When I set 'deny_by_default' ('zf-mvc-auth' component) to true, I get 403 "Forbidden" on all pages of the site

I am trying to use OAuth2 with Apigility within a ZF3 project too. At the moment I am facing the following situation: when I set ‘deny_by_default’ to true, I get 403 “Forbidden” on all pages of the site, even at non-API URLs. I mean, the home page of my site shows 403 too.

This is my config:

'zf-mvc-auth' => [
    'authentication' => [
        'map' => [
            '\\Admin\\Module\\User\\V1' => 'oauth2_pdo',
        ],
    ],
    'authorization' => [
        'deny_by_default' => true,
        '\\Admin\\Module\\User\\V1\\Rest\\Item\\Controller' => [
            'collection' => [
                'GET' => true,
                'POST' => true,
                'PUT' => false,
                'PATCH' => false,
                'DELETE' => false,
            ],
            'entity' => [
                'GET' => true,
                'POST' => false,
                'PUT' => true,
                'PATCH' => true,
                'DELETE' => true,
            ],
        ],
    ],
],

I have the Apigility admin in another project and generate there what I need. After that I copy the generated config to my project.
It looks like I have missed something. When I remove deny_by_default or set it to false, everything works as before, but my API can be accessed without authentication.

I have this json response on all pages (at home page too):

{
"type":"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
"title":"Forbidden",
"status":403,
"detail":"Forbidden"
}

How do I fix this?

This article may help: https://blog.tomhanderson.com/2017/10/using-zf-mvc-auth-for-custom.html

It’s not as easy as just a config variable but once all your ACL is in place you’ll have better control of your permissions.


I followed this tutorial https://apigility.org/documentation/auth/user-differentiation, but your example contains Doctrine, which is exactly what I need. Thank you!

Also, I have figured out why I had 403 everywhere. I had to add ACL resources to the authorization listener.
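For readers hitting the same wall: with 'deny_by_default' => true the ACL denies every resource it has not been told about, which includes ordinary MVC pages such as the home page. The listener below is an added example (not code from this thread, from Tom's blog or from the zf-mvc-auth project) that registers those pages as allowed resources before the default authorization listener runs; the controller and action names are assumptions, and it assumes the default ZF\MvcAuth\Authorization\AclAuthorization service, which extends Zend\Permissions\Acl\Acl.

```php
<?php
// Added example, not part of the original thread or of zf-mvc-auth itself.
namespace Application;

use Zend\Mvc\MvcEvent;
use ZF\MvcAuth\MvcAuthEvent;

class Module
{
    /**
     * Non-API pages that must stay reachable without a token.
     * zf-mvc-auth names MVC resources "<controller service name>::<action>";
     * the controller and actions here are assumed, adjust them to your app.
     */
    const PUBLIC_RESOURCES = [
        'Application\Controller\IndexController::index',
        'Application\Controller\IndexController::about',
    ];

    public function onBootstrap(MvcEvent $e)
    {
        $events = $e->getApplication()->getEventManager();
        // Priority 100: after the resource resolver has named the resource,
        // before the default authorization listener evaluates the ACL.
        $events->attach(MvcAuthEvent::EVENT_AUTHORIZATION, [$this, 'onAuthorization'], 100);
    }

    public function onAuthorization(MvcAuthEvent $mvcAuthEvent)
    {
        // Assumes the default AclAuthorization service (a Zend\Permissions\Acl\Acl).
        $acl = $mvcAuthEvent->getAuthorizationService();

        foreach (self::PUBLIC_RESOURCES as $resource) {
            if (! $acl->hasResource($resource)) {
                $acl->addResource($resource);
            }
            // null role = every role (guest and authenticated), all privileges
            // (HTTP methods). Only the listed pages are opened up; everything
            // else, including the REST controllers, still follows the
            // 'authorization' config and deny_by_default.
            $acl->allow(null, $resource);
        }
    }
}
```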

I have fixed the 403 at non-API pages but still have 403 at all REST API links.

Tom, can you clarify one point for me from your blog post at https://blog.tomhanderson.com/2017/10/using-zf-mvc-auth-for-custom.html?
At first you wrote this:

'zf-mvc-auth' => array(
    'authentication' => array(
        'adapters' => array(
            'user' => [
                'adapter' => 'User\\Authentication\\Adapter\\DoctrineAdapter',
                'storage' => [
                    'Zend\Authentication\Storage\Session',
                ],
            ],
        ),
    ),
),

where the name of the adapter is “DoctrineAdapter”. Later in that post you mentioned this:

final class AuthenticationAdapter implements
    AdapterInterface,
    ObjectManagerAwareInterface
{

Is the “AuthenticationAdapter” the same as “DoctrineAdapter” from config?

Also, this page https://apigility.org/documentation/auth/user-differentiation mentions a “final class SessionAdapter”, but later in those docs there is this code:

// Add Authentication Adapter for session
$defaultAuthenticationListener = $container->get(DefaultAuthenticationListener::class);
$defaultAuthenticationListener->attach(new Authentication\AuthenticationAdapter());

Are “SessionAdapter” and “AuthenticationAdapter” the same thing? Because I treated them as the same and renamed the second class to the first.