InjectAuthorizerTrait
Provides the plumbing to attach a permission authorizer to ArangoDB controllers — used by the framework to gate fields via `Field::REQUIRES` without coupling `oihana/arango` to a specific authorization backend (Casbin, OPA, custom, ...).
Lifecycle:
- self::initializeArangoAuthorizer() is called once at construction
time, typically right after
parent::__construct(). The controller resolves aClosure(string $subject): boolfrom the DI container (or provides it explicitly) and hands it to the trait. - self::injectAuthorizer() is called every time the controller
forges an
$initarray bound for$this->model->list/get/.... It poses the stored authorizer underArango::AUTHORIZERso that the underlyingbuildVariables/buildEdgeVariable/buildJoinVariablechain can consult it via isAuthorized().
When no authorizer was registered, self::injectAuthorizer() is a
no-op — the framework's isAuthorized() falls open in that case, so
existing controllers that do not opt in keep their current behaviour.
Usage in a controller:
use oihana\arango\controllers\traits\inject\InjectAuthorizerTrait;
final class MyController extends DocumentsController
{
use InjectAuthorizerTrait ;
public function __construct( Container $container , array $init = [] )
{
parent::__construct( $container , $init ) ;
$authorizer = $container->has( Definition::ARANGO_AUTHORIZER )
? $container->get( Definition::ARANGO_AUTHORIZER )
: null ;
$this->initializeArangoAuthorizer( $init , $authorizer ) ;
}
public function list( ?Request $req , ?Response $res , array $args = [] , array $init = [] ) : mixed
{
$this->injectAuthorizer( $init ) ;
return parent::list( $req , $res , $args , $init ) ;
}
}
Tags
Table of Contents
Properties
- $arangoAuthorizer : Closure|null
- Stored authorizer, resolved at init time. Null when no authorizer was registered — every {@see self::injectAuthorizer()} call becomes a no-op.
Methods
- initializeArangoAuthorizer() : static
- Initialise the trait from a controller's `$init` array.
- injectAuthorizer() : void
- Pose the stored authorizer under `Arango::AUTHORIZER` so the framework helpers ({@see \oihana\arango\models\helpers\isAuthorized()}) can consult it when building edges/joins.
Properties
$arangoAuthorizer
Stored authorizer, resolved at init time. Null when no authorizer was registered — every {@see self::injectAuthorizer()} call becomes a no-op.
protected
Closure|null
$arangoAuthorizer
= null
The callable signature is Closure(string $subject): bool ; only a
strict true return counts as a grant in
isAuthorized().
Methods
initializeArangoAuthorizer()
Initialise the trait from a controller's `$init` array.
protected
initializeArangoAuthorizer(array<string|int, mixed> $init[, string|array<string|int, mixed>|object|null $authorizer = null ]) : static
Resolution order:
- Explicit
$authorizerargument (the controller resolved a service from the DI container or built the closure inline). $init[Arango::AUTHORIZER]if it carries a value.- Otherwise, the trait stays disarmed (
$arangoAuthorizer = null).
The candidate is run through resolveCallable() so any of the
supported shapes (Closure, invokable object, Class::method,
[obj, 'method'], fully-qualified function name) is accepted ; a
non-resolvable value silently disarms the trait.
Parameters
- $init : array<string|int, mixed>
-
Same array passed to the controller constructor.
- $authorizer : string|array<string|int, mixed>|object|null = null
-
Optional explicit candidate. Takes precedence over
$init.
Return values
staticinjectAuthorizer()
Pose the stored authorizer under `Arango::AUTHORIZER` so the framework helpers ({@see \oihana\arango\models\helpers\isAuthorized()}) can consult it when building edges/joins.
protected
injectAuthorizer(array<string|int, mixed> &$init) : void
No-op when no authorizer was registered, or when $init already
carries an entry under that key (a more specific call site wins —
useful for tests or for a per-call override).
Parameters
- $init : array<string|int, mixed>
-
The init array to enrich (by reference).