Tiger_Controller_Plugin_Authorization

@api · extends Zend_Controller_Plugin_Abstract

Tiger_Controller_Plugin_Authorization — the AUTHORIZATION gate.

A front-controller plugin (NOT a base-controller preDispatch) so it runs for EVERY dispatch regardless of what a controller extends. This is the deliberate improvement over AskLevi's base-controller approach: authorization can't be bypassed by forgetting to extend a base class — deny-by-default applies to every controller, uniformly, for the default namespace and modules alike.

Two design choices worth knowing:

  • LIVE ROLE. The session stores only "who + which org" (user_id + org_id). The role is resolved FRESH from org_user every request, so a revoked or changed membership takes effect on the very next request — no stale session permissions, no forced re-login. (This is where the actor is stamped too.)
  • EXEMPTIONS ARE DATA. Public entry points (login, /api, errors, the public home) aren't hardcoded here — they're allow guest rules in core acl.ini.

Methods

preDispatch()

preDispatch(Zend_Controller_Request_Abstract $request)

Gate every dispatch deny-by-default: resolve the caller's live role and authorize the target controller resource, redirecting or forbidding when access is denied.

  • $request Zend_Controller_Request_Abstract — the current request