Entities and permissions
The whole point of this framework is to make it easy to create entities and write custom modules easily. So we can create an entity with a few lines of code, we should consider the framework successful. Let’s create an entity for Blog Posts as an example.
Create a folder under the modules directory:
cd modules
mkdir blog
Now create blog.php and entity.fields.json files under the blog directory.
The blog.php file should look like this:
<?php
namespace modules\blog;
class blog extends \modules\entity\entity{
}
And the entity.fields.json:
{
"fields": [
{
"name": "title",
"type": "string",
"unique": false,
"options" : {
"length": 255,
"notNull": true
}
},
{
"name": "body",
"type": "text"
},
{
"name": "created_at",
"type": "integer"
},
{
"name": "updated_at",
"type": "integer"
},
{
"name": "published",
"type": "boolean"
}
]
}
And voila! That’s it. That’s all we need to create a new entity. Now we just need to install our module:
php index.php system reinstall_modules
And it will create the database table.
Endpoints are also ready:
GET /blog -> Lists all blog posts
GET /blog/1 -> Get the blog post with the id #1
POST /blog -> Create a new blog post
PUT /blog -> Edit a blog post
DELETE /blog -> Deletes a blog post.
The permissions are also automatically created. An authenticated user can create a blog post, list all blog posts, edit their own blog posts and delete their own blog posts out of the box. If you want to override the permissions, you can simply add a routing.json file under the blog module directory and change the permissions as required. For example if you want authenticated users to not to access all blog posts, you should simply:
routing.json
{
"routes": [
{
"name": "Blog post lists",
"path": "/blog",
"method": "GET",
"actor": "modules\\blog\\blog",
"handler": "list",
"permissions": [
{
"type": "standart",
"name": "list all blog posts"
}
]
}
]
}
What we did above is pretty self explanatory. A few things to mention still:
- Even though our blog class looks empty, it extends the
entityobject, so it actually has alistmethod, that’s why we declared it as our handler. - But to access that endpoint, the method first needs to pass the permissions. By declaring a new permission under the
permissions, we simply made up a new scope, and yet haven’t assigned the permission to any user role. Sinceauthenticated userrole will not have this new scope, router won’t permit the request and return a403 Forbidden
What if we wanted the user to list their own blog posts but not the others? Simple. We would override the list method and add a where clause to the sql query to filter the owner’s blog posts.
routing.json
{
"routes": [
{
"name": "Blog post lists",
"path": "/blog",
"method": "GET",
"actor": "modules\\blog\\blog",
"handler": "list",
"permissions": [
{
"type": "standart",
"name": "get any blog"
}
]
}
]
}
This time, we should add a new method to the blog.php class:
<?php
namespace modules\blog;
class blog extends \modules\entity\entity{
public function list($total=10,$start_from=0){
$queryBuilder = $this->connection->createQueryBuilder();
$queryBuilder
->select('*')
->from($table)
->where(“owner = ?”)
->setFirstResult($start_from)
->setParameter(‘:owner’, $this-owner)
->setMaxResults($total);
try {
$data = $queryBuilder->execute()->fetchAll(\PDO::FETCH_OBJ);
if($data){
return $data;
}
}
catch(DBALException $e){
print "Couldnt execute the query \n";
print $e->getMessage() . "\n";
}
return false;
}
}
As you can see we added a where clause to the usual query with the owner id. By default, the system adds an owner field to the entity and associates it with the creator user id. So we won’t need to even worry about the owner attribute, it comes out of the box.