ACL and Reflection
I have an idea to create an Access Control Manager based on the information returned by using Reflection* classes applied to my Controller, Model and (Sub)View classes. It's also matched against stored role permissions.
What's your opinion about it? Has anyone played with Reflection?
There are 10 types of people in this world, those who understand binary and those who don't
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: ACL and Reflection
Sounds interesting. Reflection can be very useful to implement a convention based solution.
Re: ACL and Reflection
I miss the class attributes, like in C#:
Code:
[ClassInfoAttribute(AppEnum.Task.SuperAdministration, "Super administration")]
class MainAdministrationTaskControl
{
    ....
I did look for it but I couldn't find it.
It might be very helpful for ACL purposes.
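PHP has had the class attributes asked for in this post since PHP 8.0 (the `#[...]` syntax, read back through `ReflectionClass::getAttributes()` and `ReflectionMethod::getAttributes()`), which is exactly the building block the attribute-driven ACL sketched here needs. What follows is an added example, not code from the thread or from any poster: `RequiresRole`, `PostsController`, `AccessControl` and `dispatch()` are hypothetical names chosen for illustration. The front controller resolves the roles an action requires by reflection before dispatching, a method-level attribute overrides the class-level one, and an action that declares nothing (or is not public) is denied rather than silently allowed.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): PHP 8 attributes as the "class attribute"
// wished for above, read by reflection in a front controller before dispatch.

#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD)]
final class RequiresRole
{
    /** @param string[] $roles holding any one of these roles is sufficient */
    public function __construct(public array $roles) {}
}

// Hypothetical controller: a class-level default plus a stricter per-action rule.
#[RequiresRole(['member'])]
final class PostsController
{
    public function indexAction(): string { return 'post list'; }

    #[RequiresRole(['moderator', 'admin'])]
    public function deleteAction(): string { return 'post deleted'; }

    // Not public: must never be reachable from a URL even though method_exists() finds it.
    private function purgeAction(): string { return 'purged'; }
}

final class AccessControl
{
    /**
     * Roles required for the reflected method. A method attribute overrides the
     * class attribute. Returns null when neither declares anything.
     */
    public static function requiredRoles(ReflectionMethod $rm): ?array
    {
        $attrs = $rm->getAttributes(RequiresRole::class);
        if ($attrs === []) {
            $attrs = $rm->getDeclaringClass()->getAttributes(RequiresRole::class);
        }
        return $attrs === [] ? null : $attrs[0]->newInstance()->roles;
    }

    public static function isAllowed(array $userRoles, string $class, string $method): bool
    {
        if (!method_exists($class, $method)) {
            return false;
        }
        $rm = new ReflectionMethod($class, $method);
        $required = self::requiredRoles($rm);
        // Fail closed: non-public actions and actions with no declared rule are denied.
        if (!$rm->isPublic() || $required === null) {
            return false;
        }
        return array_intersect($required, $userRoles) !== [];
    }
}

// Front-controller style dispatch: the decision is made before the action runs,
// so the controller itself needs no knowledge of the current user's roles.
function dispatch(array $userRoles, string $controller, string $action): string
{
    $method = $action . 'Action';
    if (!AccessControl::isAllowed($userRoles, $controller, $method)) {
        return '403 Forbidden';
    }
    return (new $controller())->$method();
}

// Constructed requests: (roles of the current user, controller, action)
foreach ([
    [['member'],    PostsController::class, 'index'],
    [['member'],    PostsController::class, 'delete'],
    [['moderator'], PostsController::class, 'delete'],
    [['admin'],     PostsController::class, 'purge'],
    [['admin'],     PostsController::class, 'missing'],
] as [$roles, $ctrl, $action]) {
    printf("%-10s %-8s => %s\n", implode(',', $roles), $action, dispatch($roles, $ctrl, $action));
}
```

The important design choice is the `null` branch in `isAllowed()`: with a convention-based scheme, an action someone forgot to annotate must come out as "deny", otherwise every new controller method is world-reachable by default. Note also that `method_exists()` alone is not enough as a dispatch guard, since it reports private methods too; the `isPublic()` check from reflection closes that gap.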
Re: ACL and Reflection
You mean properties?
http://be.php.net/manual/en/language.oo ... onproperty
Please give some more hints as to what you are trying to achieve using reflection. I don't see how reflection+mvc = an acl implementation.
Re: ACL and Reflection
Not exactly - http://msdn.microsoft.com/en-us/library ... S.71).aspx
koen.h wrote: Please give some more hints as to what you are trying to achieve using reflection. I don't see how reflection+mvc = an acl implementation.
I need some time to figure out all of the aspects.
But any help or suggestions are welcome.
Re: ACL and Reflection
koen.h wrote: I don't see how reflection+mvc = an acl implementation.
In fact, using method_exists(), get_class_methods() and related native PHP functions in the front controller (which I think is a common approach) is "reflectioning", right?
I don't think a Controller, or a Model or a View should have any knowledge of what the current user is permitted to do or not. It's simply out of their scope.
Still, trying to clear my ideas, though.
The main idea is to have very high granularity of permissions - per object property.
Also, I'm trying to follow the *nix file permissions model...
Hope that I'll post some more information soon.
And don't bother to post questions, suggestions etc. It will help me a lot
Re: ACL and Reflection
Maybe this could provide some inspiration:
http://www.xaprb.com/blog/2006/08/16/ho ... ol-in-sql/
http://www.xaprb.com/blog/2006/08/18/ro ... ql-part-2/
Too bad there was no reply to my question since I found it very interesting.
Re: ACL and Reflection
koen.h wrote: Too bad there was no reply to my question since I found it very interesting.
Which one?
I'm trying to escape from all of these "if isPermitted(bla-bla)" structures. That's why I think I need the Reflection and a MVC provider class.
One of the biggest problems I face is controlling access based on the value of a property.
E.g. defining Edit access for a Moderator to all posts in predefined forum sections.
It's hard to be done in the traditional user-group-everybody access pattern.
Re: ACL and Reflection
VladSun wrote:
koen.h wrote: Too bad there was no reply to my question since I found it very interesting.
Which one?
I'm trying to escape from all of these "if isPermitted(bla-bla)" structures. That's why I think I need the Reflection and a MVC provider class.
Sorry, I mean my question on that last blog post I linked to.
Re: ACL and Reflection
Thanks for the links and for participation in this topic, though.
I'll examine the approach in the links in depth - maybe some of my ideas would get clear.
- Christopher
Re: ACL and Reflection
I think this is an interesting idea, and have been thinking in this direction myself. The Front Controller does know the module, controller and action to be dispatched. So you could, for example, apply Access Control by module or by a list of controllers (or even actions).
Re: ACL and Reflection
arborint wrote: I think this is an interesting idea, and have been thinking in this direction myself. The Front Controller does know the module, controller and action to be dispatched. So you could, for example, apply Access Control by module or by a list of controllers (or even actions).
I've done something: viewtopic.php?f=50&t=81792
This is following the main idea, but I need much more granularity.
Re: ACL and Reflection
I use Zend_Acl and allow/deny based on controller/action (I haven't yet found a need for modules).
Code:
<?php
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$myAcl = new Zend_Acl();

/**
 * Application Roles
 *
 * guest: a user who has not logged in yet
 * member: these are the clients. They have read/write access to all their own information
 * admin: this is the super user. This person can read/write any account
 */
$myAcl->addRole(new Zend_Acl_Role('guest'))            // guest access
      ->addRole(new Zend_Acl_Role('member'), 'guest')  // regular member inherits guest
      ->addRole(new Zend_Acl_Role('admin'), 'member'); // admin inherits member

/**
 * Resources
 *
 * These are the things that a user might need access to (controllers).
 * Every controller used in a rule below has to be registered here first;
 * Zend_Acl throws an exception for a rule on an unknown resource.
 */
$myAcl->add(new Zend_Acl_Resource('auth'))
      ->add(new Zend_Acl_Resource('error'))
      ->add(new Zend_Acl_Resource('index'))
      ->add(new Zend_Acl_Resource('members'))
      ->add(new Zend_Acl_Resource('users'))
      ->add(new Zend_Acl_Resource('posts'));

/**
 * Permissions
 *
 * These are the individual fine-grained permissions that say whether a "role" has access to a "resource" or not.
 * There are some permissions that can't be decided until the user has actually gone to the controller/action in question.
 * For instance, members need to have "edit" access to the "members" resource, but only if it is their own account. To solve
 * this problem, the application makes use of an "action helper" inside of the controller/action that will reject the user if they don't have access.
 */
$myAcl->allow('guest', 'auth')                                                         // anybody can view the auth pages (where they log in and out)
      ->allow('guest', 'error')                                                        // anybody can view error pages
      ->allow('guest', 'index', array('index'))                                        // anybody can view the index page
      ->allow('member', 'members', array('account', 'detail'))                         // members can view themselves and modify their own account
      ->allow('member', 'users', array('detail', 'index', 'create', 'edit', 'delete')) // members can do all these things, but only to their own posts
      ->allow('admin');                                                                // no resource, no privilege given = allow admins to do anything they want... run wild!!
Then inside of my controller/action:
Code:
// .. snip
public function createAction() {
    // Zend_Acl only decided that a "member" may reach users/create; whether this
    // member may act on this particular record is checked here, against the request.
    if ($this->getRequest()->getParam('user_id') != $this->_user->id) {
        $this->_helper->getHelper('acl')->denyAccess(); // the application's own "acl" action helper
    }
    // .. snip
}
Re: ACL and Reflection
Let me propose a case I tried to solve as well:
You have a blog with two categories: PHP and PHP-pro. There are two types of users on the blog, regular users and paid users. Only the latter group can have access to the PHP-pro articles.
On the front of your blog you list the latest 10 blog posts (users see only those they are allowed to see). How would acl rules in regard to a module-controller-action handle this type of access rule?
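The PHP-pro case in this post, and the "Moderator may edit all posts in a predefined section" case earlier in the thread, are both decisions that depend on a column value of the row, which a module/controller/action rule cannot express. The usual answer is to enforce them in the data-access layer as one predicate that every code path shares: the front-page listing and the single-post page must filter with the same clause, otherwise the list hides a post that a direct link still serves. The following is an added example, not code from the thread and not Zend_Acl: `Viewer`, `PostGate`, the `posts` table and its rows are constructed for illustration, and it uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): row-level rules enforced in the data layer.

final class Viewer
{
    /** @param string[] $moderates section ids this user moderates (constructed attribute) */
    public function __construct(
        public int $id,
        public bool $paid,
        public array $moderates = [],
    ) {}
}

final class PostGate
{
    public function __construct(private PDO $db) {}

    /**
     * [SQL fragment, bound params] restricting rows to what $v may read.
     * The fragment is one of two fixed strings from this method, never user input.
     * Non-paying viewers never see the 'php-pro' category, whatever page they hit.
     */
    private function readPredicate(Viewer $v): array
    {
        return $v->paid
            ? ['1 = 1', []]
            : ['category <> :pro', [':pro' => 'php-pro']];
    }

    /** Front page: the newest $limit posts the viewer is allowed to see. */
    public function latest(Viewer $v, int $limit = 10): array
    {
        [$where, $params] = $this->readPredicate($v);
        $st = $this->db->prepare(
            "SELECT id, section, category, title FROM posts WHERE $where ORDER BY id DESC LIMIT :lim"
        );
        foreach ($params as $k => $val) { $st->bindValue($k, $val); }
        $st->bindValue(':lim', $limit, PDO::PARAM_INT);
        $st->execute();
        return $st->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Single-post page: the same predicate, so a direct /post/<id> link cannot bypass the list filter. */
    public function read(Viewer $v, int $id): ?array
    {
        [$where, $params] = $this->readPredicate($v);
        $st = $this->db->prepare(
            "SELECT id, author_id, section, category, title FROM posts WHERE id = :id AND $where"
        );
        foreach ($params as $k => $val) { $st->bindValue($k, $val); }
        $st->bindValue(':id', $id, PDO::PARAM_INT);
        $st->execute();
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    /** Edit right depends on row values: the viewer's own post, or a post in a section they moderate. */
    public function canEdit(Viewer $v, int $id): bool
    {
        $row = $this->read($v, $id); // must be readable by this viewer in the first place
        if ($row === null) {
            return false;
        }
        return (int) $row['author_id'] === $v->id
            || in_array($row['section'], $v->moderates, true);
    }
}

// Constructed schema and sample rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, section TEXT, category TEXT, title TEXT)');
$ins = $db->prepare('INSERT INTO posts (author_id, section, category, title) VALUES (?, ?, ?, ?)');
foreach ([
    [1, 'general', 'php',     'Hello'],
    [2, 'general', 'php-pro', 'Opcache internals'],
    [1, 'help',    'php',     'Need advice'],
    [2, 'help',    'php-pro', 'Profiling tips'],
] as $row) {
    $ins->execute($row);
}

$gate = new PostGate($db);
$free = new Viewer(id: 3, paid: false);
$pro  = new Viewer(id: 1, paid: true);
$mod  = new Viewer(id: 4, paid: true, moderates: ['help']);

foreach ($gate->latest($free) as $row) {
    echo "free viewer sees #{$row['id']} [{$row['category']}] {$row['title']}\n";
}
var_dump($gate->read($free, 2));   // the php-pro post fetched by id, as the free viewer
var_dump($gate->canEdit($pro, 1)); // author of post 1
var_dump($gate->canEdit($mod, 4)); // post in the moderated 'help' section
var_dump($gate->canEdit($mod, 2)); // neither own nor moderated
```

With these rows the free viewer's front page contains only the two `php` posts, and fetching post 2 by id as that viewer returns `null` rather than the row, because `read()` reuses `readPredicate()` instead of checking a role against the `posts` controller. `canEdit()` is deliberately layered on top of `read()`: an edit decision on a row the viewer may not even read is never made, and the ownership and moderated-section rules sit beside the data they inspect rather than in a front-controller table that has no access to it.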
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: ACL and Reflection
VladSun wrote: In fact, using method_exists(), get_class_methods() and related native PHP functions in the front controller (which I think is a common approach) is "reflectioning", right?
I believe that is simply relying on the runtime type information (RTTI) inherent in all dynamically typed object oriented languages.
C++ for example includes RTTI support/extension because it is required by exceptions, virtual functions, etc. However C++ does not natively support reflection or the concept of reflective programming because it requires more information than RTTI. Attempts have been made but really you would need to hack the compiler in order to include the required information.
RTTI basically gives you the ability to check for an object's 'type' at runtime instead of compile time and Reflection takes things a step further; according to the PHP docs it lets you reverse engineer classes, etc.
Querying an object for its API is interesting although I have yet to find a real use for it. It's touted as being an excellent way to document source code but it's a lot harder than it sounds and it's far easier to just parse a token list.
I suppose you could implement some interesting front controller design using reflection to invoke required methods but only if those methods exist, as opposed to relying on base objects, etc. Of course there already is a get_class_methods() but that won't tell you the exact function signature, like reflection will.
VladSun wrote: I don't think a Controller, or a Model or a View should have any knowledge of what the current user is permitted to do or not. It's simply out of their scope.
Model, View absolutely...Controller not so much. I perform access control checks in the front controller as well (actually via hook filter) however in my experience there are instances where finer grained control is required and controller checks are needed.
Consider if you have a permission for users to be only able to modify the first name of a record. If you placed this check in the front you would have some weird coupled code. This check is specific to the context of the operation and needs direct access to the model to prevent the record name from changing.
I personally separate the concept of access control and permissions in my application for the sake of clarity.
VladSun wrote: And don't bother to post questions, suggestions etc. It will help me a lot
Ummm...okay.
I've always been interested in how reflection might be useful and figured you might actually be onto something here...but forget I asked.
Just teasing. Keep the ideas coming...I might be able to use this concept in my own application.
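Property-level write control of the kind described in the last post (a user may change only the first name of a record) is the same thing as the per-property granularity VladSun asked for earlier, and it is where reflection genuinely earns its keep: declare on each model property which roles may write it, and let one reflection-driven routine enforce that for every update. What follows is an added example, not code from the thread or from any poster. `Writable`, `UserRecord`, `applyPatch()` and `PatchDenied` are hypothetical names, and the `owner` role is assumed to be computed by the caller for the specific record (the current user is the record's subject) before calling in.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): per-property write permissions declared
// as PHP 8 attributes on the model and enforced with ReflectionObject.

#[Attribute(Attribute::TARGET_PROPERTY)]
final class Writable
{
    /** @param string[] $roles roles allowed to change this property */
    public function __construct(public array $roles) {}
}

// Hypothetical model. A property without a Writable attribute is read-only for
// everyone through applyPatch(), so forgetting an attribute fails closed.
final class UserRecord
{
    #[Writable(['owner', 'admin'])]
    public string $firstName = '';

    #[Writable(['admin'])]
    public string $email = '';

    #[Writable(['admin'])]
    public bool $isAdmin = false;

    // No attribute: only the application itself ever sets the id.
    public int $id = 0;
}

final class PatchDenied extends RuntimeException {}

/**
 * Copy $input onto $record, allowing only properties that one of $roles may
 * write. Unknown or forbidden keys abort the whole patch instead of being
 * silently dropped, so a client tampering with hidden fields gets an error
 * rather than a partially applied update.
 *
 * @param array<string, mixed> $input  decoded request body (untrusted)
 * @param string[]             $roles  roles of the current user for this record
 * @return string[] names of the properties that were written
 */
function applyPatch(object $record, array $input, array $roles): array
{
    $ro = new ReflectionObject($record);
    $denied = [];
    $pending = [];
    foreach ($input as $name => $value) {
        if (!is_string($name) || !$ro->hasProperty($name)) {
            $denied[] = (string) $name;
            continue;
        }
        $prop = $ro->getProperty($name);
        $attrs = $prop->getAttributes(Writable::class);
        $allowed = $attrs !== []
            && array_intersect($attrs[0]->newInstance()->roles, $roles) !== [];
        if (!$prop->isPublic() || !$allowed) {
            $denied[] = $name;
            continue;
        }
        $pending[$name] = $value;
    }
    if ($denied !== []) {
        throw new PatchDenied('not writable: ' . implode(', ', $denied));
    }
    foreach ($pending as $name => $value) {
        // Typed properties plus strict_types still reject a wrongly typed value here.
        $record->$name = $value;
    }
    return array_keys($pending);
}

// Constructed walk-through: a user editing their own profile.
$user = new UserRecord();
$user->id = 42;

print_r(applyPatch($user, ['firstName' => 'Vlad'], ['owner']));

try {
    // Classic mass-assignment attempt: the form only shows firstName,
    // but the submitted body also carries isAdmin.
    applyPatch($user, ['firstName' => 'Vlad', 'isAdmin' => true], ['owner']);
} catch (PatchDenied $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($user->isAdmin);
```

Two choices are worth pointing out. First, the check lives next to the model, as the post argues it must: the front controller can know that "members may reach users/edit", but only something holding the record and the input can tell whether this write touches `firstName` or `isAdmin`. Second, the routine rejects the entire request when any key is not writable, instead of applying the allowed part and ignoring the rest; silently dropping fields is how mass-assignment bugs go unnoticed, because the attacker's probe returns a success response.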