The `InMemoryRoleProvider` and the `ObjectRepositoryRoleProvider` do not implement `getRoles($roleNames)` in the same way.
`InMemoryRoleProvider::getRoles($roleNames)` will return an array of roles matching the `$roleNames` array. If a roleName in `$roleNames` is not present in the in-memory config, it will create a role for that roleName with no permissions.
`ObjectRepositoryRoleProvider::getRoles($roleNames)` will return an array of roles matching the `$roleNames` array only if there is a match. If a roleName in `$roleNames` is not present in the object repository, it will throw a `RoleNotFoundException` exception.
Moreover, the `RoleProviderInterface` interface does not state that `getRoles()` can throw an exception.
The Role Service, when requesting roles from the provider, does not check for exceptions. This means that, in an application using `ObjectRepositoryRoleProvider`, if an identity has a role that does not exist in the role provider, the application will throw an exception and crash if not handled. The exception makes sense since roles assignable to an identity should exist and should be enforced when creating users, roles and permissions.
On the other hand, `InMemoryRoleProvider` is too permissive as it will add roles in the role provider for roles that do not exist in its initial configuration. `InMemoryRoleProvider` was meant to be a simple solution and it is not strict in validating whether a given role exists or not.
I am of the opinion that an exception should be thrown when requesting the role provider to provide a role that does not exist.
This would be a breaking change for applications using the `InMemoryRoleProvider` when an unexpected exception would occur that would cause the app to crash.
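
The two behaviours described above, side by side, as an added example that is not part of the original issue and is not the library's code. `LenientProvider`, `StrictProvider`, `isGranted()` and the sample config are hypothetical stand-ins, and the caller's choice to treat a missing role as a denial is an assumption about how a role service could handle the exception.

```php
<?php
declare(strict_types=1);
// Simplified stand-ins written for this example; not the library's classes.
final class RoleNotFoundException extends RuntimeException {}
interface RoleProviderInterface {
    public function getRoles(array $roleNames): array; // role name => permission list
}
// Lenient behaviour: an unknown role name comes back as a role with no permissions.
final class LenientProvider implements RoleProviderInterface {
    public function __construct(private array $config) {}
    public function getRoles(array $roleNames): array {
        $roles = [];
        foreach ($roleNames as $name) {
            $roles[$name] = $this->config[$name] ?? [];
        }
        return $roles;
    }
}
// Strict behaviour: an unknown role name raises RoleNotFoundException.
final class StrictProvider implements RoleProviderInterface {
    public function __construct(private array $config) {}
    public function getRoles(array $roleNames): array {
        $missing = array_diff($roleNames, array_keys($this->config));
        if ($missing !== []) {
            throw new RoleNotFoundException('Unknown role(s): ' . implode(', ', $missing));
        }
        return array_intersect_key($this->config, array_flip($roleNames));
    }
}
// Provider-agnostic caller (assumption): a missing role is logged and denied, not a crash.
function isGranted(RoleProviderInterface $provider, array $identityRoles, string $permission): bool {
    try {
        $roles = $provider->getRoles($identityRoles);
    } catch (RoleNotFoundException $e) {
        error_log('RBAC: ' . $e->getMessage()); // surface the stale role assignment
        return false;
    }
    foreach ($roles as $permissions) {
        if (in_array($permission, $permissions, true)) {
            return true;
        }
    }
    return false;
}
// Constructed sample data: the identity carries one valid role and one stale one.
$config = ['editor' => ['post.edit']];
foreach ([new LenientProvider($config), new StrictProvider($config)] as $provider) {
    var_dump(isGranted($provider, ['editor', 'ghost'], 'post.edit'));
}
```

With the same identity and config, the lenient provider silently ignores the stale role while the strict one fails the whole lookup, so the caller has to handle the exception explicitly.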