Page 3 of 20

Posted: Thu May 18, 2006 7:06 am
by santosj
Ambush Commander wrote:Code will appear some time. I plan on writing the thing in pencil first.
You're hardcore! Unless you mean UML or just prototype functions, which I also do from time to time. Except when I code by the seat of my pants which is more often than not.

In the second code, you don't give what Filter is, so there is no way to know what code you are extending.

I like the PHP 5 model because it gives you the option of SPL, interfaces, abstraction, and visibility scope. You also get rid of the pointless &= when passing by reference. In PHP 5 classes are automatically passed by reference. It is up to you if you want to clone them.

My Input

I believe it should be more of a Factory or Singleton model. That said, the ACL can be a separate abstract class that can be extended or an Interface.

I can see there is a plugin usage for the second example, but why? What purpose does it have?

Posted: Thu May 18, 2006 3:04 pm
by Ambush Commander
You're hardcore! Unless you mean UML or just prototype functions, which I also do from time to time. Except when I code by the seat of my pants which is more often than not.
Your "unless" is correct. Although I never really formally learned UML. I'm not that hardcore. :roll:
In the second code, you don't give what Filter is, so there is no way to know what code you are extending.
Ah... there are a lot of missing components, but I thought it would be clear enough. The filter is fairly simple:

Code:

<?php

//McGruff seems to think that InterceptingFilters are bad... and I'm starting
//to think that way too. But we need a controller first.
class Filter
{
    
    //Always good to have a base class!  It doesn't do much
    
    var $_registry;
    
    function Filter() {}
    function execute(&$registry) {
        $this->_registry =& $registry;
    }
    
}

?>
And this code executes the filters:

Code:

<?php

class FilterChain
{

    var $_filters = array();

    function FilterChain() {
        // Filter_Registration and Filter_Authentication extend Filter; they are
        // among the components not shown in this post.
        $this->addFilter(new Filter_Registration());
        $this->addFilter(new Filter_Authentication());
    }

    function addFilter(&$obj) {
        $this->_filters[] =& $obj;
    }

    function processFilter(&$registry) {
        $size = sizeof($this->_filters);
        for($i = 0; $i < $size; $i++) {
            // execute() already declares its parameter by reference, so no
            // call-time & is needed here (call-time pass-by-reference is deprecated)
            $this->_filters[$i]->execute($registry);
        }
    }

}

?>
I like the PHP 5 model because it gives you the option of SPL, interfaces, abstraction, and visibility scope. You also get rid of the pointless &= when passing by reference. In PHP 5 classes are automatically passed by reference. It is up to you if you want to clone them.
Since we're really trying to design something beautiful rather than get something that will work on most PHP4 hosts, and plus, the host that I'm currently on gives me PHP 5 (although admittedly an old version: 5.0.4), we'll go PHP5. (I need practice in PHP5 anyway). However, we're still giving a keen eye to reusability and packagability.
I believe it should be more of a Factory or Singleton model.
Singletons, hmm... that would work like...

Code:

// PropagateAuthInterface and the Singleton class are not shown in this post.
class PropagateAuthWithSingleton implements PropagateAuthInterface
{
    public function propogate($user_id) {
        $singleton = Singleton::getInstance();
        $singleton->setCurrentUser($user_id);
    }
}
That said, the ACL can be a separate abstract class that can be extended or an Interface.
I guess I won't be able to get away with telling you people not to worry about the access control just yet.
I can see there is a plugin usage for the second example, but why? What purpose does it have?
It's more of a unit testing thing. By separating the call to the dependency to another function, we always have the option of injecting a mock by partial mocks (SimpleTest is good reading for this, see: http://www.lastcraft.com/partial_mocks_ ... tation.php )

--

So I've been sketching out a nebulous "Authentication Module" and the things it would have to interact with some way or another (even if it's through another layer).

* $_POST superglobal, which interacts with the login form
* $_SESSION superglobal
* Database with password, which interacts with user preferences to change passwords/emails and registration (registration, in turn, interacts with email for validation)
* Application context (sometimes bleeding in with $_SESSION) (interacts with Authorization)

We want to implement all these things, but anything outside the core should be able to be overloaded.

Posted: Thu May 18, 2006 3:24 pm
by santosj
Oh sweet, once this is finished it should be pretty awesome. I may just use it... maybe.

Posted: Thu May 18, 2006 3:53 pm
by alex.barylski
I hope so...because 26 votes is really nuts :P

Posted: Thu May 18, 2006 4:19 pm
by Chris Corbyn
Hockey wrote:I hope so...because 26 votes is really nuts :P
The stats have surprised me that's for sure.

Posted: Thu May 18, 2006 4:27 pm
by alex.barylski
d11wtq wrote:
Hockey wrote:I hope so...because 26 votes is really nuts :P
The stats have surprised me that's for sure.
For real...out of all the polls I have ever submitted (not just this forum) I have never seen a unanimous outcome...

p.s. Is there any way we can change the poll from what it is, to say...

Is Hockey a pure genius?
- Of course
- Nope
- Not even
- Quite the opposite

Har har har...man the fun I would have if I had admin control...


Are there any known SQL injection attacks in the phpBB software this place uses??? :P

Cheers :)

Posted: Thu May 18, 2006 4:31 pm
by Charles256
p.s. Is there any way we can change the poll from what it is, to say...

Is Hockey a pure genius?
- Of course
- Nope
- Not even
- Quite the opposite

Har har har...man the fun I would have if I had admin control...


Do you know how far I had to zoom in to read that?!!!!!!!!!!!!!!!!

Posted: Thu May 18, 2006 4:33 pm
by Ambush Commander
Do you know how far I had to zoom in to read that?!!!!!!!!!!!!!!!!
::shrugs indifferently:: I just copypasted to a text editor.

Although let's not derail the thread please.

Posted: Thu May 18, 2006 5:25 pm
by Christopher
Ambush Commander wrote:So I've been sketching out a nebulous "Authentication Module" and the things it would have to interact with some way or another (even if it's through another layer).

* $_POST superglobal, which interacts with the login form
* $_SESSION superglobal
* Database with password, which interacts with user preferences to change passwords/emails and registration (registration, in turn, interacts with email for validation)
* Application context (sometimes bleeding in with $_SESSION) (interacts with Authorization)

We want to implement all these things, but anything outside the core should be able to be overloaded.
I think you have defined four pretty standard things that every application will have and we would need access to: the Request, the Session, the Database, the Controller. I suggest that we create one or more adaptors through which this system talks to these sub-systems. That way we build in a flex point and push the problem of making things talk together off on the implementor. I think the adaptors would be trivial anyway as most systems use very similar implementations with slightly different naming.

Posted: Thu May 18, 2006 5:28 pm
by alex.barylski
Charles256 wrote:p.s. Is there any way we can change the poll from what it is, to say...

Is Hockey a pure genius?
- Of course
- Nope
- Not even
- Quite the opposite

Har har har...man the fun I would have if I had admin control...


Do you know how far I had to zoom in to read that?!!!!!!!!!!!!!!!!
:P

Posted: Thu May 18, 2006 5:30 pm
by alex.barylski
Ambush Commander wrote:
Do you know how far I had to zoom in to read that?!!!!!!!!!!!!!!!!
::shrugs indifferently:: I just copypasted to a text editor.

Although let's not derail the thread please.
I was just about to suggest that as that's what I do :P

Posted: Thu May 18, 2006 5:40 pm
by Ambush Commander
I think you have defined four pretty standard things that every application will have and we would need access to: the Request, the Session, the Database, the Controller. I suggest that we create one or more adaptors through which this system talks to these sub-systems. That way we build in a flex point and push the problem of making things talk together off on the implementor. I think the adaptors would be trivial anyway as most systems use very similar implementations with slightly different naming.
That's interesting. What does a flex point look like? (at this point, it looks like some code is coming up real soon to define interfaces)

Posted: Thu May 18, 2006 6:27 pm
by Ambush Commander
Security reading. Stuff we want to implement and stuff we want to consider. Ones not named are scarcely relevant, ones that are are probably quite relevant.

Tutorials
* Challenge Response Login
* Authentication Module

Security
* Login Security (specifically sessions)
* viewtopic.php?t=47690
* viewtopic.php?t=47527
* viewtopic.php?t=47483
* viewtopic.php?t=47492
* viewtopic.php?t=47375
* Another 15 pages to sift through

Theory
* Authentication libraries (what's out there?)
* Best medium/diversity
* viewtopic.php?t=47532
* viewtopic.php?t=39502
* About thirty more pages to go through

External links
* Javascrypt, Javascript based encryption - could be used for SSH emulation

Something interesting is that Authentification is used so much. Is that a valid spelling?

Posted: Thu May 18, 2006 7:35 pm
by Christopher
Ok ... you read through all that and give us an executive summary. 8O

Regarding the adapters, we only need/want to provide the minimum necessary. That reduces the amount of code to test and support.

Request - We really don't need to interact directly because we only need a couple of values. And they may not come from the request at all, but some other source.

Session - This needs to be read/write access to some data structure because we have a number of values to store. A plain-old associative array may be easiest. If it is an object then the external session system needs to know about the class, which is just one extra thing to do. When the allows multiple autoloaders this will be easier.

Database - The simplest configuration is read only. The only write needed might be a timestamp. Do we let the external system deal with that invisibly or require the adapter to support a call?

Controller - I don't think there is one solution here. Use cases will clarify this for us probably.

Posted: Thu May 18, 2006 7:49 pm
by Ambush Commander
Ok ... you read through all that and give us an executive summary.
So, extra "tools" we want: challenge response, remember me, password strength evaluation, password asymmetrical encryption and captchas (probably interface with someone else, it's hard to do those well; use these for login throttling as well as registration). These will make the system very powerful.

Things we want to avoid: function callbacks/excessive reflection, extended beta period (we want a stable product), no dependencies (or dependencies that are trivially easy to substitute).

This was proposed as a basic interface (never mind the format of credentials):

Code:

interface AuthenticationProvider {
    /**
     * Return the result of the authentication attempt
     * @param $credentials the credentials
     * @return true if authentication was a success
     */
    function IsAuthenticated($credentials);
}
This project might be a little too big for a little forum thread. SourceForge, anyone?
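As an added example (not code from the thread or from the project it discusses), here is the AuthenticationProvider interface proposed above implemented on top of the minimal Session and Database adapters Christopher described: the session is a plain associative array with a regenerate-id hook, the database is read-only apart from the last-login timestamp, and the provider adds the login throttling mentioned in the list of extra tools. The adapter interfaces, class names and method names are this example's own assumptions, and it needs PHP 5.5 or later for password_hash()/password_verify(), so it is deliberately not written in PHP 4 style.

```php
<?php
// Added example, not code from the thread. It implements the AuthenticationProvider
// interface proposed above on top of the minimal Session and Database adapters
// Christopher described. Every adapter, class and method name below is this
// example's own assumption; password_hash()/password_verify() need PHP 5.5+.

interface AuthenticationProvider {
    /**
     * Return the result of the authentication attempt
     * @param array $credentials array('username' => string, 'password' => string)
     * @return bool true if authentication was a success
     */
    function IsAuthenticated($credentials);
}

// Session adapter: read/write access to a plain associative array. The host
// decides whether that array lives in $_SESSION or in its own session object.
interface SessionAdapter {
    function get($key, $default = null);
    function set($key, $value);
    function regenerateId();   // a real adapter calls session_regenerate_id(true)
}

// Database adapter: read-only, except for the one write the thread allows,
// the last-login timestamp.
interface DatabaseAdapter {
    function findPasswordHash($username);            // string hash, or null
    function touchLastLogin($username, $timestamp);
}

class ArraySessionAdapter implements SessionAdapter {
    private $data = array();
    public $regenerations = 0;   // counts regenerateId() calls, for inspection
    public function get($key, $default = null) {
        return isset($this->data[$key]) ? $this->data[$key] : $default;
    }
    public function set($key, $value) { $this->data[$key] = $value; }
    public function regenerateId() { $this->regenerations++; }
}

class ArrayDatabaseAdapter implements DatabaseAdapter {
    private $hashes;
    public $lastLogin = array();
    public function __construct(array $hashes) { $this->hashes = $hashes; }
    public function findPasswordHash($username) {
        return isset($this->hashes[$username]) ? $this->hashes[$username] : null;
    }
    public function touchLastLogin($username, $timestamp) {
        $this->lastLogin[$username] = $timestamp;
    }
}

class PasswordAuthenticationProvider implements AuthenticationProvider {
    const MAX_FAILURES = 5;   // per-session login throttle
    private $session, $db, $dummyHash;
    public function __construct(SessionAdapter $session, DatabaseAdapter $db) {
        $this->session = $session;
        $this->db = $db;
        // Verified against when the username is unknown, so a lookup miss costs
        // the same time as a wrong password and does not reveal valid usernames.
        $this->dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    public function IsAuthenticated($credentials) {
        $username = isset($credentials['username']) ? (string) $credentials['username'] : '';
        $password = isset($credentials['password']) ? (string) $credentials['password'] : '';
        $failures = $this->session->get('login_failures', 0);
        if ($failures >= self::MAX_FAILURES) {
            return false;   // throttled: do not even look at the password
        }
        $hash = $this->db->findPasswordHash($username);
        // password_verify() always runs; the unknown-user case is rejected afterwards.
        $ok = password_verify($password, $hash === null ? $this->dummyHash : $hash)
            && $hash !== null;
        if (!$ok) {
            $this->session->set('login_failures', $failures + 1);
            return false;
        }
        $this->session->regenerateId();   // new id on login defeats session fixation
        $this->session->set('login_failures', 0);
        $this->session->set('user', $username);
        $this->db->touchLastLogin($username, time());
        return true;
    }
}

// Constructed sample data: one user whose hash was produced with password_hash().
$db = new ArrayDatabaseAdapter(array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
));
$session = new ArraySessionAdapter();
$auth = new PasswordAuthenticationProvider($session, $db);

var_dump($auth->IsAuthenticated(array('username' => 'alice', 'password' => 'wrong')));
var_dump($auth->IsAuthenticated(array('username' => 'nobody', 'password' => 'x')));
var_dump($auth->IsAuthenticated(array('username' => 'alice', 'password' => 'correct horse battery staple')));
var_dump($session->get('user'), $session->regenerations, $session->get('login_failures'));
```

Run it with php from the command line: the first two attempts fail (wrong password, unknown user) and the third succeeds, after which the session holds the user name, the failure counter is reset and the id has been regenerated once. Two design points are worth keeping whatever the final adapters look like: verifying against a dummy hash when the username is unknown makes a miss cost the same as a wrong password, so response time does not confirm which user names exist, and regenerating the session id on every successful login is the standard mitigation for session fixation.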