The Best Way To Implement Rbac To The Module

Most of the extensions are available via composer now, which means the can be autoupdated, so it is generally unwise to change their code, unless it can’t be avoided.

Sometimes we want to limit the access to the module, or module’s controllers or actions - how do we do this gracefully without touching the module’s code?

I have found only one approach: to make a custom url ( in docs), then to get url info, parse it and deny or allow access based on substring search of module id in the url. But this doesn’t look graceful enough.

What would be nice is to have a global beforeaction, in which we can do such checks.

Hello tebazil,

Have you tried extending the classes and methods overriding just an idea.

Good idea, actually - it didn’t cross my mind earlier, so I tried it today. Yes, overriding the Module’s beforeAction gives desired results.

It’s another approach to solve the problem. Thanks, Vilo.

Any other approaches?

Ok, so after some investigation, I think we can use three approaches:

  1. To add to the Application’s beforeAction with some custom behavior or a component which should act ‘as’ behavior.

  2. To extend the module (then I believe you’ll need to set the viewpath of module to the viewpath of the module you inherited from) and override it’s beforeAction method.

  3. To implement the custom url rule, and do the authentication there (dirty approach).

Second is the most natural, as you don’t have to deal with routes.