What layer do permissions and authentication belong in?

Posted: Thu Dec 14, 2006 6:13 pm
by Luke
One thing I've always had a hard time placing in Model View Controller systems is what layer to put authentication and permissions in. Does it go in this layer?

Code:

class IndexController extends Zend_Controller_Action
{
    public function indexAction()
    {
        // isAuthenticated() and hasPrivilege() stand in for whatever helpers
        // load the session user and look up the permission for this action.
        if (!$this->isAuthenticated())
        {
            // See ya later!
            $this->_redirect('/login');
            return;
        }
        if ($this->hasPrivilege())
        {
            // Continue with this action
        }
    }
}
Or does it belong further up?

Posted: Thu Dec 14, 2006 6:30 pm
by Christopher
Further up? The code you posted is in the Presentation Layer. That is where Access Control is normally done. You have it in the controller which usually makes sense. But the data and some logic obviously reside in the Model in the Domain Layer. It is done just as everything else is done in MVC. But maybe I am just confused about what you are asking?

Posted: Thu Dec 14, 2006 6:41 pm
by Luke
Then I will clarify... :wink:

I meant as opposed to something like this...

Code:

class ApplicationController extends Zend_Controller_Action
{
    protected $_user = null;
    protected $_db = null;

    public function init()
    {
        // $this->_session is assumed to be a session wrapper set up by the bootstrap.
        $this->_user = $this->_session->get('user');
        if ($this->_user === null)
        {
            // Nobody is signed in: send them to the login page before any action runs.
            $this->_redirect('/login');
            return;
        }
        $this->_db = DB::getInstance();   // singleton accessor, not "new DB::getInstance()"
        $this->_user->loadPermissions($this->_db);
    }
}

Code:

class IndexController extends ApplicationController
{
    public function indexAction()
    {
        if (!$this->_user->canDoThis())
        {
            // bye bye!
            $this->_redirect('/denied');
            return;
        }
        // Continue with your operation, buddy!
    }
}
The more I write these things out in the forum, the more they seem to make sense or not make sense. Seems like these two are the same thing... you'd have to initialize all that info in my first example as well, so it seems I've answered my own question.

Posted: Thu Dec 14, 2006 7:02 pm
by Christopher
Definitely the second example, because it maintains Presentation/Domain layer separation. You don't want to turn your Controller into a Transaction Script if you can avoid it. The Model determines whether they are signed in, and the Controller alters control flow or the View alters output based on it -- that's how it should be.

Posted: Fri Dec 15, 2006 12:29 pm
by Kieran Huggins
The thing I often find confusing about security is the different concepts of security.

Sometimes I feel this strange desire to add security information to the data layer - my thoughts go along the lines of "this information should only be seen by X, so I should only return it from the database if X is the user." Besides... filesystems sort of work like this don't they?

Then I think about a real world example, like a forum. In a forum there are many different "security concepts" (I know I'm butchering this term, there's likely an agreed upon term and model I don't know about) at work. There are some things you can see but not change (other people's posts), other things you can know about but not see (private forums), and yet other things you don't know about entirely (hidden forums). Then there are the more complicated concepts like "tamper-evident" systems, for example when I edit a post that already has a reply there's text appended to my post making the edit evident. This type of security is certainly not possible at the data (model) layer.

The view, or presentation, layer is also a bad candidate for a couple of reasons: transformations (as amazing and flexible as some of them are) are not ideal places to evaluate security, and sometimes (ideally) we want the client to perform those transformations, which happens outside our control. Bad idea.

That leaves the controller, which is where I do most of my authentication. It has access to all the data, it exists in a flexible programming environment, and it's where all the business logic is (which likely determines who can see what).

If you're still dreaming about modeling your application security after filesystem security (I still do from time to time) do some reading about Novell's 589 file and folder permission attributes - it's the coldest shower I've ever needed to take 8)

As an aside, I've always found every different type of data required its own security concept in order to be really secure. Not every piece of information in the world can just be "read-only" or "writable". Some need permissions like "can change colour" or "is visible on Tuesdays". To keep your code simple (and your sanity) try to design your security with that in mind. Often defining a default permission for each object and then merging roles and individual permissions (in that order) is a good plan. I think I already covered that in another thread though, so I won't abuse the deceased equine.

Cheers,
Kieran
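Kieran's merge order above (a default permission set per object type, then role grants, then individual grants, each layer overriding the one before it), worked through as a small PHP script. This is an added example, not code from the thread; the object types, roles, users and permission names are constructed sample data, and it assumes PHP 7 or later for the null-coalescing operator.

```php
<?php
// Added example, not from the thread. Resolves the effective permissions of a
// user on one object type in the order: object default < role grants < individual
// grants. Permission names are plain strings, so object-specific verbs such as
// "change_colour" are handled exactly like "read" or "write".

// Constructed sample data: permission => bool (true = allow, false = deny).
$defaults = [
    'post'  => ['read' => true,  'write' => false, 'change_colour' => false],
    'forum' => ['read' => false, 'write' => false, 'change_colour' => false],
];

$rolePermissions = [
    'member'    => ['post' => ['write' => true]],
    'moderator' => ['post'  => ['write' => true, 'change_colour' => true],
                    'forum' => ['read' => true]],
];

$userPermissions = [
    // Individual override: this moderator is explicitly forbidden from recolouring posts.
    'carol' => ['post' => ['change_colour' => false]],
];

$userRoles = [
    'alice' => ['member'],
    'carol' => ['moderator'],
    'guest' => [],
];

/**
 * Merge the layers in precedence order. array_merge() with string keys lets a
 * later layer overwrite an earlier one, which is exactly the override semantics
 * we want; anything no layer mentions is simply absent.
 */
function effectivePermissions(string $user, string $objectType, array $defaults,
                              array $rolePermissions, array $userPermissions,
                              array $userRoles): array
{
    $effective = $defaults[$objectType] ?? [];
    foreach ($userRoles[$user] ?? [] as $role) {
        $effective = array_merge($effective, $rolePermissions[$role][$objectType] ?? []);
    }
    return array_merge($effective, $userPermissions[$user][$objectType] ?? []);
}

/** Fail closed: a permission nobody defined is a denial, not a notice. */
function can(string $user, string $permission, string $objectType, array ...$layers): bool
{
    $effective = effectivePermissions($user, $objectType, ...$layers);
    return $effective[$permission] ?? false;
}

$layers = [$defaults, $rolePermissions, $userPermissions, $userRoles];
foreach (['alice', 'carol', 'guest'] as $u) {
    foreach (['read', 'write', 'change_colour', 'is_visible_on_tuesdays'] as $p) {
        printf("%-6s %-24s post: %s\n", $u, $p,
               can($u, $p, 'post', ...$layers) ? 'allow' : 'deny');
    }
}
```

Run it with `php merge.php`. Alice (member) gets read and write on posts but not change_colour; Carol (moderator) would inherit change_colour from her role, but her individual entry wins and denies it; the guest gets only the object default (read). A permission no layer knows about, like is_visible_on_tuesdays, is denied for everybody, which is the fail-closed behaviour you want when a new permission name is added to the code before anyone has granted it.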

Posted: Mon Dec 18, 2006 9:44 am
by raghavan20
Basically, it goes into the C of MVC.
C always has so many things to do when compared with M & V.

You provide data from M to C and C makes the decision and informs the V to display the decision taken.

Let us say you want to check permissions for each page; then we cannot put it in the page where you get the HTTP_VARS, because that would duplicate code.

Instead you can have a repository of functions/classes and pass to it the relevant data from HTTP and/or M of MVC.

The function in the repository will take the decision and send it back to the controller script that called it. But still, here the logic to validate user permissions and the logic that sends the data to the checking script both belong to the controller. Once the decision is obtained, the V formats the result and displays it as output.

Posted: Mon Dec 18, 2006 12:52 pm
by John Cartwright
Why not create an Access plugin with the preDispatch method?
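The preDispatch plugin Jcart suggests, written against the Zend Framework 1 API (Zend_Controller_Plugin_Abstract, Zend_Acl, Zend_Auth, Zend_Controller_Front). This is an added example, not Jcart's code or anything from his SVN: the class name My_Plugin_Access, the resource and role names, the 'auth' and 'error' controllers, and the assumption that the stored identity object carries a role property are all illustrative. It also shows Christopher's point from earlier in the thread: the policy (who may do what) lives on the model side in the Zend_Acl instance, and the plugin only alters control flow by rewriting the request before the protected action is dispatched.

```php
<?php
// Added example, not Jcart's code. A Zend Framework 1 front-controller plugin
// that runs before every action. The decision ("may this role run this
// controller/action?") is delegated to a Zend_Acl instance built on the model
// side; the plugin only changes which action is dispatched.
require_once 'Zend/Controller/Plugin/Abstract.php';
require_once 'Zend/Controller/Front.php';
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Auth.php';

class My_Plugin_Access extends Zend_Controller_Plugin_Abstract
{
    private $_acl;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        // Anonymous visitors get the 'guest' role; otherwise use the role stored
        // in the identity at login time (assumed to be an object with ->role).
        $role = $auth->hasIdentity() ? $auth->getIdentity()->role : 'guest';

        // Map controller => ACL resource, action => ACL privilege.
        $resource  = $request->getControllerName();
        $privilege = $request->getActionName();

        // Deny by default: a controller nobody registered as a resource is not
        // reachable, and so is any action the role was not explicitly allowed.
        if (!$this->_acl->has($resource)
            || !$this->_acl->isAllowed($role, $resource, $privilege)) {
            // Rewrite the request instead of letting the protected action run.
            // Guests are sent to log in; signed-in users get an "access denied" page.
            $request->setControllerName($role === 'guest' ? 'auth' : 'error')
                    ->setActionName($role === 'guest' ? 'login' : 'denied');
        }
    }
}

// Model-side policy. Build the ACL once (in the bootstrap) and hand it to the plugin.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'), 'guest')        // member inherits guest
    ->addRole(new Zend_Acl_Role('moderator'), 'member');   // moderator inherits member

$acl->add(new Zend_Acl_Resource('index'))
    ->add(new Zend_Acl_Resource('auth'))
    ->add(new Zend_Acl_Resource('error'))
    ->add(new Zend_Acl_Resource('post'));

$acl->allow('guest', array('index', 'auth', 'error'));             // public pages, all actions
$acl->allow('member', 'post', array('index', 'view', 'create'));   // members: no edit/delete
$acl->allow('moderator', 'post');                                  // moderators: every post action

Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_Access($acl));
```

Because the login and error pages are themselves allowed for 'guest', rewriting a denied request to them cannot loop. Keeping the plugin this thin is the point: if the rules change, you edit the Zend_Acl setup (or load it from the database), and no controller needs to know.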

Posted: Mon Dec 18, 2006 3:33 pm
by Luke
Jcart wrote:
    Why not create an Access plugin with the preDispatch method?
I like this idea... I am going to research that right now. I've been looking into controller plugins lately and they are way cool. If you have any insight or examples, I'd love to see them. Thanks Jcart!

Posted: Mon Dec 18, 2006 3:36 pm
by John Cartwright
The Ninja Space Goat wrote:
    Jcart wrote:
        Why not create an Access plugin with the preDispatch method?
    I like this idea... I am going to research that right now. I've been looking into controller plugins lately and they are way cool. If you have any insight or examples, I'd love to see them. Thanks Jcart!
I don't want to release my SVN publicly, because the code on this project is ancient and has been refactored beyond comprehension, and I haven't had a chance to commit the changes. So check your PM.