Skip to main content

ACL implementation

Image
By User



First question





Please, could you explain me how simpliest ACL could be implemented in MVC.





Here is the first approach of using Acl in Controller...







<?php

class MyController extends Controller {



  public function myMethod() {        

    //It is just abstract code

    $acl = new Acl();

    $acl->setController('MyController');

    $acl->setMethod('myMethod');

    $acl->getRole();

    if (!$acl->allowed()) die("You're not allowed to do it!");

    ...    

  }



}

?>







It is very bad approach, and it's minus is that we have to add Acl piece of code into each controller's method, but we don't need any additional dependencies!





Next approach is to make all controller's methods private and add ACL code into controller's __call method.







<?php

class MyController extends Controller {



  private function myMethod() {

    ...

  }



  public function __call($name, $params) {

    //It is just abstract code

    $acl = new Acl();

    $acl->setController(__CLASS__);

    $acl->setMethod($name);

    $acl->getRole();

    if (!$acl->allowed()) die("You're not allowed to do it!");

    ...   

  }



}

?>







It is better than previous code, but main minuses are...





  • All controller's methods should be private



  • We have to add ACL code into each controller's __call method.







The next approach is to put Acl code into parent Controller, but we still need to keep all child controller's methods private.





What is the solution? And what is the best practice? Where should I call Acl functions to decide allow or disallow method to be executed.





Second question





Second question is about getting role using Acl. Let's imagine that we have guests, users and user's friends. User have restricted access to viewing his profile that only friends can view it. All guests can't view this user's profile. So, here is the logic..





  • we have to ensure that method being called is profile



  • we have to detect owner of this profile



  • we have to detect is viewer is owner of this profile or no



  • we have to read restriction rules about this profile



  • we have to decide execute or not execute profile method







The main question is about detecting owner of profile. We can detect who is owner of profile only executing model's method $model->getOwner(), but Acl do not have access to model. How can we implement this?





I hope that my thoughts are clear. Sorry for my English.





Thank you.



Source: Tips4all
Labels:

Comments

  1. Tips For AllApril 6, 2012 at 7:33 AM

    One possibility is to wrap all your controllers in another class that extends Controller and have it delegate all the function calls to the wrapped instance after checking for authorization.

    You could also do it more upstream, in the dispatcher (if your application does indeed have one) and lookup the permissions based on the URLs, instead of control methods.

    edit: Whether you need to access a database, a LDAP server, etc. is orthogonal to the question. My point was that you could implement an authorization based on URLs instead of controller methods. These is more robust because you typically won't be changing your URLs (URLs area kind of public interface), but you might as well change the implementations of your controllers.

    Typically, you have one or several configuration files where you map specific URL patterns to specific authentication methods and authorization directives. The dispatcher, before dispatching the request to the controllers, determines if the user is authorized and aborts the dispatching if he's not.

    ReplyDelete

Post a Comment

Popular posts from this blog

Why is this Javascript much *slower* than its jQuery equivalent?

By User
I have a HTML list of about 500 items and a "filter" box above it. I started by using jQuery to filter the list when I typed a letter (timing code added later): $('#filter').keyup( function() { var jqStart = (new Date).getTime(); var search = $(this).val().toLowerCase(); var $list = $('ul.ablist > li'); $list.each( function() { if ( $(this).text().toLowerCase().indexOf(search) === -1 ) $(this).hide(); else $(this).show(); } ); console.log('Time: ' + ((new Date).getTime() - jqStart)); } ); However, there was a couple of seconds delay after typing each letter (particularly the first letter). So I thought it may be slightly quicker if I used plain Javascript (I read recently that jQuery's each function is particularly slow). Here's my JS equivalent: document.getElementById('filter').addEventListener( 'keyup', function () { var jsStart = (new Date).getTime()...
3 comments
Read more

Is it possible to have IF statement in an Echo statement in PHP

By User
Thanks in advance. I did look at the other questions/answers that were similar and didn't find exactly what I was looking for. I'm trying to do this, am I on the right path? echo " <div id='tabs-".$match."'> <textarea id='".$match."' name='".$match."'>". if ($COLUMN_NAME === $match) { echo $FIELD_WITH_COLUMN_NAME; } else { } ."</textarea> <script type='text/javascript'> CKEDITOR.replace( '".$match."' ); </script> </div>"; I am getting the following error message in the browser: Parse error: syntax error, unexpected T_IF Please let me know if this is the right way to go about nesting an IF statement inside an echo. Thank you.
5 comments
Read more