Is there any open-source, PHP based, role-based access control system that can be used for CodeIgniter?
Maybe I'm misunderstanding the question, but isn't the whole point of Role-Based Access Control (RBAC) to avoid Access Control Lists (ACLs)?
RBAC differs from access control lists (ACLs) (...) in that it assigns permissions to specific operations with meaning in the organization, rather than to low-level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not say in what ways that file could be changed. In an RBAC-based system, an operation might be to create a 'credit account' transaction in a financial application (...). The assignment of permission to perform a particular operation is meaningful because the operations are fine-grained and themselves have meaning within the application.
(Quote: Wikipedia)
I don't know the specifics on Zend_ACL or the other implementations mentioned, but if they are ACL-based, I would not recommend using them for role-based authorization.
Brandon Savage gave a presentation on his PHP package "ApplicationACL" that may or may not accomplish role-based access. PHPGACL might work as well, but I can't tell you for sure.
What I can tell you, however, is the Zend_ACL component of the Zend Framework will do role-based setups (however you'll have to subclass to check multiple roles at once). Granted the pain of this is you'll have to pull out Zend_ACL, I do not believe it has any external dependencies, from the monolithic download (or SVN checkout).
The nice thing about Zend_ACL is though its storage agnostic. You can either rebuild it every time or it's designed to be serialized (I use a combination of both, serialize for the cache and rebuild from the DB).
I created an Open Source project called PHP-Bouncer which may be of interest to you. It's still fairly young, but works well and is easy to configure. I ended up developing it because none of the existing solutions seemed to meet my needs. I hope this helps!
phpgacl http://phpgacl.sourceforge.net/ is a generic acl based access control framework
while I don't know about any CI specific implementation, i know that you only need the main class file to make phpgacl work. So i belive that integration with CI won't be any problem. (I've work passingly with CI)
Here are two RBAC libraries for PHP I found:
https://github.com/leighmacdonald/php_rbac
https://github.com/brandonlamb/php-rbac
I actually used the first one in PolyAuth: https://github.com/Polycademy/PolyAuth/
It's a full featured auth library that includes NIST level 1 RBAC. And yes, RBAC is not the same as an ACL. I use Codeigniter as well, all you have to do is use the PDO driver and pass in the connection id. See this tutorial for how to do that: http://codebyjeff.com/blog/2013/03/codeigniter-with-pdo
Found out about Khaos ACL which is a CI library... I'm also checking out phpgacl and how to use it for CI... Have'nt checked Zend ACL yet. But maybe it can be "ported" to CI
Try DX_Auth plugin for CodeIgniter. I am working on a similar (rather, superset) of the functions that DX_Auth have. My set of CI addon's include display of menus (that can be controlled via CSS), Role-bases access controll before controller is invoked and other features. I hope to publish it soon. Will give project URL when I do so
RBAC != ACL - Roland has the only correct answer for this question.
BTW of course it is an essential part of a framework to implement any kind of permission system - at least there is no point in using a framework, if it does not give you a well engeneered RBAC system - it might be better using a simple template system with any ORM layer then.
It is a common antipattern in the php world, that frameworks like Ruby or Django are "cloned" only as a subset of what these modern frameworks deliver - as a typical syndrome yuo see a lack of good ACL or RBAC integration into these frameworks - what essentially is a joke.
There is currently only the Yii PHP Framework that comes with a decent RBAC implementation.
I know the trail is cold, but a new project has popped up :
PHP-RBAC is a PHP Hierarchical NIST Level 2 Standard Role Based Access Control and is pretty mature. It is also an OWASP project.
I hope you enjoy it at http://phprbac.net
http://www.jframework.info (deadlink)
jFramework has a standard NIST level 2 RBAC with enhancements which is said to be the fastest available (includes benchmarks) it can operate on a single SQLite database file and is tested thoroughly, works like a glove.
Has a dependency on jFramework DBAL but you can simple replace DBAL SQL Queries in the code with your desired DBAL and of course you can use jFramework in a SOP manner.
