0
votes

I have a login system with Zend\Authentication, working fine. I have the user identity saved in the storage, so I also know the logged-in user's id.

Using TableGateway to access database tables.

I am trying to find out the proper way to let users access only their records (for example, only the customer records marked with their user_id in the customers table) and of course allow them to edit only their own records.

Yes, I can read the identity in the Table class and filter records by user_id, or even better call the data retrieval function by user_id from the Controller instead of getting the Table class involved with the user identity.

What I am interested in is: "What is the proper way to create a module that will return only the assigned data for the logged-in user?". I am new to ZF2 and I don't want to learn the wrong way but the already existing and proven one, if any.

Thank you for reading.

2
I think you can just create a method that does that check for you. For example, if user id 25 can access and edit data with id 100, then do a check that will return true if he is accessing the correct id and false if he is accessing another id, and then redirect him. - dixromos98

2 Answers

1
votes

The Zend authentication service only validates a login against your database; it doesn't take care of what data is returned when other controllers query the db.

So in this case you are responsible for taking care of what data is returned. Something like this:

// filter every query by the id of the logged-in user (identity() is the ZF2 controller plugin)
$assignedUserdata = $database->findBy(array('id' => $this->identity()->getId()));
1
votes

Old question, but I'll give you and possibly others my solution anyway. I had the same problem and I didn't want the developers to have to think about the user context every time they access the database.

What I did was to extend my repositories (= abstraction layer to DB queries) to become user-aware. So my OrderRepository implements UserAwareRepository. Every UserAwareRepository expects to get a valid user object injected in its constructor, which I use a factory for.

Now what the UserAwareRepository does is to append the WHERE user=$user->getId() to every query.

Less error-prone.
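As an added example (not code from the question or from either answer), here is what a user-aware table class of the kind both answers describe can look like on top of Zend\Db's TableGateway. It scopes reads, and also updates and deletes, to the injected user id, so a request that supplies another user's customer id returns nothing or affects zero rows instead of leaking or overwriting that row. The `customers` table layout (columns `id`, `user_id`, `name`), an identity object exposing `getId()`, and the service names `Db\Adapter` and `Zend\Authentication\AuthenticationService` are assumptions for illustration.

```php
<?php
// Added example, not from the original question or answers. Assumes a
// `customers` table (id, user_id, name) and an identity object with getId();
// both are illustrative assumptions, not anything the page defines.

use Zend\Db\Adapter\AdapterInterface;
use Zend\Db\Sql\Select;
use Zend\Db\TableGateway\TableGateway;

class UserAwareCustomerTable
{
    private $gateway;
    private $userId;

    public function __construct(AdapterInterface $adapter, $userId)
    {
        // The user id is injected once by a factory; callers never pass it
        // per call, so nobody can forget the filter or supply a wrong one.
        $this->gateway = new TableGateway('customers', $adapter);
        $this->userId  = (int) $userId;
    }

    /** Every read carries WHERE user_id = <current user>. */
    public function fetchAll()
    {
        $userId = $this->userId;
        return $this->gateway->select(function (Select $select) use ($userId) {
            $select->where(array('user_id' => $userId));
        });
    }

    /**
     * Fetch one row by primary key, but only if it belongs to the user.
     * A foreign id and a non-existent id both yield null, so a caller
     * cannot enumerate other users' rows by probing ids.
     */
    public function find($id)
    {
        $rowset = $this->gateway->select(array(
            'id'      => (int) $id,
            'user_id' => $this->userId,
        ));
        $row = $rowset->current();
        return $row ? $row : null;
    }

    /**
     * Writes are scoped the same way: user_id is part of the UPDATE's WHERE,
     * so guessing another user's customer id changes zero rows.
     * Returns the number of affected rows.
     */
    public function save($id, array $data)
    {
        // Never let request data re-own a row or move it to another id.
        unset($data['user_id'], $data['id']);
        return $this->gateway->update($data, array(
            'id'      => (int) $id,
            'user_id' => $this->userId,
        ));
    }

    public function delete($id)
    {
        return $this->gateway->delete(array(
            'id'      => (int) $id,
            'user_id' => $this->userId,
        ));
    }
}

// Service manager factory (assumed service names). Refusing to build the
// table without an identity means an unscoped query can never be constructed.
$userAwareCustomerTableFactory = function ($sm) {
    $auth = $sm->get('Zend\Authentication\AuthenticationService');
    if (!$auth->hasIdentity()) {
        throw new RuntimeException('No authenticated user; refusing to build an unscoped table');
    }
    return new UserAwareCustomerTable(
        $sm->get('Db\Adapter'),
        $auth->getIdentity()->getId()
    );
};
```

The point to check when you adopt this pattern is that the `user_id` predicate is applied to `update()` and `delete()` too, not only to `select()`: filtering reads alone still lets a user edit someone else's row by posting its id to an edit form. Returning null from `find()` for both "not yours" and "does not exist" keeps the controller code simple (one 404 path) and avoids confirming which ids exist.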