
        ),
    ),
),

I tried deleting the BjyAuthorize\Guard\Route part, but with no effect. When I remove the home route then the homepage is also blocked. So both Controller- and Route-Guard seem to work. How can I debug this behavior?

Answer 1

NOTE: following is valid for BjyAuthorize 1.2.*

First of all, consider that protecting both the routes and the controllers is unnecessary. I personally always protect the controllers only, since there may be multiple routes to a same controller.

Once you removed either the route or the controller guard's config, you can:

• Install Zend Developer Tools, which allows you to have an overview of the currently set Acl role, like in this picture:

  

• Check if you have configured the correct identity provider: the default one uses ZfcUser's user id and looks up his role in the user_role table.

• Check that the guest role has access to the public pages, such as the zfcuser controller (for login actions) or the zfcuser/login route.

As Akrabat pointed out, the configuration for the BjyAuthorize\Guard\Controller and BjyAuthorize\Guard\Route are whitelists, which basically means that you have to setup access for the default guest role if you want to browse pages being un-authenticated.

As soon as a guard is configured, it blocks access to any not configured resource, so be sure that you have granted the role guest (or whatever you configured in $config['bjyauthorize']['default_role'] access at least the login controller or route.