I am new to CakePHP, planning to develop a marketplace website using CakePHP. Four types of users will use this website.
1. Anonymous
2. Administrator
3. Service Provider
4. Service Seeker
Can i use ACL plugin to develop the website. OR should i store these users in different tables and use this technique? CakePHP 2.x Auth with Two Separate Logins
Kinldy guide me which technique to use with it's structure.
Here, ACL will be the best solution. You don't have to manage anything manually. You only have to implement ACL successfully, that's it.
Having separate logins is against KISS and doesn't make much sense in any case. The only difference for example between a frontend and backend login is usually the view. Nothing else. If you have different user types they will still have a single login. Even if their data differs this should be abstracted by having one table that deals with the accounts (users) and another that is associated and contains the data (User hasOne FooProfile, User hasOne BarProfile). The association to the data or profile type table can be done on the fly after login depending on the user type.
ACL is relativly complicated and can become slow. Depending on the requirements I would evaluate role based access as well. I've written an easy to use RBAC adapter for CakePHP. See the test case to get an idea how it works. Basically you just have to define a map for the roles. By default the users table needs a field roleit can contain a single role or a comma separated list of roles. You can even have a table with roles but then need to generate that comma separated list, because thats what the adapter is expecting.
Related
I am quite new to Laravel, but get most of the basics by now.
Currently, I build an application, where multiple companies each get an account that represents their main user, let's call him CompanyAdmin.
This user is allowed to create new users for this company and able to view all quotes from the company.
The newly created users, call them CompanyEmployee, can not create new users and only view the quotes they created themselves, as well as creating new quotes.
Now there is of course one SuperAdmin, which sits on the other side of the table. He views all quotes from all companies, is able to do create users as he pleases and can accept/edit quotes.
My current approach to do this would be to attach a user_id to all quotes and attach the users to a company, as well as giving them a role.
All the logic would take place in the controller, where I would check the role of the user and therefore read/save only the quotes, the user is able to edit.
However, it feels very dirty to do so and sounds like a lot of effort to maintain. If you would e.g. make another role for an employee of the SuperAdmin, you would need to change every controller.
I could not find a way to define the access rights per role per model, so when I call Quotes::all() it only retrieves the legal ones (same goes for saving of course).
Please guide me to a Laravel feature (or even package, but I have not used one before) that helps me get things done.
Looking forward to possible solutions that lead to low maintainance.
Best regards!
For authenticating different types of users and protecting group of routes that particular type can access you can use guards, for authorizing CRUD actions you can use FormRequest, I think you have everything you need under these 2 links, ofcourse you will need to read up on these, this is a good starting point. As for tables, you can have these:
users, roles, companies, user_role, user_company
And models:
User, Role, Company
from the doc
In addition to providing authentication services out of the box,
Laravel also provides a simple way to authorize user actions against a
given resource. Like authentication, Laravel's approach to
authorization is simple, and there are two primary ways of authorizing
actions: gates and policies.
Laravel has 2 concepts called Gates and Policies which we can inject it on models,(specially Gates), So when ever the queries are called upon the Model, the Gates make sure that the user has appropriate permissions.
You can read more here
I'm building a site that has two areas: the main site, and an admin area.
The main site has to have Facebook login functionality (I'm looking at using Sammy K's Laravel Facebook SDK) and the admin area is just going to have a database-based login; basically the Laravel login system.
I'm wondering how to approach this, and whether anyone's done this before. Some design considerations:
Should I have two separate user tables?
Should I use two route filters, one for each auth type?
If I only have one user table, should I use different groups (somehow - I'm not sure they'll built in?) or some indicator to let the system know whether it's a database-based, user/password login, or just a Facebook login?
since you are using facebook SDK,
you don't need a user table to begin with in most cases/projects.
if you indeed want to use two different authentication, then yes, use one for each auth type.
assign different routes for each of the case. don't need to bring all those different entities together and make a sandwich.
I want to provide specified actions for different role in Symfony 1.4 project.
Project contains several database tables which values can be modified only by certain roles.
For example, an administrator gains access to CRUDs for all models.
Another role (let it be a consultant) can only retrieve (not modify or remove) results from specified models (not all).
How can I support such a feature in symfony?
I assume that roles for the project will be specified in advance.
One solution I was thinking about is creating modules and actions for each role separately (crud panels + one logging interface), but it sounds like a huge job.
Just wondering what the smarter way is.
