DebugKit.ignoreAuthorization doesn't work with RequestAuthorization
- [x] enhancement
- [ ] feature-discussion (RFC)
- [ ] bug
What you did
I've set up a Request Policy as an Authorization Service but the newly added DebugKit.ignoreAuthorization doesn't seem to override the Request Authorization.
What happened
DebugKit toolbar threw a ForbiddenException.
What you expected to happen
DebugKit should bypass Request Authorization logic
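This could easily be solved by adding a rule to the canAccess function in the RequestPolicy class like so:
```php
use Authorization\Policy\RequestPolicyInterface;
use Cake\Http\ServerRequest;

class RequestPolicy implements RequestPolicyInterface {
    public function canAccess($identity, ServerRequest $request) {
        // Allow all DebugKit plugin requests.
        if ($request->getParam('plugin') === 'DebugKit') {
            return true;
        }
        // Application rules go here; deny anything not explicitly allowed.
        return false;
    }
}
```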
but this will render DebugKit.ignoreAuthorization useless anyway!
If you are using request-based policies, you have to handle skipping authorization yourself right now, as the ignore options have not been implemented for request policies yet.
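One way to handle the skip yourself without making the flag useless is to tie the bypass to `DebugKit.ignoreAuthorization` instead of hard-coding it. This is an added example, not part of the thread and not code from DebugKit or the Authorization plugin. The `App\Policy` namespace, the extra `debug` check, reading the flag through `Configure::read()` and the placeholder application rule are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Policy; // assumed application namespace

use Authorization\Policy\RequestPolicyInterface;
use Cake\Core\Configure;
use Cake\Http\ServerRequest;

class RequestPolicy implements RequestPolicyInterface
{
    // Same signature as the snippet in the issue.
    public function canAccess($identity, ServerRequest $request)
    {
        if ($this->isIgnoredDebugKitRequest($request)) {
            return true;
        }

        // Placeholder application rule (assumption): signed-in users only.
        return $identity !== null;
    }

    /**
     * Hypothetical helper: true only for DebugKit plugin requests, and only
     * while both debug mode and DebugKit.ignoreAuthorization are enabled.
     * With either setting off, DebugKit requests fall through to the
     * normal rules like any other request.
     */
    private function isIgnoredDebugKitRequest(ServerRequest $request): bool
    {
        if ($request->getParam('plugin') !== 'DebugKit') {
            return false;
        }

        return (bool)Configure::read('debug')
            && (bool)Configure::read('DebugKit.ignoreAuthorization');
    }
}
```

Setting `DebugKit.ignoreAuthorization` to `false`, or turning `debug` off, sends toolbar requests back through the application rule, so the flag keeps its meaning.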
I would love to help fix this issue!
@mmahgoub That would be great!
ping @mmahgoub