I'm new to Symfony. Is my understanding correct that the User class is actually for controlling sessions? But is there built-in login and account creation? I'm not finding it. But if there's an admin backend generator, how can it function without user logins?
Not sure what version of Symfony you're using, but login and account creation are typically incorporated into an application using either the sfGuardPlugin (for Propel) or sfDoctrineGuardPlugin (for Doctrine).
For Symfony v1.2, see Day 13 of the Jobeet tutorial to get started.
The myUser.class.php file is the session controller/storage, yes. You can create your own security module if you wish, but many use the plugins mentioned in nselikoff's answer. They're not perfect but they do a decent job. Whichever ORM you use, you should definitely start with one of these plugins, and extend/improve them if you need to.
Your admin generator modules are not secured by default, no - it is up to you to implement a security layer. As an aside, don't think of admin-generated modules as exclusively for a backend/backoffice purpose, as there may be some reason for a frontend app to require one. Certainly a system you use internally at your company or at home on a local webserver doesn't need a security layer to function.
Changing the security.yml file to secure an app, module or action requires you to specify the login page in your app's settings.yml, but the security plugins will help you configure this.
Apart from what others have said, I find the source code from symfonians very useful; it resolves all these problems: http://symfonians.org/
I am supporting a site built on symfony. There were problems regarding some kind of "admin page".
While not knowing much about the whole thing, by reading the logs and comparing recent backups I think I was able to fix the issue (some developer removed a route, but did not fix a template).
I do not have admin password to the site, but have root access to the server and super access to the database (in this case postgres).
Can you help me how to create myself an account without knowing the current passwords?
Disclaimer: I do not have much knowledge of PHP's OOP interface, as I am not a programmer but a sysadmin.
Edit:
symfony version 1.0.16
Try logging into the server and changing into the Symfony project's root directory. There's probably a "symfony" script/link there (the details depend on your OS and how Symfony's set up; you might be able just to run ./symfony rather than needing php symfony). Run this to see whether the basics are working:
php symfony
If that works, you should get a list of possible tasks you can do. If you're using the sfGuardPlugin, you should see some tasks like guard:create-user.
To get more information on a task, try something like:
php symfony help guard:create-user
But basically, assuming a fairly modern Symfony installation and plugin, try something like:
php symfony guard:create-user --env=prod newusername newpassword
(the --env=prod option creates the user in the production environment, which is probably what you want.)
If there are super-user-only tasks you want to do, try also doing this:
php symfony guard:promote newusername
That will give the new user super-admin privileges.
You'll probably also find a guard:change-password task which will simply reset the password for a given user.
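If the CLI tasks are not available on that installation, or the project does not boot from the shell at all, the database superuser access you have is enough. The following is an added example (PHP 7+), not code from this answer or from sfGuardPlugin: it builds a credential pair in the plugin's default format and prints the INSERT for it. It assumes the default scheme, password = sha1(salt . plaintext) with the salt stored next to it, and the sf_guard_user column names shown below; check both against the plugin's user model class and the output of "\d sf_guard_user" in psql before running the SQL. The is_super_admin flag is the same one the guard:promote task above sets.

```php
<?php
// Added example (not from sfGuardPlugin or the answers above): generate a credential
// pair in sfGuardPlugin's default format and print the INSERT for it.
// Assumptions to verify on the server: password column = sha1(salt . plaintext),
// and the sf_guard_user columns named below exist (compare with "\d sf_guard_user").

function sfguard_make_credentials(string $plaintext, string $algorithm = 'sha1'): array
{
    // sfGuard stores a 32-character salt; 16 random bytes in hex gives the same length.
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'password' => hash($algorithm, $salt . $plaintext)];
}

// Mirrors the check the plugin performs at login. Run it against an existing row
// (salt and password columns) to confirm the scheme before inserting a new user.
function sfguard_verify(string $plaintext, string $salt, string $stored, string $algorithm = 'sha1'): bool
{
    return hash_equals($stored, hash($algorithm, $salt . $plaintext));
}

function sfguard_insert_sql(string $username, array $cred): string
{
    // The username is the only caller-supplied string that reaches the SQL text
    // (salt and hash are hex), so restrict it to a safe character set instead of escaping.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,128}$/', $username)) {
        throw new InvalidArgumentException('username contains characters outside the allowed set');
    }
    // Boolean literals and now() as used here are PostgreSQL syntax.
    return sprintf(
        "INSERT INTO sf_guard_user (username, salt, password, is_active, is_super_admin, created_at)\n"
        . "VALUES ('%s', '%s', '%s', true, true, now());",
        $username, $cred['salt'], $cred['password']
    );
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $cred = sfguard_make_credentials($argv[2]);
    echo sfguard_insert_sql($argv[1], $cred), PHP_EOL;
}
```

Run it as php make_user.php rescueadmin 'a long passphrase' and pipe the output into psql for the site's database. Once the real administrators have access again, delete the rescue account or change its password through the application rather than leaving a superuser whose password sits in your shell history.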
I ended up editing the file named:
plugins/sfGuardPlugin/lib/validator/sfGuardUserValidator.class.php
this is where the authentication takes place.
I added a few lines to bypass the actual password check for an already created user.
I am currently exploring Zend_Auth, part of Zend Framework, but am disappointed with the lack of more advanced features such as nonces, authentication tokens, lock-out, etc. In one of my recent projects, I implemented an authentication and ACL (Access Control List) scheme that has the following features:
Salted hashes
Automatic IP address lockout
Nonces (several types)
Authentication tokens (which persist for the entire session)
It would be great if I could abstract this functionality and make a reusable authentication class, but I was curious about whether a feature-rich authentication module already existed, so I could save myself the work. If not, I will most definitely do that.
I suppose my question is this: What (database-based) authentication module/scheme are you currently using, and are you happy with its features? Specifically, is anyone using one that supports the features I listed above?
I look forward to your responses.
Funny thing, I was going to answer "Zend Framework!" when I saw this question. I guess that you are already using that.
I've done a lot of what you are doing using ZF as well. True that it is not all made for you, but the parts are there. Honestly, if it was already put together, it would not be flexible and not apply to many use cases. I'd rather make it suit the app I'm building, rather than build my app around it. You can make your code into library and include that with your other ZF apps.
I'd be interested in other options as well though.
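The four features listed in the question, as an added example (PHP 7.4+) that is neither Zend Framework code nor the poster's implementation: bcrypt hashes via password_hash(), which embed a per-user salt; a per-IP failure counter with lockout; single-use, time-limited nonces; and a random token bound to the login. Arrays stand in for the database so the script runs on its own, and every class, method and sample name is this example's own.

```php
<?php
// Added example, not Zend Framework or the poster's code: a storage-agnostic
// authenticator with salted hashes, IP lockout, nonces and session auth tokens.
// Arrays stand in for the database; names are this example's own.

final class AuthService
{
    private array $users = [];     // username => bcrypt hash (salt embedded in the string)
    private array $failures = [];  // ip => ['count' => int, 'until' => unix timestamp]
    private array $nonces = [];    // nonce => expiry timestamp
    private array $tokens = [];    // token => username
    private string $dummyHash;     // verified against when the user is unknown
    private int $maxFailures;
    private int $lockoutSeconds;

    public function __construct(int $maxFailures = 5, int $lockoutSeconds = 900)
    {
        $this->maxFailures = $maxFailures;
        $this->lockoutSeconds = $lockoutSeconds;
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);
    }

    public function register(string $user, string $password): void
    {
        // password_hash() draws a random salt per user and stores it inside the hash string.
        $this->users[$user] = password_hash($password, PASSWORD_BCRYPT);
    }

    public function isLockedOut(string $ip, int $now): bool
    {
        return isset($this->failures[$ip]) && $this->failures[$ip]['until'] > $now;
    }

    // Returns a session-bound auth token on success, null on failure or lockout.
    public function login(string $user, string $password, string $ip, int $now): ?string
    {
        if ($this->isLockedOut($ip, $now)) {
            return null;
        }
        // Always run one bcrypt verification, so an unknown username costs the same
        // time as a wrong password and does not reveal which usernames exist.
        $hash = $this->users[$user] ?? $this->dummyHash;
        $ok = password_verify($password, $hash) && isset($this->users[$user]);
        if (!$ok) {
            $f = $this->failures[$ip] ?? ['count' => 0, 'until' => 0];
            $f['count']++;
            if ($f['count'] >= $this->maxFailures) {
                $f = ['count' => 0, 'until' => $now + $this->lockoutSeconds];
            }
            $this->failures[$ip] = $f;
            return null;
        }
        unset($this->failures[$ip]);
        $token = bin2hex(random_bytes(32));
        $this->tokens[$token] = $user;
        return $token;
    }

    public function userForToken(string $token): ?string
    {
        return $this->tokens[$token] ?? null;
    }

    public function logout(string $token): void
    {
        unset($this->tokens[$token]);
    }

    // Single-use, time-limited nonce for forms (CSRF) or one-shot links.
    public function issueNonce(int $now, int $ttl = 600): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->nonces[$nonce] = $now + $ttl;
        return $nonce;
    }

    public function consumeNonce(string $nonce, int $now): bool
    {
        if (!isset($this->nonces[$nonce])) {
            return false;
        }
        $valid = $this->nonces[$nonce] >= $now;
        unset($this->nonces[$nonce]);  // burned on first presentation, valid or not
        return $valid;
    }
}

// Demonstration with constructed input: three bad passwords from one address trip the
// lockout, the lockout expires, a nonce is accepted once and refused the second time.
$auth = new AuthService(3, 900);
$auth->register('alice', 'correct horse battery staple');
$now = 1000000;
for ($i = 0; $i < 3; $i++) {
    $auth->login('alice', 'wrong', '203.0.113.7', $now);
}
var_dump($auth->isLockedOut('203.0.113.7', $now));
var_dump($auth->login('alice', 'correct horse battery staple', '203.0.113.7', $now + 901) !== null);
$nonce = $auth->issueNonce($now);
var_dump($auth->consumeNonce($nonce, $now + 1), $auth->consumeNonce($nonce, $now + 1));
```

Two details worth keeping when porting this onto a real store: the lockout is keyed on the client address, so it must be driven by the address the reverse proxy reports, not a spoofable header; and the dummy-hash verification is what keeps login timing independent of whether the username exists.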
I have to develop frontend/backend application using cakephp.
Can you give me advice on how I should develop them using the same CakePHP library?
Or do I have to develop them using separate CakePHP libraries?
I am confused - cakePHP would be used to implement both.
PHP would be used to implement the server-side backend. The same "project" would also contain HTML, JS, CSS, etc that will be used to render the front-end within the browser. Any PHP "views" will also execute code on the back-end, although any HTML output will be rendered on the frontend.
Does that help at all? Or am I missing something?
If by frontend/backend, you mean an application with a user interface (frontend) and an administration interface (backend), then you want to refer to the Prefix Routing section of the manual. This will allow you to have separate flow and interfaces (controller/view) for each type of user while sharing the same data (models).
If by frontend/backend, you mean an application (frontend) that communicates with another server application (backend) using web services, then you want to look at the Additional Class Paths section of the manual. This will allow you to share common classes with two (or more) separate applications.
Note: the above links are for CakePHP 3.x, though these features have existed in one form or another since v1.2.
Not quite sure if I understood you correct, but if I did:
You can set up multiple projects using the same cake-core files. The core files don't even need to be placed in the webroot folder.
http://book.cakephp.org/view/35/Advanced-Installation
For your own sanity, you should regard the backend management as part of the same project as the frontend.
The systems I have built generally use view-type methods for the public view and crud-type methods for the admin view. How you lock down the admin is your choice. Personally I don't like the default admin prefix way. I use login and ACL - Mark Story's tutorial on http://book.cakephp.org/ is superb. With that you can password protect methods.
CakePHP is very flexible and extensible and you can make the administration as simple or as flexible as you like.
I know questions like this have been asked numerous times, but not quite this one. Forgive me if I overlooked an obvious duplicate.
In the core of many of my web applications is a self-written user/session management class that in its origins dates back to 2002.
I have decided that it is time for a fundamental re-write or, preferably, the introduction of a ready-made standard library.
My requirements for that library would be:
Object oriented, clean, excellent code
Full session management: Wrapper to session_start() and consorts
Would ideally provide various storage methods (PHP Standard /tmp, database based)
Would ideally be able to connect to different types of user data storage, but mySQL will do fine
Would ideally provide convenient functions for supporting OpenID, but that's a fancy thought, no requirement right now
Methods: Verify session, get user data, get session data, log in user, log out user
Settings: Session lifetime, password encryption
Must be Open Source
And if it's very generic, a user management API or a generic connector to the user management of the surrounding application would be nice:
Create/Update/delete user records
Fetch and modify data of currently logged in user
This is so basic, and so security relevant, that I would expect that there is a standard solution to this; however I don't know of any, and all the big CMSs and blogs seem to be rolling their own.
My two questions:
Do you know such a component as a generic, stand-alone library?
Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running in to trouble?
May I suggest the authentication library that I have written? It is a generic library (not written for or part of a framework): http://ulogin.sourceforge.net
Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running in to trouble?
I don't have deep knowledge of the Zend Framework, but I have used various components (e.g. Zend_Search) without creating a Zend_Application object or using the MVC framework, and I am sure the rest of the library is also designed to be totally modular. Last time I dug through the Zend_Session code, I didn't find any includes outside Zend/Session/. A quick google seemed to confirm this for Zend_Auth, along with the Zend FAQ which states:
Is ZF a component library or a framework?
Simple answer: both. Zend Framework provides all the components required for most web applications in a single distribution. But Zend Framework components are also loosely coupled, making it easy to use just a few components in a web application- even alongside other frameworks! Using this use-at-will architecture, we are implementing features commonly found in more monolithic frameworks. In fact, we are currently working on a tooling component for the 1.8 release that will make it simpler to build applications using ZF components, yet will not sacrifice the use-at-will nature of existing ZF components. It's a testament to the use-at-will architecture of Zend Framework that the tooling component itself can be used standalone.
The only thing I had to do when using Zend_Search without the MVC framework was add the directory where you installed the Zend Framework to the include path, due to the includes in the Zend library. The documentation doesn't document the includes you need when not using the Zend Autoloader, but as everything uses the PEAR class naming scheme, it is easy to deduce from the class names you are using (so the class Foo_Bar_File would require you to include Foo/Bar/File.php).
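The session-management requirements in the question (a wrapper around session_start(), a database storage backend, a lifetime setting, log in / log out / get current user) can be met without a framework at all, because PHP's session machinery accepts a custom store. The following is an added example (PHP 7.4+), not ulogin or Zend_Session code: a PDO/SQLite-backed session handler and a thin manager on top of it. SQLite is used so the script runs stand-alone ("REPLACE INTO" is SQLite/MySQL syntax; adjust for other databases), and all class, table and method names are this example's own.

```php
<?php
// Added example, not ulogin or Zend_Session code: a database-backed session store
// plugged into PHP's own session machinery, plus a small login/logout wrapper.
// Names, table layout and SQL dialect (SQLite via PDO) are this example's own.

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $lifetime;

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : '';   // an expired row behaves as if absent
    }

    public function write($id, $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    #[\ReturnTypeWillChange]   // gc() returns int|false on PHP 8.1+; the attribute is a comment on PHP 7
    public function gc($maxLifetime)
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // Used by session.use_strict_mode: an id the store never issued is rejected, which is
    // what stops a session-fixation attack from planting an id of its own choosing.
    public function validateId($id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        return (bool) $st->fetchColumn();
    }

    public function updateTimestamp($id, $data): bool { return $this->write($id, $data); }
}

final class SessionManager
{
    public static function start(SessionHandlerInterface $handler, int $lifetime): void
    {
        ini_set('session.use_strict_mode', '1');
        session_set_save_handler($handler, true);
        session_set_cookie_params([
            'lifetime' => $lifetime, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax',
        ]);
        session_start();
    }

    public static function login(int $userId): void
    {
        session_regenerate_id(true);  // fresh id at the privilege change, old row deleted
        $_SESSION['user_id'] = $userId;
        $_SESSION['login_at'] = time();
    }

    public static function currentUserId(): ?int { return $_SESSION['user_id'] ?? null; }

    public static function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }
}

// Exercise the store directly (no HTTP context needed): write, validate, read, destroy.
$handler = new PdoSessionHandler(new PDO('sqlite::memory:'), 1800);
$handler->write('s1', 'user_id|i:42;');
var_dump($handler->validateId('s1'), $handler->read('s1'));
$handler->destroy('s1');
var_dump($handler->validateId('s1'), $handler->read('s1'));
```

In a web request the only call the application makes is SessionManager::start($handler, 1800) before touching $_SESSION; the lifetime is then enforced twice, by the cookie expiry in the browser and by the expires column on the server, and the server-side check is the one that counts.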
There are several OpenID libraries available.
http://wiki.openid.net/Libraries#php
For the rest you might as well roll your own, since figuring out someone else's library would probably be more trouble than it's worth.
My understanding is that there is no standard library because there is no standard definition of what a user is.
In some of my applications, users simply log in to do stuff. In others, users are part of a company and their permissions and data access are limited by the limits of that company and the subscription level paid for by the company. In other applications, some users are admins with access to everything, some users are admins with access to some data (row level), and other users are the clients of those admins, with access only to their own data. Some users are tied to firms/companies/customers, other users are not. Some users are just a username and password, others are a large object graph with clients, order histories, report preferences, comments, etc.
Maybe I'm wrong and there's some clean way of abstracting all of those requirements into a system that doesn't require five layers of subclassing and a thousand DB hits to log someone in. I haven't found it though.
Is there any open-source, PHP based, role-based access control system that can be used for CodeIgniter?
Maybe I'm misunderstanding the question, but isn't the whole point of Role-Based Access Control (RBAC) to avoid Access Control Lists (ACLs)?
RBAC differs from access control lists (ACLs) (...) in that it assigns permissions to specific operations with meaning in the organization, rather than to low-level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not say in what ways that file could be changed. In an RBAC-based system, an operation might be to create a 'credit account' transaction in a financial application (...). The assignment of permission to perform a particular operation is meaningful because the operations are fine-grained and themselves have meaning within the application.
(Quote: Wikipedia)
I don't know the specifics on Zend_ACL or the other implementations mentioned, but if they are ACL-based, I would not recommend using them for role-based authorization.
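The distinction drawn in the quote, permissions attached to named operations and inherited through a role hierarchy rather than to individual objects, in code: an added example (PHP 7.4+) that is none of the libraries mentioned in this thread. Role, operation and user names are constructed for the demonstration.

```php
<?php
// Added example (not Zend_ACL, phpgacl or any other library named on this page):
// a small hierarchical RBAC. Permissions are named operations granted to roles,
// roles inherit from parent roles, users hold roles. Nothing here names a row
// or a file, which is the distinction the answer above draws against ACLs.

final class Rbac
{
    private array $parents = [];     // role => list of parent roles
    private array $grants = [];      // role => [operation => true]
    private array $assignments = []; // user => [role => true]

    public function addRole(string $role, array $parents = []): void
    {
        foreach ($parents as $p) {
            if (!isset($this->parents[$p])) {
                throw new InvalidArgumentException("unknown parent role $p");
            }
        }
        $this->parents[$role] = $parents;
    }

    public function allow(string $role, string $operation): void
    {
        if (!isset($this->parents[$role])) {
            throw new InvalidArgumentException("unknown role $role");
        }
        $this->grants[$role][$operation] = true;
    }

    public function assign(string $user, string $role): void
    {
        if (!isset($this->parents[$role])) {
            throw new InvalidArgumentException("unknown role $role");
        }
        $this->assignments[$user][$role] = true;
    }

    // Deny by default: true only if a role the user holds, or an ancestor of it,
    // has been granted the operation.
    public function can(string $user, string $operation): bool
    {
        foreach (array_keys($this->assignments[$user] ?? []) as $role) {
            if ($this->roleHas($role, $operation)) {
                return true;
            }
        }
        return false;
    }

    private function roleHas(string $role, string $operation): bool
    {
        // Breadth-first walk up the hierarchy; $seen guards against accidental cycles.
        $queue = [$role];
        $seen = [];
        while ($queue) {
            $r = array_shift($queue);
            if (isset($seen[$r])) {
                continue;
            }
            $seen[$r] = true;
            if (isset($this->grants[$r][$operation])) {
                return true;
            }
            foreach ($this->parents[$r] ?? [] as $p) {
                $queue[] = $p;
            }
        }
        return false;
    }
}

// Constructed hierarchy: admin inherits editor, editor inherits member, member inherits guest.
$rbac = new Rbac();
$rbac->addRole('guest');
$rbac->addRole('member', ['guest']);
$rbac->addRole('editor', ['member']);
$rbac->addRole('admin', ['editor']);
$rbac->allow('guest', 'post:read');
$rbac->allow('member', 'comment:create');
$rbac->allow('editor', 'post:publish');
$rbac->allow('admin', 'user:ban');
$rbac->assign('bob', 'editor');

// The question asked is "may bob publish?", not "does bob have write on row 17".
// Ownership rules for a particular object, if needed, are a separate check layered on top.
foreach (['post:read', 'comment:create', 'post:publish', 'user:ban'] as $op) {
    printf("%-15s %s\n", $op, $rbac->can('bob', $op) ? 'allowed' : 'denied');
}
```

Persisting this is a matter of three tables (roles with parent links, grants, assignments); the check itself stays in memory and is cheap enough to run on every request, which is the property you lose when authorization is spread over per-object entries.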
Brandon Savage gave a presentation on his PHP package "ApplicationACL" that may or may not accomplish role-based access. PHPGACL might work as well, but I can't tell you for sure.
What I can tell you, however, is that the Zend_ACL component of the Zend Framework will do role-based setups (however, you'll have to subclass to check multiple roles at once). Granted, the pain of this is that you'll have to pull Zend_ACL out of the monolithic download (or SVN checkout); I do not believe it has any external dependencies.
The nice thing about Zend_ACL, though, is that it's storage agnostic. You can either rebuild it every time or it's designed to be serialized (I use a combination of both: serialize for the cache and rebuild from the DB).
I created an Open Source project called PHP-Bouncer which may be of interest to you. It's still fairly young, but works well and is easy to configure. I ended up developing it because none of the existing solutions seemed to meet my needs. I hope this helps!
phpgacl http://phpgacl.sourceforge.net/ is a generic acl based access control framework
While I don't know about any CI-specific implementation, I know that you only need the main class file to make phpgacl work. So I believe that integration with CI won't be any problem. (I've worked with CI only in passing.)
Here are two RBAC libraries for PHP I found:
https://github.com/leighmacdonald/php_rbac
https://github.com/brandonlamb/php-rbac
I actually used the first one in PolyAuth: https://github.com/Polycademy/PolyAuth/
It's a full featured auth library that includes NIST level 1 RBAC. And yes, RBAC is not the same as an ACL. I use Codeigniter as well, all you have to do is use the PDO driver and pass in the connection id. See this tutorial for how to do that: http://codebyjeff.com/blog/2013/03/codeigniter-with-pdo
Found out about Khaos ACL, which is a CI library. I'm also checking out phpgacl and how to use it for CI. Haven't checked Zend ACL yet, but maybe it can be "ported" to CI.
Try the DX_Auth plugin for CodeIgniter. I am working on something similar (rather, a superset) to the functions that DX_Auth has. My set of CI add-ons includes display of menus (that can be controlled via CSS), role-based access control before the controller is invoked, and other features. I hope to publish it soon. I will give the project URL when I do so.
RBAC != ACL - Roland has the only correct answer for this question.
BTW, of course it is an essential part of a framework to implement any kind of permission system; at least there is no point in using a framework if it does not give you a well-engineered RBAC system. It might be better to use a simple template system with any ORM layer then.
It is a common antipattern in the PHP world that frameworks like Ruby or Django are "cloned" only as a subset of what these modern frameworks deliver. As a typical syndrome you see a lack of good ACL or RBAC integration into these frameworks, which essentially is a joke.
There is currently only the Yii PHP Framework that comes with a decent RBAC implementation.
I know the trail is cold, but a new project has popped up :
PHP-RBAC is a PHP Hierarchical NIST Level 2 Standard Role Based Access Control and is pretty mature. It is also an OWASP project.
I hope you enjoy it at http://phprbac.net
http://www.jframework.info (dead link)
jFramework has a standard NIST level 2 RBAC with enhancements, which is said to be the fastest available (includes benchmarks). It can operate on a single SQLite database file and is tested thoroughly; it works like a glove.
It has a dependency on the jFramework DBAL, but you can simply replace the DBAL SQL queries in the code with your desired DBAL, and of course you can use jFramework in an SOP manner.
Ion Auth Library uses users and groups - https://github.com/benedmunds/CodeIgniter-Ion-Auth
but there is no working RBAC system to use and manage them. But you can write your own functions.