Authorization Architecture
==========================

Kanboard supports multiple roles at the application level and at the project level.

Authorization Workflow
----------------------

For each HTTP request:

1. Grant or deny access to the resource based on the application access list.
2. If the resource belongs to a project (board, task…):

   1. Fetch the user's role for this project.
   2. Grant or deny access based on the project access map.

Extending Access Map
--------------------

The Access Control List (ACL) is keyed on the controller class name and the method name.

Access lists are handled by the class ``Kanboard\Core\Security\AccessMap``.

There are two access maps: one for the application and another one for projects.

- Application access map: ``$this->applicationAccessMap``
- Project access map: ``$this->projectAccessMap``

Examples of defining a new policy from your plugin:

.. code:: php

    // All methods of the class MyController:
    $this->projectAccessMap->add('MyController', '*', Role::PROJECT_MANAGER);

    // Specific methods:
    $this->projectAccessMap->add('MyOtherController', array('create', 'save'), Role::PROJECT_MEMBER);

Roles are defined in the class ``Kanboard\Core\Security\Role``.

The Authorization class (``Kanboard\Core\Security\Authorization``) checks the access for each page.
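The two-level workflow above (application access list first, then the project access map keyed on controller and method), modelled as an added Python example. This is not Kanboard's own ``AccessMap`` or ``Authorization`` code; the role names, the role hierarchy and the sample policies are constructed for the illustration.

```python
# Illustrative model of Kanboard's two-level authorization check.
# Not Kanboard code: role names, hierarchy and sample policies are constructed.
WILDCARD = "*"


class AccessMap:
    """controller -> method -> allowed roles. Anything not listed is denied."""

    def __init__(self, hierarchy=None):
        self._map = {}
        self._hierarchy = hierarchy or {}  # role -> roles it also satisfies

    def add(self, controller, methods, role):
        # methods is either "*" (all methods) or a list of method names
        names = [WILDCARD] if methods == WILDCARD else list(methods)
        for method in names:
            self._map.setdefault(controller, {}).setdefault(method, set()).add(role)

    def is_allowed(self, controller, method, role):
        per_method = self._map.get(controller, {})
        allowed = per_method.get(method, set()) | per_method.get(WILDCARD, set())
        effective = {role} | self._hierarchy.get(role, set())
        return bool(allowed & effective)


def authorize(app_map, project_map, controller, method, app_role,
              project_id=None, project_roles=None):
    """Step 1: application access list. Step 2 (only for project resources):
    look up the user's role in that project, then consult the project map."""
    if not app_map.is_allowed(controller, method, app_role):
        return False
    if project_id is None:
        return True
    project_role = (project_roles or {}).get(project_id)
    if project_role is None:
        return False  # user is not a member of this project: deny
    return project_map.is_allowed(controller, method, project_role)


# Constructed sample policies (not Kanboard's real access lists).
APP_MAP = AccessMap(hierarchy={"app-admin": {"app-user"}})
APP_MAP.add("TaskController", WILDCARD, "app-user")
APP_MAP.add("ConfigController", WILDCARD, "app-admin")

PROJECT_MAP = AccessMap(hierarchy={"project-manager": {"project-member", "project-viewer"},
                                   "project-member": {"project-viewer"}})
PROJECT_MAP.add("TaskController", ["show"], "project-viewer")
PROJECT_MAP.add("TaskController", ["create", "save"], "project-member")
PROJECT_MAP.add("TaskController", ["remove"], "project-manager")

USER_PROJECTS = {1: "project-member", 2: "project-viewer"}  # constructed membership
```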