Ion Auth Library uses users and groups - https://github.com/benedmunds/CodeIgniter-Ion-Auth
but there are no working RBAC system to use them and manage. But you can white your functions.
Related
Is it possible to use Laravel alongside another php application not built with a framework just for the login/authentication system?
Looking at other posts, I realize that's not the point of php frameworks, but my thought was for maximum security, using a framework would be best.
It's entirely feasible, yes. Especially if said application was properly classed and namespaced.
If it's not classed / namespaced, that rules out simply including it in Laravel. That'd likely be way more headache than it's worth.
In terms of security, there are a lot of routes you can go. In fact, there are authentication websites that take user information completely off of your hands. It may be worth looking into them.
The easiest solution would be to either find a class or library that is dedicated to authentication, and simply include it in your application (example here: http://ulogin.sourceforge.net/ or simply search for PHP Authentication Library). They're framework agnostic, and will be very simple to integrate into your project.
The bottom line is, you probably want something that's agnostic to frameworks / coding architectures. That'll be the easiest to integrate into a custom project.
I am currently exploring Zend_Auth, part of Zend Framework, but am dissapointed with the lack of more advanced features such as nonces, authentication tokens, lock-out, etc. In one of my recent projects, I implemented an authentication and ACL (Access Control List) scheme that has the following features:
Salted hashes
Automatic IP address lockout
Nonces (several types)
Authentication tokens (which persist for the entire session)
It would be great if I could abstract this functionality and make a reusable authentication class, but I was curious about whether a feature-rich authentication module already existed, so I could save myself the work. If not, I will most definitely do that.
I suppose my questions is this: What (database-based) authentication module/scheme are you currently using, and are you happy with its features? Specifically, is anyone using one that supports the features I listed above?
I look forward to your responses.
Funny thing, I was going to answer "Zend Framework!" when I saw this question. I guess that you are already using that.
I've done a lot of what you are doing using ZF as well. True that it is not all made for you, but the parts are there. Honestly, if it was already put together, it would not be flexible and not apply to many use cases. I'd rather make it suit the app I'm building, rather than build my app around it. You can make your code into library and include that with your other ZF apps.
I'd be interested in other options as well though.
I'm new to Symfony. Is my understanding correct that the User class is actually for controlling sessions? But is there built-in login and account creation? I'm not finding it. But if there's an admin backend generator, how can it function without user logins?
Not sure what version of Symfony you're using, but login and account creation is typically incorporated into an application using either the sfGuardPlugin (for Propel) or sfDoctrineGuardPlugin (for Doctrine).
For Symfony v1.2, see Day 13 of the Jobeet tutorial to get started.
The myUser.class.php file is the session controller/storage, yes. You can create your own security module if you wish, but many use the plugins mentioned in nselikoff's answer. They're not perfect but they do a decent job. Whichever ORM use, you should definitely start with one of these plugins, and extend/improve them if you need too.
Your admin generator modules are not secured by default, no - it is up to you to implement a security layer. As an aside, don't think of admin-generated modules as exclusively for a backend/backoffice purpose, as there may be some reason for a frontend app to require one. Certainly a system you use internally at your company or at home on a local webserver doesn't need a security layer to function.
Changing the security.yml file to secure an app, module or action requires you to specify the login page in your app's settings.yml, but the security plugins will help you configure this.
Apart from what others have said, I find very useful the source code from symfonians, that resolves all these problems: http://symfonians.org/
Quite simply, it of course makes good sense to group parts of an application into appropriate modules.
Commonly, keeping these modules decoupled is not an issue, however it often arrises that data from the a user management module is required by other components.
It is substantially less than ideal by normal principles that these client modules would have knowledge of the user module's internal classes etc, which brings me to the question of how this cross-module communication is best architected.
My thoughts thus far are that a module could have a conventionally-named API class via which other modules could 'query' the module. This approach will still lead to a certain dependency, but at least only on the other module/its API.
Your thoughts on this would be greatly welcomed.
Thanks in advance,
James
You could call the user module a "library". This terminology change can help clarify which modules are supposed to be top-level, and which ones manage lower-level activities that are intended to be used by multiple other modules. The CodeIgniter PHP framework uses this approach.
