I am using Phalcon as my framework of choice. I have hit a bit of a road block when it comes to structuring my website. I would like to use ACL to manage permissions to my website. But it seems ACL does not allow my to set permission values for 'parameters'.
Say I am creating a website that has user created 'groups' which only users with the correct permissions (set in the ACL) can view.
It might work something like this: website.com/groups/view/MyGroup
Group being the controller, view being the action and "MyGroup" being the parameter for the action defining which group to view.
I can only set the access permission for the groups controller or view action. Not the parameter.
Ideally, I'd use the database adapter for ACL and I would create a new user group for every group created in my app. I could have hundreds of groups, each with own set of users. I can reuse the 'groups' controller code for every group, because we always use the same controller/actions, except we point to different groups by changing the parameter.
How could I achieve this using Phalcons ACL library ? Maybe I need to structure things differently?
Phalcons ACL is based on 'Resources', in which a Resource can technically be anything you desire, you're not limited to controllers only.
http://docs.phalconphp.com/en/latest/api/Phalcon_Acl.html
Related
I have a project which includes admin and user section. Both section use the same controllers, just different functions and templates (ex: viewAdmin() and viewUser()). In function beforeRender() of every controllers, I set variable $admin as true for admin functions and false for user functions.
For authentication, I use Shibboleth. Shibboleth uses data from LDAP, while user types were saved in SQL-Database, that means while it can check if the login and password are false, it can't check if the user is admin or not. An user can go to ADMIN section as long as they use the right action (ex: go to the link http://example.com/tool/viewAdmin).
To prevent this, I will have to:
Load model Users
Compare the environment variable uid (login name) with the "login" columns in Users table in my SQL-Database
See the "type" column in Users table to know if user is admin or not.
Compare the result with value of $admin and redirect to an error page when necessary.
The problem is: I don't want to repeat those steps for EVERY controllers.
Currently I have 2 ideas:
Write a function in UsersController, and use it in every controllers.
Create a component and load it in every controllers.
Both methods require me changing code in all controllers. I would like to hear a better way with less work, perhaps by changing app.php or bootstrap.php.
Any suggestion is appreciated.
To share methods in CakePHP controllers you can do:
Create component and include in controller
Or create method in AppController and use it in child controllers
Or PHP way create Trait.
But when you authorize users, then all user data is stored in session, incl. is user roles (example admin, regular, member,.. )
Use the official CakePHP authentication plugin and extend the LDAP adapter with the additional code check you need. This is very easy to do and also a very clean way of solving the problem. Disclaimer: I'm one of the authors of the authentication plugin. https://github.com/cakephp/authentication
Or if you want to stay agnostic to any framework, use my library that is based on the authentication plugin and was decoupled from any framework but still works just nice with Cake https://github.com/Phauthentic/authentication.
I have been working on a project using php with laravel for a week now, I just want to make sure I am following the best practices.
I really like the idea of Resource controllers and CRUD, they make sense and I chose to follow this approach. However, should I be using them on a model where different users have different access rights on it?
suppose I have different types of users (user, admin, agent) that have different access rights on the same models. Which of the following approaches is more appropriate for this case?
Create a normal controller for each user type along with its middleware that authorizes the access to this controller. Then add a route to that controller with that middleware.
Create a resource controller for each resource (model), create a route group for each user type containing all routes for this user type from the defined controllers along with a middleware for this route group.
In other words, where both of the following are possible, should controllers definition be based on user type or resources themselves?
Personally I name my controllers based on the resources and then handle the roles/user types via middlewares
Let's begin by saying that my model classes are User and Entries.
I've read the following tutorial: http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html and I see they use an extra model called Group in order assign a role to users.
What is different in using a Group model, instead of a role attribute in User (User.role = 'admin')
What is the difference in adding Group to the ARO instead of adding User to the ARO, and then using an alias.
If I implement ACL, does that means I no longer need admin routing?
PD: I am new to ACL list, I have always authorized actions using a something like if($user['role'] == 'admin').