I think the best way to achieve that is definitively credentials (it is for sf1.2 but ok for 1.4).
I recommend you to use sfGuardDoctrine to use some groups with associated permissions (which are credentials). You define a group admin, consultant, etc .. You associate some credentials, like modifiy, remove, create, edit, etc ..
And then, every time a user will log in, it will automatically have defined credentials (associated to him or by his group).
After, you have to check for every action if the user has can perform it:
if($this->getUser()->hasCredential('modify'))
{
// authorized action
}
Here is some more documentation for sfGuard (related to sf1.0 but it is good to understand how it works).
Using Tank Auth for first time along with HMVC. In my application there are 2 type of user one is say student and another is institute.
I created two modules for each user type and separated the tank auth library , both user's registration, login and tables are different from each other.
Now if I try to add any other page which is common to both users like home page, Which library should be used.
I know there must be better solution to handle multiple user problem.
Please let me know where I'm doing wrong. And what should I do to tackle this problem.
You're right, there's a better way to handle this. Duplicating your user / registration system is the wrong way to go.
You'll need to modify TankAuth to include a user type column, and then check for that user type. I'd suggest a new column in the 'users' table for 'user_role':
https://github.com/ilkon/Tank-Auth/blob/master/schema.sql
You could handle the user_type as either an int or enum. I'd lean towards int since enum is harder to change later. You could also add a new table for user_roles but I usually just store these in a config file.
Once the schema is altered, you'll need to add a reference to the new column (along with possible options) in the Tank_Auth code. You'll need to include it in creation, update (data is passed to model from the tank auth controller: controllers/auth.php) and lookup functions. I would add a lookup by user_role as well to the tank_auth model (application / models / tank_auth / users.php):
function get_user_by_role($role)
{
$this->db->where('LOWER(user_role)=', strtolower($role));
$query = $this->db->get($this->table_name);
if ($query->num_rows() == 1) return $query->row();
return NULL;
}
Lastly, you'll want to set the user role to session on login so that you can track the user type (and what content / functionality they have access to).
I've used Tank_Auth myself for several projects.
building on what calvin said, codeigniter does a good job a securing your application, tank auth will verify them, however you need different user levels, this usually falls under permissions. Your job as a developer is to make sure codeigniter does it's security checks via CSRF & XSS( I would suggest you do this in each validaton rule, rather than globally, especially If your admins need to add any tags not allowed suc as "script"). you can see how I personally setup my controllers regardless of my Auth library here...
You need to have a row in your users table called "permissions" which is either a serialized array or json encoded, or you can do a google search on permission bitmasking, which requires an int field
I am creating an web application and I at the point that i am starting to make backend choices. Now there are a lot of ways to go with this, so I am looking for some good points and back practices.
Some of the question i have involve:
Should i make a seperate table in the db for admin users
Should i extend make some classes to load the admin data and the normal data, or make seperate classes for the admin section
Where can i get some information on making different types of users
Just some best practices for a backend
My application is written in PHP with an MySQL database.
Keeping a separate table for admin users is nice, but only if those admin users aren't "regular" users as well - otherwise you'll step on your own toes trying to keep usernames/IDs unique but somewhat connected.
A couple things to consider:
Apache authentication (or Windows accounts on IIS) for admin users. Separate system entirely, but allows for overlap - a regular user can be a regular user, but they can't access any admin functionality until they authenticate through the browser. Works fine if you only have a couple specific kinds of user role (e.g. member & administrator only).
All users in one table, but with roles and permissions separate. This is the most flexible because you can get as granular as you need. For example, any user can "post comments," while an admin can "delete comments" and "ban users," but a moderator can only "suspend comments" and "mute users." As you add new features, it's simply a matter of implementing some new permissions & assigning them to the roles. Drupal's access control does this really well, worth a close look.
A good way to do it is to add a new field in the users table for 'rank' in order to differentiate between regular users and staff members, and possibly between the different staff member levels such as moderator, admin, etc. if you need it. Because an administrator should be able to perform all functions that a user can. Use
class Admin extends User { }
if you want to add additional functionality specific to staff members.
As for backend functions, that depends on how your site is set up. If you're using a framework, you can just add new functions to existing controllers and restrict access only to users with a certain rank.
For example, you might have a controller for ForumPost objects, but calling the ForumPost delete() function would require the user to be a forum moderator.
If you're not using a framework, you'll probably have to make your own pages for each backend function you need.