
implementing access control

Posted: Wed Dec 16, 2009 8:11 pm
by daedalus__
hey i was just wondering what you guys are doing to implement access control. i was kind of having an idea because of the thread that onion posted where you could base36 (or hash i guess :drunk: ) all pages or all applicable pages then assign permissions based on this list.

i was also kind of having ideas about groups or something. should groups be related? parents, children? grand uncles? should there be or be room for a hierarchy or should i use something more like a partially ordered list?

thoughts? insults? anything?

Re: implementing access control

Posted: Wed Dec 16, 2009 9:17 pm
by daedalus__
hey this article is kind of neat though

http://www.tonymarston.net/php-mysql/ro ... ntrol.html

Re: implementing access control

Posted: Wed Dec 16, 2009 9:19 pm
by s.dot
Well, this is actually a very interesting topic.

I currently do something that is probably not very widely done when people create controls. I assume you are talking about something like an administrator section although I suppose it could apply to a user section as well.

I group the tasks, e.g. site management, emailing, user management, etc.

Then I create an admins class and allow access like so:

if ($admins->isSiteAdmin())
{
   //allow access
} else
{
   //deny access
}
This class would have all of the grouped methods such as isSiteAdmin(), isEmailAdmin(), isUserAdmin() - with the database having 1/0 flags for the administrator's permissions.

Of course, I also add in the ability to specify certain pages that can be accessed/restricted even if an admin is in or not in the specified group.

May seem sort of weird.. but it has worked for me well.

Re: implementing access control

Posted: Wed Dec 16, 2009 9:43 pm
by daedalus__
i agree, it is. there are a lot of options even when trying to keep it simple.

that would be an implementation of group based access control wouldn't it?

i am talking about an administration section i guess but it's more like... access control. not really who can access the administration section of the site because it won't really be like a separate entity. but there will be editors who are allowed to edit important or major sections of the site. like artist/album/song descriptions, reviews, front page blogs. but then there will also be moderators of the forums, people responsible for maintenance, users, dada dada.

right now i'm designing the data model for this website trying to figure out what the advantages and disadvantages of different systems would be. and trying to put names to concepts that i come up with :P

someone may be an editor but also may be the moderator of forums, now they could be members of both groups, or they could be granted permissions to perform the specified actions, or they could be granted permissions to perform the actions associated with specific groups.

but then what if there is a special member who has permissions for some things or other things? then you'd need rbac. it's a complicated subject for sure. like maybe they can edit an article but not delete it then delete forum posts but not threads and no permissions for edits. what's an efficient but scalable way to implement these sorts of permissions?

we could store two lists? one based on actions and one based on groups?

and even when you decide on a system the data model could be specified in many different ways.

i'll write more when i sober up but right now i don't think it's a good idea. love to talk about it though :)

Re: implementing access control

Posted: Wed Dec 16, 2009 9:49 pm
by s.dot
I guess I forgot to mention. The group based permissions I implement also have task-specific flags. Like my isEmailAdmin() method may allow access to that section, but I could flag that specific admin not to be able to send a mass email to subscribers.

I guess, if I implemented it correctly, the table structure would look like:

`site`.`access_groups` (general grouping flags)
`site`.`access_groups_tasks` (task-specific grouping flags)

With a specified user belonging to a group, and having permission based access on the tasks.

Of course, this solution is not easily scalable.. so I'm looking forward to further input as well!

EDIT| I pretty much typed what you just did. :crazy:

Re: implementing access control

Posted: Wed Dec 16, 2009 9:50 pm
by josh
I just use Zend_Acl. I think using "pages" to identify resources is a mistake. I like MVC because each logical action is a module+controller+action (and add to that whatever parameters are needed to uniquely identify the resource).
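One way to model what daedalus__ and s.dot describe (roles plus per-user task flags, deny by default, the "edit an article but not delete it, delete forum posts but not threads" case) with resources named module/controller/action as josh suggests. This is an added example, not code from anyone in this thread; the role, user and resource names are made up, and the wildcard matching is an assumption of this example rather than Zend_Acl's behaviour.

```php
<?php
// Added example, not from this thread: deny-by-default RBAC with per-user task overrides.
// Roles, users and resource names are constructed sample data.
// Role -> permitted resources named module/controller/action; a trailing /* covers a whole subtree.
$roles = [
    'editor'    => ['content/article/create', 'content/article/edit', 'content/review/edit'],
    'moderator' => ['forum/post/edit', 'forum/post/delete'],
    'siteadmin' => ['content/*', 'forum/*', 'admin/*'],
];

// User -> roles plus explicit per-user grants and denies (s.dot's task-specific flags for one admin).
$users = [
    'alice' => ['roles' => ['editor', 'moderator'], 'allow' => [], 'deny' => ['content/article/delete']],
    'bob'   => ['roles' => ['editor'], 'allow' => ['forum/post/delete'], 'deny' => []],
];

// Exact match, or prefix match for "module/*" entries (slash kept so "forum/*" does not match "forums/x").
function permissionMatches(string $pattern, string $resource): bool
{
    if (substr($pattern, -2) !== '/*') {
        return $pattern === $resource;
    }
    $prefix = substr($pattern, 0, -1);
    return strncmp($resource, $prefix, strlen($prefix)) === 0;
}

// Order: unknown user -> deny; explicit deny wins; then explicit allow; then any role; otherwise deny.
function isAllowed(array $roles, array $users, string $user, string $resource): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $u = $users[$user];
    foreach ($u['deny'] as $p) {
        if (permissionMatches($p, $resource)) { return false; }
    }
    foreach ($u['allow'] as $p) {
        if (permissionMatches($p, $resource)) { return true; }
    }
    foreach ($u['roles'] as $role) {
        foreach ($roles[$role] ?? [] as $p) {
            if (permissionMatches($p, $resource)) { return true; }
        }
    }
    return false;
}

foreach (['content/article/edit', 'content/article/delete', 'forum/post/delete', 'forum/thread/delete'] as $r) {
    printf("alice %-24s %s\n", $r, isAllowed($roles, $users, 'alice', $r) ? 'allow' : 'deny');
}
```

Run with `php`: alice gets allow for the article edit and forum post delete, and deny for the article delete (explicit deny) and the thread delete (never granted), so an unlisted resource is never reachable by accident.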

Re: implementing access control

Posted: Mon Dec 21, 2009 8:51 pm
by Griven
I primarily develop for a Windows-based intranet, so I have (in my opinion) the luxury of dealing with Integrated Windows Authentication. I couple that with adLDAP to gather the user's groups from Active Directory and store them in the SESSION array. To flesh that out, I created a custom function to check whether or not a user is a member of a specified group, and return either true or false. It works much the same as Scottayy's method.

$groups = array('Managers','Directors');
if ($auth->groupCheck($groups)){
  //Sooper-seekrit stuff
} else {
  //Not-so-sooper-seekrit stuff or a 403 redirect
}