Authorization Architecture
Kanboard supports multiple roles at the application level and at the project level.
Authorization Workflow
For each HTTP request:
- Authorize or not access to the resource based on the application access list
- If the resource is for a project (board, task…):
- Fetch user role for this project
- Grant/Denied access based on the project access map
Extending Access Map
The Access List (ACL) is based on the controller class name and the method name. The list of access is handled by the class Kanboard\Core\Security\AccessMap.
There are two access map: one for the application and another one for projects.
- Application access map:
$this->applicationAccessMap - Project access map:
$this->projectAccessMap
Examples to define a new policy from your plugin:
// All methods of the class MyController:
$this->projectAccessMap->add('MyController', '*', Role::PROJECT_MANAGER);
// Specific methods:
$this->projectAccessMap->add('MyOtherController', array('create', 'save'), Role::PROJECT_MEMBER);
Roles are defined in the class Kanboard\Core\Security\Role.
The Authorization class (Kanboard\Core\Security\Authorization) will check the access for each page.