Tiger_Controller_Plugin_Authorization
@api· extendsZend_Controller_Plugin_Abstract
Tiger_Controller_Plugin_Authorization — the AUTHORIZATION gate.
A front-controller plugin (NOT a base-controller preDispatch) so it runs for EVERY dispatch regardless of what a controller extends. This is the deliberate improvement over AskLevi's base-controller approach: authorization can't be bypassed by forgetting to extend a base class — deny-by-default applies to every controller, uniformly, for the default namespace and modules alike.
Two design choices worth knowing:
- LIVE ROLE. The session stores only "who + which org" (user_id + org_id). The role is resolved FRESH from org_user every request, so a revoked or changed membership takes effect on the very next request — no stale session permissions, no forced re-login. (This is where the actor is stamped too.)
- EXEMPTIONS ARE DATA. Public entry points (login, /api, errors, the public
home) aren't hardcoded here — they're
allow guestrules in core acl.ini.
Methods
preDispatch()
preDispatch(Zend_Controller_Request_Abstract $request)
Gate every dispatch deny-by-default: resolve the caller's live role and authorize the target controller resource, redirecting or forbidding when access is denied.
$requestZend_Controller_Request_Abstract— the current request