These are two different ways of handling authentication. If you only have a few controllers and one or two admins, you'll probably be fine with using the User.role method you have now. If you have multiple controllers and various users who should have access to different sections of your site, you should use ACL.
You don't need to create Groups to use ACL, but it makes life a lot easier. Instead of assigning permissions for dozens of different users, you can create two or three groups, set the permissions for those groups, and then assign each user to one of the groups. Then, if you ever need to add a new controller -- or even a new view -- you only have to do that at the group level, instead of for each user. (Take a look at this demo. Now imagine that you have another 10 controllers/50 actions and you have to set those permissions for 20 or 30 users instead of for 4 groups.) Of course, even if you are setting permissions at the Group level, you could always override them at the User level if you need to.
Admin routing is separate from ACL. Routing just controls the URLs you can use to get to pages. (See Cake PHP - Prefix Routing. You can use ACL control without admin routing, and you can use admin routing without ACL control.
I want to provide specified actions for different role in Symfony 1.4 project.
Project contains several database tables which values can be modified only by certain roles.
For example, an administrator gains access to CRUDs for all models.
Another role (let it be a consultant) can only retrieve (not modify or remove) results from specified models (not all).
How can I support such a feature in symfony?
I assume that roles for the project will be specified in advance.
One solution I was thinking about is creating modules and actions for each role separately (crud panels + one logging interface), but it sounds like a huge job.
Just wondering what the smarter way is.
I think the best way to achieve that is definitively credentials (it is for sf1.2 but ok for 1.4).
I recommend you to use sfGuardDoctrine to use some groups with associated permissions (which are credentials). You define a group admin, consultant, etc .. You associate some credentials, like modifiy, remove, create, edit, etc ..
And then, every time a user will log in, it will automatically have defined credentials (associated to him or by his group).
After, you have to check for every action if the user has can perform it:
if($this->getUser()->hasCredential('modify'))
{
// authorized action
}
Here is some more documentation for sfGuard (related to sf1.0 but it is good to understand how it works).
I am trying to create a login system thats generic so that it can be adapted for use in various apps. I decided that 2 main "parts" of the system will be User Meta Data & Roles/Resources/ACL.
1. Metadata
I thought of keeping most data like what meta data are available for users in the database, so that admins can manage them using some GUI.
Problem is how can I then configue how I want inputs to render (textbox, checkbox, radios etc.). Then another problem is validation, filters.
2. ACL
I think for simple ACL it will work fine. But suppose I want say users to be able to modify posts they own. In Zend_ACL that is accomplished with Assertions. I thought that will make a "simple" login system overlly complex? Also it will be hard to build I suppose?
Currently I have my database like
Logging in users: I recommend using a separate controller (call it Auth for instance) that has loginAction and logoutAction. Zend_Auth (Zend_Auth using database) will check the database for the right credentials. Once the user is verified, you will save it in the global accessible place(the Zend_Auth class has methods to do this). This is also a good moment to query which roles the user has and store them.
Metadata part of your application: I'm not sure what the question is exactly but I assume you want to store dynamic information about user and have a GUI for admins to manage this. Why you would render different types of controls? Validating the information can be done by defining a lot of the most common metadata (like Twitter) and create rules for them. In the save action for the metadata you would validate using these rules.
ACL: Resources rarely change, you are better off putting them in a configuration file (for speed). You should give a lot thought to resources: what are they exactly to you? Controllers? Modules? Create a plugin that will preDispatch every request checking the role of the logged in user against the requested resource. E.g.:
$action = $request->getActionName();
$controller = $request->getControllerName();
// role, resource, privilage
if (!$acl->isAllowed($user->role, $controller, $action) {
//go to access denied page!
}
Now that Zend_ACL is used for the global access rules, you are better off checking for specific access inside the action itself (like if ($loggedInUser == $article->author) {//edit the article};).
Also don't forget Zend_ACL can be integrated with Zend_Navigation to hide menu items users are not allowed to use (and more).