There are at least a dozen well-written, permissibly-licensed router packages out there (alloy, aura, solar, symphony, etc.), but I have yet to come across one that includes some form of fine-grained (i.e., resource or finer) access control.
Important features:
I would be more than willing to contribute to a project that wanted to do this, but would rather not reinvent the wheel if someone is already working on this.
Specifically, given a route and some form of authentication, I want to have the access controller decide to:
As a bonus, having a way to request the full resource from the redacted one would be great; e.g., you pull up a person resource, and their SSN/DOB are redacted. When you hit a "show" button, it logs it and then gives you the resource with those in it.
Edit: This does not actually have to be the router itself, but it seems like it would make sense to use the same kind of addressing to control access. It's possible that this could be implemented as a standalone tool that is executed post-routing, pre-dispatch.
Routing, authentication and authorization are three separate parts of an application. Each of those steps would be part of the bootstrap stage for the application.
- try to acquire user's identity from authentication token in session or cookies
- route the incoming request
- check if the user is authorized to execute the command that was provided by the router
I usually do the authorization checks by wrapping the target's instance in a decorator, which provides me with access control over any structure that requires it. The implementation is usually similar to the one described in this example.
When access is denied or if the method is not found, you just throw the appropriate exception.
This also provides the added benefit of working well with dependency injection. When you inject such a decorated object, any method that gets performed on it will go through access control.
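
The decorator approach described in the answer above, as an added PHP 8 example (it is not the answerer's code, nor the example the answer links to). The class names `Acl`, `Secured`, `AccessDenied` and `PersonController`, the rule format and the role names are all hypothetical.

```php
<?php
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

// Hypothetical ACL: maps "Class::method" to the roles allowed to call it.
final class Acl
{
    public function __construct(private array $rules) {}

    public function isAllowed(array $roles, string $class, string $method): bool
    {
        $allowed = $this->rules["$class::$method"] ?? [];   // unlisted means denied
        return array_intersect($roles, $allowed) !== [];
    }
}

// Decorator: every call on the wrapped instance passes through __call().
final class Secured
{
    public function __construct(private object $target, private Acl $acl, private array $roles) {}

    public function __call(string $method, array $args): mixed
    {
        $class = get_class($this->target);
        // Authorize before checking existence, so a caller without rights
        // cannot use the "not found" error to enumerate methods.
        if (!$this->acl->isAllowed($this->roles, $class, $method)) {
            throw new AccessDenied("$class::$method");
        }
        if (!is_callable([$this->target, $method])) {
            throw new BadMethodCallException("$class::$method does not exist");
        }
        return $this->target->$method(...$args);
    }
}

// Constructed demo: the object the router resolved, wrapped before dispatch.
final class PersonController
{
    public function view(int $id): string   { return "person $id (SSN/DOB redacted)"; }
    public function reveal(int $id): string { return "person $id (full record)"; }
}
$acl = new Acl([
    'PersonController::view'   => ['clerk', 'auditor'],
    'PersonController::reveal' => ['auditor'],
]);
$controller = new Secured(new PersonController(), $acl, ['clerk']);
echo $controller->view(7), PHP_EOL;                 // allowed for 'clerk'
try { $controller->reveal(7); } catch (AccessDenied $e) { echo 'denied: ', $e->getMessage(), PHP_EOL; }
```

Because the rule lookup is an exact string match, a method name spelled with different casing is denied rather than dispatched, even though PHP itself resolves method names case-insensitively.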