For authorization, I originally followed the example from Oleg’s book.
He ties his authorization (page protection) method into EVENT_DISPATCH.
The problem I ran into with this is that the controller gets built, which requires forms to be built, which requires custom elements and validators to be built. This seems like a waste and possibly a security risk.
In slack, mwop pointed out that Apigility does authorization late in EVENT_ROUTE. Sure enough, the docs say:
Authorization happens post-route, but before dispatch of the requested service. This is what allows zf-mvc-auth to be able to determine if a particular identity has access to the requested resource without having to start the initialization dispatch of any particular controller in the application.
That makes a lot of sense and matches what I saw.
Problem is, I want to redirect to a particular route upon failure. As per Oleg’s example, I do this:
But, during EVENT_DISPATCH, the controllers aren’t up and running so this doesn’t work.
So, upon authorization failure, am I supposed to craft my own Response, or alter the $event somehow?