The InMemoryRoleProvider and the ObjectRepositoryRoleProvider do not implement getRoles($roleNames) in the same way.
InMemoryRoleProvider::getRoles($roleNames) will return an array of roles matching the $roleNames array. If a roleName in $roleNames is not present in the in-memory config, it will create a role for that roleName with no permissions.
ObjectRepositoryRoleProvider::getRoles($roleNames) will return an array of roles matching the $roleNames array only if there is a match. If a roleName in $roleNames is not present in the object repository, it will throw a RoleNotFoundException exception.
Moreover, the RoleProviderInterface interface does not state that getRoles() can throw an exception.
The Role Service, when requesting roles from the provider, does not check for exceptions. This means that, in an application using ObjectRepositoryRoleProvider, if an identity has a role that does not exist in the role provider, the application will throw an exception and crash if not handled. The exception makes sense since roles assignable to identity should exist and should be enforced when creating users, roles and permissions.
On the other hand, InMemoryRoleProvider is too permissive as it will add roles in the role provider for roles that do not exist in its initial configuration. InMemoryRoleProvider was meant to be a simple solution and it is not strict in validating that a given role exists or not.
I am of the opinion that an exception should be thrown when requesting the role provider to provide a role that does not exist.
This would be a breaking change for applications using the InMemoryRoleProvider when an unexpected exception would occur that would cause the app to crash.
visto9259 changed the title from "InMemory and ObjectRepository Role provides do not have the same behavior" to "InMemory and ObjectRepository Role providers do not have the same behavior" on Feb 29, 2024
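The two behaviours described in this issue, side by side, as an added PHP example that is not the library's code or the issue author's. `RoleProvider`, `PermissiveProvider`, `StrictProvider` and `isGranted()` are hypothetical stand-ins, roles are reduced to arrays of permission strings, and the caller's choice to deny on an unknown role is an assumption.

```php
<?php
// Hypothetical stand-ins for illustration; not the library's classes.
final class RoleNotFoundException extends RuntimeException {}
interface RoleProvider
{
    /** @throws RoleNotFoundException when a requested role is unknown (stated in the contract) */
    public function getRoles(array $roleNames): array;
}

final class PermissiveProvider implements RoleProvider
{
    public function __construct(private array $config) {}
    public function getRoles(array $roleNames): array
    {
        $roles = [];
        foreach ($roleNames as $name) {
            // An unknown name silently becomes a role with no permissions.
            $roles[$name] = $this->config[$name] ?? [];
        }
        return $roles;
    }
}

final class StrictProvider implements RoleProvider
{
    public function __construct(private array $config) {}
    public function getRoles(array $roleNames): array
    {
        $missing = array_diff($roleNames, array_keys($this->config));
        if ($missing !== []) {
            throw new RoleNotFoundException('Unknown role(s): ' . implode(', ', $missing));
        }
        return array_intersect_key($this->config, array_flip($roleNames));
    }
}

// Caller that handles the documented exception: log the bad assignment and deny.
// Assumption: one unknown role denies the whole request instead of being skipped.
function isGranted(RoleProvider $provider, array $identityRoles, string $permission): bool
{
    try {
        $roles = $provider->getRoles($identityRoles);
    } catch (RoleNotFoundException $e) {
        error_log('RBAC: ' . $e->getMessage());
        return false;
    }
    return in_array($permission, array_merge(...array_values($roles)), true);
}
$config = ['editor' => ['post.edit']]; // constructed sample configuration
var_dump(isGranted(new PermissiveProvider($config), ['editor', 'ghost'], 'post.edit'));
var_dump(isGranted(new StrictProvider($config), ['editor', 'ghost'], 'post.edit'));
```

With the permissive provider the stale `ghost` assignment goes unnoticed; with the strict provider it is logged and the request is denied rather than crashing the application.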