Filtering Access to Controller Classes and Methods (before PHP 8)

A feature of good routing is the possibility to enforce policies that get specified for Controller classes and methods. For this purpose, frameworks such as ASP.NET use annotations on classes and methods. We wish to replicate this in PHP, but PHP does not support annotations.

Contents

phpDoc Comments

phpDoc comments are the official means to document class and function API in PHP. These comments are delimited by /** and */ character sequences (note the opening tag has 2* characters. The usual contents should include method parameters, return values, summaries, etc. We aim to add our own annotation to this phpDoc which we will in turn use to filter user access.

Consider a simple controller class with phpDoc comments as below:

```
<?php
```
```
/**
```

HomeController will handle operations related to Item entities.

```
@accessFilter{LoginFilter}
```
```
*/
```

class HomeController extends Controller{

```
/**
```
```
Provide a listing of the Item entities
```
```
*/
```
```
  public function index(){
```
```
    //...
```
```
  }
```
```
 
```
```
  public function create(){
```
```
    //...
```
```
  }
```
```
/** 
```
```
@accessFilter{itemOwner}
```
```
*/
```
```
  public function detail($item_id){
```
```
    //...
```
```
  }
```
```
/**
```
```
@accessFilter{itemOwner}
```
```
*/
```
```
  public function edit($item_id){
```
```
    //...
```
```
  }
```
```
/**
```
```
@accessFilter{itemOwner}
```
```
*/
```
```
  public function delete($item_id){
```
```
    //...
```
```
  }
```
```
}
```
```
?>
```

In the above, we wish to apply the LoginFilter access policy to the entire class and the itemOwner policy only to Detail, Edit, and Delete methods.

ReflectionClass

For our purposes, phpDoc comments would serve no purpose without the means to efficiently extract them programatically. For this purpose, we use the ReflectionClass class, which provides an interface to all information about a selected class and its methods. Below, we extract the phpDoc comments of the class and each one of the methods:

```
<?php
```

$reflection = new ReflectionClass('HomeController');

$classDoc = $reflection->getDocComment();

$indexComment = $reflection->getMethod('index')->getDocComment();

$createComment = $reflection->getMethod('create')->getDocComment();

$detailComment = $reflection->getMethod('detail')->getDocComment();

$editComment = $reflection->getMethod('edit')->getDocComment();

$deleteComment = $reflection->getMethod('delete')->getDocComment();

```
?>
```

More specifically for our purposes, we need to extract the phpDoc comments for the specific controller and method resolved in the routing algorithm. (If you have been reading this site, I place this functionality in the App class constructor.)

Below is an example of how, given a class, method, and parameters, we should extract, parse, and resolve the filters.

private static function redirectFilters($class,$method, $params){

  $reflection = new ReflectionClass($class);

```
 
```

  $classDocComment = $reflection-&gt;getDocComment();

  $methodDocComment = $reflection-&gt;getMethod($method)-&gt;getDocComment();

```
 
```
```
  //parse and extract the filters
```

  $classFilters = self::getFiltersFromAnnotations($classDocComment);

  $methodFilters = self::getFiltersFromAnnotations($methodDocComment);

```
 
```

  $filters = array_values(array_filter(array_merge($classFilters,$methodFilters)));

```
 
```

  $redirect = self::runFilters($filters, $params);

```
  return $redirect;
```
```
}
```

First, we initialize the ReflectionClass instance for this controller class and then extract the phpDoc comments for the class and method at hand. Then, we parse the phpDoc comment to retrieve any filter annotations and assemble these from the class and method in a single array. Then we run the filters and return the first redirection URL obtained, false otherwise. So the right time to call this method is right before calling the method on the controller class, as follows:

if($redirectUrl = self::redirectFilters($this-&gt;controller, $this-&gt;method, $this-&gt;params)){

```
  header("location:$redirectUrl");
```
```
  return;
```
```
}
```
```
 
```

call_user_func_array([$this-&gt;controller, $this-&gt;method], $this-&gt;params);

For any of this to work, of course, we must actually parse the phpDoc comments to extract the filter information, run the filters, and especially have filters to run in our code.

Parsing the phpDoc Comment

We must extract information from the phpDoc comments which resemble the following:

/**
Summary.
@accessFilter{filter1,filter2, filter3}
*/

For this purpose, we propose a method as follows:

private static function getFiltersFromAnnotations($docComment){

  preg_match('/@accessFilter:{(?<content>.+)}/i', $docComment, $content);

  $content = (isset($content['content'])?$content['content']:'');

  $content = explode(',',str_replace(' ', '', $content));

```
  return $content;//this is an array
```
```
}
```

On line 2, we extract all the accessFilter contents as elements in the $content array, with the key ‘content‘.

On line 3, we set $content to the value associated to the ‘content‘ key in $content, if any, or an empty string otherwise.

On line 4, we convert the string to an array of strings, one element per filter, without space characters.

Running the Filters

First and foremost, we must have filters to run. It is proposed to group these either in your routing class or a separate Filter class, as follows:

```
<?php
```
```
<?php
```
```
class Filter extends Controller{
```

  public static function itemOwner($params){

    $theItem = self::model('Item')->find($params[0]);

    if($theItem->user_id != $_SESSION['user_id']){

```
      return '/home/index';
```
```
    }else{
```
```
      return false;
```
```
    }
```
```
  }
```

  public static function LoginFilter($params){

```
    if($_SESSION['user_id'] == null){
```
```
      return '/login/index';
```
```
    }else{
```
```
      return false;
```
```
    }		
```
```
  }
```
```
}
```
```
?>
```

Each of the above methods will check conditions based on the session variables, parameters, or core functionality. For example, LoginFilter verifies if a user is logged in and returns a redirection URL otherwise, or false if the user need not be redirected. The function itemOwner compares the user id of the user logged in with the user id in the record to verify if the current user is not attempting to modify someone else’s data.

The strategy to run the filters is to run them one by one until a redirection is determined or all have been run. We then return the redirection to the calling method which will send it to the routing algorithm.

private static function runfilters($filters,$params){

```
  $redirect = false;
```
```
  $max = count($filters);
```
```
  $i = 0;
```
```
  while(!$redirect && $i < $max){
```

    if(method_exists('Filter', $filters[$i])){

      $redirect = Filter::{$filters[$i]}($params);

```
    }else{
```

      throw new Exception("No policy named $filters[$i]");

```
    }
```
```
    $i++;
```
```
  }
```
```
  return $redirect;
```
```
}
```

Conclusion

All the pieces are in place. We can now implement redirection policies and apply them to classes and methods with a simple phpDoc comment. Note that there should only be ONE phpDoc comment per class and per method, which integrates all relevant annotations, including ours: @accessFilter. Otherwise, the ReflectionClass method getDocComment will only be able to return the one before and closest to the class or method declaration.

2 replies on “Filtering Access to Controller Classes and Methods (before PHP 8)”

Hi,

Is it possible to receive the complete working source code for the PHP MVC application as explained on Youtube.

regards,
Danny

Hi Danny,

Thank you for this question. In fact, the full code is available on this site if you navigate back and follow the posts starting here: https://cstutoring.ca/2020/03/29/htaccess/.

Enjoy!
Michel