[Proposal] Implement per-operation access control rules

[teohhanhui]

Using Security expressions to control access to each operation.

# app/config/services.yml
services:
    resource.product:
        parent: api.resource
        arguments:
            - AppBundle\Entity\Product
        calls:
            - method: initAccessControlRules
              arguments:
                  - collection:
                        POST: "has_role('ROLE_ADMIN')"
                    item:
                        PUT: "has_role('ROLE_ADMIN')"
                        DELETE: "has_role('ROLE_ADMIN')"
        tags:
            - name: api.resource

[dunglas]

Interesting approach. However I'll refactor the resource and operation system (they will be moved in the metadata system).
IMO the rule must be related to the operation and not to the resource.

[teohhanhui]

That will be ideal, but it doesn't make sense for me to recreate each and every default operation (tens or hundreds of them). Of course, that's #142

[teohhanhui]

I guess I'll wait until after your refactoring is complete. In the meantime, my needs are simple enough to be served by hardcoded logic in a single listener.

[sroze]

Even if I'm not fond of the expression component, I like the idea too 👍

[teohhanhui]

@sroze Why? Isn't it essentially DSL? Or at least afford you to create your own DSL easily? You can give your user just enough flexibility without having to account for every possible use case (a rather impossible task).