API critique wanted for my RBAC/ACL


koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: API critique wanted for my RBAC/ACL

Post by koen.h »

josh wrote: As in, pass the post's status to the ACL, the ACL would handle checking if it is "allowed" for a given status ( rather than getting back an object you have to "poke at" further to get a simple true/false )

So you would have a 4th optional "context" parameter that could be anything ( a post's status, the request method GET vs POST, etc.. any "context" you needed to be conditional )... these contexts would work like a second "permission" ( the resource, role, permission, AND context would all have to match )

Originally I wanted it to do this, and have given it a lot of thought, but I don't see a way to do this that would be acceptable (performance, API and design-wise).

I think this is more or less what ZF wants assertions to do. The result is that you're almost building an access control within the access control.

Actually what I currently have is not far from it. I see the connection but don't know how to implement access on object(types) contained by other object(types). I'll explain with an example in pseudo-code. What I have now is something like this:

create a type 'post'
allow role action 'view' on type 'post' // the rule
create a type 'draft', which is type 'post' with property 'status' = 'draft'
deny role action 'view' on type 'draft' // other rule

Now we would like to implement a wider context. Say I have multiple sites and only want to allow this role to view type 'post' on site specialSite.com. How can I create a rule that expresses this? And how would the access check be expressed? It's easy to express access on a type that contains another type (e.g. a 'post' that has a property which is a 'tag'). But not as easy to express when the type is contained by another type:

allow role action 'view' on type ... ?
allow role action 'view' on object ... ?

How to express this context? If you have any suggestions I'll gladly look into them.

josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: API critique wanted for my RBAC/ACL

Post by josh »

koen.h wrote: Say I have multiple sites and only want to allow this role to view type 'post' on site specialSite.com. How can I create a rule that expresses this?
I would "salt" it into the context, so you would concatenate the strings or if these were a recurring problem I would add a second context ( or call it website just for the sake of sanity ) as a second parameter

koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: API critique wanted for my RBAC/ACL

Post by koen.h »

josh wrote:
koen.h wrote: Say I have multiple sites and only want to allow this role to view type 'post' on site specialSite.com. How can I create a rule that expresses this?
I would "salt" it into the context, so you would concatenate the strings or if these were a recurring problem I would add a second context ( or call it website just for the sake of sanity ) as a second parameter
I don't understand this. The context is what should, somehow, be a parameter in the rule. Now we have role, action and an object or type of objects as parameters.

Adding a context as fourth parameter like in: allow('guest', 'view', 'post', $contextObject) makes it even more difficult and processor intensive to find a matching rule when client code asks: isAllowed('guest', 'view', 'post', $partialOverlappingContextObject). Maybe I have to show how this would be processed but it's not pretty and very difficult to cache.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: API critique wanted for my RBAC/ACL

Post by josh »

The context would be a string

$context = 'draft';

or...

$context = 'draft-website1';

or $context1 = 'draft'; $context2 = 'website1';

Shouldn't be "processor intensive" at all. If I can regex a 100MB .html file in a few seconds on an old Pentium I'm sure your ACL class will run fine. Honestly... querying databases, too much aggressive loading, and obscene amounts of file inclusion are 99% of all PHP slowness.
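
One way the string-context idea discussed above could look, as an added example (not code from any poster in this thread): status and site are separate optional rule dimensions, a check is a handful of hash probes, a deny beats an allow of equal specificity, and no match means deny. The `ContextAcl` class, the `'*'` wildcard and the tier ordering are assumptions made for illustration.

```php
<?php
// Added example: ContextAcl is a hypothetical class, not the ACL under review.
final class ContextAcl
{
    private const ANY = '*';
    private array $rules = []; // rule key => true (allow) / false (deny)

    public function allow(string $role, string $action, string $type,
        string $status = self::ANY, string $site = self::ANY): void
    {
        $this->rules[self::key($role, $action, $type, $status, $site)] = true;
    }

    public function deny(string $role, string $action, string $type,
        string $status = self::ANY, string $site = self::ANY): void
    {
        $this->rules[self::key($role, $action, $type, $status, $site)] = false;
    }

    public function isAllowed(string $role, string $action, string $type,
        string $status, string $site): bool
    {
        $tiers = [ // most specific first; each candidate is one hash probe
            [[$status, $site]],
            [[$status, self::ANY], [self::ANY, $site]],
            [[self::ANY, self::ANY]],
        ];
        foreach ($tiers as $tier) {
            $keys = array_map(fn (array $c) => self::key($role, $action, $type, ...$c), $tier);
            $hits = array_intersect_key($this->rules, array_flip($keys));
            if ($hits !== []) {
                return !in_array(false, $hits, true); // a deny in the tier wins
            }
        }
        return false; // no matching rule: default deny
    }

    private static function key(string ...$parts): string
    {
        // JSON keeps parts apart: ['draft','site-1'] never equals ['draft-site','1'].
        return json_encode($parts, JSON_THROW_ON_ERROR);
    }
}
// Constructed rules for the scenario in the thread.
$acl = new ContextAcl();
$acl->allow('guest', 'view', 'post', '*', 'specialSite.com');
$acl->deny('guest', 'view', 'post', 'draft');
var_dump($acl->isAllowed('guest', 'view', 'post', 'published', 'specialSite.com'));
var_dump($acl->isAllowed('guest', 'view', 'post', 'draft', 'specialSite.com'));
var_dump($acl->isAllowed('guest', 'view', 'post', 'published', 'other.example'));
```

A draft on specialSite.com matches both the site allow and the draft deny in the same tier, so the deny decides; a post on a site with no rule falls through to the default deny.
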
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: API critique wanted for my RBAC/ACL

Post by Christopher »

koen.h wrote:Adding a context as fourth parameter like in: allow('guest', 'view', 'post', $contextObject) makes it even more difficult and processor intensive to find a matching rule when client code asks: isAllowed('guest', 'view', 'post', $partialOverlappingContextObject). Maybe I have to show how this would be processed but it's not pretty and very difficult to cache.
I have lost track of the current state of the design, and when I see calls like the above it makes me think that the dependencies have gone the wrong direction. What is the current API? And do you have some test code we can try? I would like to re-understand the problem because this is a topic with too many details to casually follow in a discussion.
(#10850)