Well, "module" is extremely vague - exactly what defines a module can vary greatly from system to system.
I'm actually confused by exactly what type of scenario you're trying to avoid. It's not uncommon at all for two classes or groups of classes to communicate with eachother. That's why we have stuff like interfaces in the first place.
I guess in your scenario you could have a controller-like class (as in the C from MVC) in between your modules that would know the guts of each and could serve as a communication bridge.
You might want to read up on "dependency injection". Symfony Components offers a solution for Dependency Injection and has lots of good reading/examples on the subject.
I know questions like this have been asked numerous times, but not quite this one. Forgive me if I overlooked an obvious duplicate.
In the core of many of my web applications is a self-written user/session management class that in its origins dates back to 2002.
I have decided that it is time for a fundamental re-write or, preferably, the introduction of a ready-made standard library.
My requirements for that library would be:
Object oriented, clean, excellent code
Full session management: Wrapper to session_start() and consorts
Would ideally provide various storage methods (PHP Standard /tmp, database based)
Would ideally be able to connect to different types of user data storage, but mySQL will do fine
Would ideally provide convenient functions for supporting OpenID, but that's a fancy thought, no requirement right now
Methods: Verify session, get user data, get session data, log in user, log out user
Settings: Session lifetime, password encryption
Must be Open Source
And if it's very generic, a user management API or a generic connector to the user management of the surrounding application would be nice:
Create/Update/delete user records
Fetch and modify data of currently logged in user
this is so basic, and so security relevant, that I would expect that there is a standard solution to this, however I don't know of any, and all the big CMSs and blogs seem to be rolling their own.
My two questions:
Do you know such a component as a generic, stand-alone library?
Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running in to trouble?
May I suggest the authentication library that I have written? It is a generic library (not written for or part of a framework): http://ulogin.sourceforge.net
Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running in to trouble?
I don't have deep knowledge of the Zend Framework, but I have used various components (e.g. Zend_Search) without creating a Zend_Application object or using the MVC framework and I am sure the rest of the library is also designed to be totally modular. Last time I dug though the Zend_Session code, I didn't find any includes outside Zend/Session/. A quick google seemed to confirm this for Zend_Auth, along with the Zend FAQ which states:
Is ZF a component library or a framework?
Simple answer: both. Zend Framework provides all the components required for most web applications in a single distribution. But Zend Framework components are also loosely coupled, making it easy to use just a few components in a web application- even alongside other frameworks! Using this use-at-will architecture, we are implementing features commonly found in more monolithic frameworks. In fact, we are currently working on a tooling component for the 1.8 release that will make it simpler to build applications using ZF components, yet will not sacrifice the use-at-will nature of existing ZF components. It's a testament to the use-at-will architecture of Zend Framework that the tooling component itself can be used standalone.
The only thing I had to do when not using Zend_Search with the MVC framework was add the directory where you installed the Zend Framework to the include path due to the includes in the Zend library. The documentation doesn't document the includes you need when not using the Zend Autoloader, but as everything uses the PEAR class naming scheme, it is easy to deduce from the class names you are using. (so the class Foo_Bar_File would require you to include Foo/Bar/File.php )
There are several OpenID libraries available.
http://wiki.openid.net/Libraries#php
For the rest you might as well roll your own, since figuring out someone else's library would probably be more trouble than it's worth.
My understanding is that there is no standard library because there is no standard definition of what a user is.
In some of my applications, users simply log in to do stuff. In others, users are part of a company and their permissions and data access are limited by the limits of that company and the subscription level paid for by the company. In other applications, some users are admins with access to everything, some users are admins with access to some data (row level), and other users are the clients of those admins, with access only to their own data. Some users are tied to firms/companies/customers, other users are not. Some users are just a username and password, others are a large object graph with clients, order histories, report preferences, comments, etc.
Maybe I'm wrong and there's some clean way of abstracting all of those requirements into a system that doesn't require five layers of subclassing and a thousand DB hits to log someone in. I haven't found it though.