Extending PHP method/property modifiers


koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

VladSun wrote: If I understand you right, it's still beyond the ability of the current implementation. I still can't figure out an implementation of permissions based on a value of a property of an object.

I.e. I still can't define "owner", "group" etc.

In a common situation, the query will be SELECT * FROM posts.
Then a new protected object Post is created for every row. It has a public property "text". If the ACL says: it's not readable and it's not writable then the View (again protected object) associated with object Post, property "text" will be an instance of NullObject.
It's not very clear yet, but it would be something like this.
I'm probably on the other side of the problem then. I think I have a good idea on how I can store the rules and allow for any kind of access control (eg allow to view posts but not in category 'hidden', or allow to view posts but not the latest) and get them out of the db. The problem I'm working on is what you seem to have solved: to have the permissions in the object without interfering with the object (the model is unaware of the ACL system). I can't find a way to do that without losing the ability to not have to check on an object by object basis or weaken the fine-grainedness of the permissions.
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

Can you tell me why you want your templates under access control? I'm trying to convince myself (and succeed so far) that only my models need to be access controlled. So I'm interested in reasons to extend this to templates.

My current reason not to include templates is that they provide an interface to a model. Eg if I have a main template with a subtemplate that displays the results of the latest poll, I can test whether the user has read access to the latest poll. This way I don't need to control access to the template itself.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Extending PHP method/property modifiers

Post by VladSun »

Basically, because I want to remove these IFs even from the template system.
I want every subview to register itself in the ACL system with read/write flags - i.e. whether the view will provide an interface for manipulating the corresponding property, or just to show it, or both. If r/w permissions are the same as the r/w permissions of the property, the view is shown.
E.g.
username - show, no edit view
email - show and edit
password - edit
There are 10 types of people in this world, those who understand binary and those who don't
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

Without the IF's, how do you decide what to do in case of non-permission?

I mean something like this: when a post in the 'member' category is viewed, you need to display the message 'You have to be a member to view this post'. Other times you show nothing (eg your example: username - show, no edit view).
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Extending PHP method/property modifiers

Post by VladSun »

By registering a view with no permissions :)
There are 10 types of people in this world, those who understand binary and those who don't
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

VladSun wrote:By registering a view with no permissions :)
Cool. I must steal this somehow.
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

Any progress?

I'm making progress with my own implementation and though our orientation is somewhat different I think you could make it work like you would want it:
-no ifs (hiding the acl behind the ORM, get the objects via a ServiceProvider or DIContainer)
-return values can be anything so you could have your null objects or whatever

Code:

interface IAcl
{
    public function __construct(IUser $user, IStorage $storage);
    public function addRoleHelper($role, RoleHelper $helper);
    // returns whatever the finder yields for the objects the user may act on
    public function getObjects($action, $resource, IObjectFinder $finder);
}

interface IStorage
{
    public function addRole($role, array $parents = null);
    public function addResource($resource, array $parents = null);
    public function allow($role = '*', $resource = '*', $action = '*', IdentityObject $identity = null);
    public function deny($role = '*', $resource = '*', $action = '*', IdentityObject $identity = null);
}

interface IObjectFinder
{
    public function __construct(IIdentityObject $identity);
    public function retrieve();
    public function hasResult();
    public function getResult();
}

interface IIdentityObject
{
    public function getFields();
    public function eq($field, $value); // equals
    public function gt($field, $value); // greater than, etc.
}

/**
 * for dynamic roles
 * eg Creator Role: allow to edit post when creator of the post
 */
abstract class RoleHelper
{
    // declared abstract: a method without a body is a syntax error in a concrete class
    abstract public function addTest(IUser $user, IIdentityObject $identity);
}

interface IUser {}

usage:

Code:

// $user and $db are provided by the application
$identity = new IdentityObject();
$identity->eq('id', $_POST['id']);
$acl = new Acl($user, new AclDbStorage($db));
$acl->addRoleHelper('commentOwner', new CommentOwner());
$comment = $acl->getObjects('edit', 'comment', new ActiveRecordWrapper($identity));

No ifs. Return objects are determined by the object finder (independent of the actual acl).
The downside would probably be the IdentityObjects. Your models would need to build them before they can request the allowed objects from the ORM.

edit:
almost forgot: the biggest downside is probably that I'm intending to use this for domain objects only. I haven't put much thought into how I could make this work for controllers or templates.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Extending PHP method/property modifiers

Post by VladSun »

VladSun wrote:
koen.h wrote:Do you have to get them out of the db one by one and check them, or can you do it in one query (eg SELECT * FROM posts WHERE allowed to view)?
If I understand you right, it's still beyond the ability of the current implementation. I still can't figure out an implementation of permissions based on a value of a property of an object.

I.e. I still can't define "owner", "group" etc.
Wake up everybody! :)

I was thinking ... how do you feel about using the Reflection method $class->getDocComment() for defining owner, group, etc. "modifiers" to a property?
E.g.:

Code:

class MyClass
{
    /**
     * @acl-owner
     */
    public $ownerID;

    /**
     * @acl-group
     */
    public $groupID;

    /**
     * @acl-category
     */
    public $categoryID;

    // ...
}

So, my "object-wrapper" object knows which property is related to owner/group/category/etc. permissions.
I've used a similar approach in C# and it works. :)
There are 10 types of people in this world, those who understand binary and those who don't
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Extending PHP method/property modifiers

Post by Weirdan »

VladSun wrote: I was thinking ... how do you feel about using the Reflection method $class->getDocComment() for defining owner, group, etc. "modifiers" to a property?
Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Extending PHP method/property modifiers

Post by VladSun »

Weirdan wrote:Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Glad to hear someone uses this, makes me feel less weird about it :mrgreen:

I am more concerned about the approach itself - whether it is (will be) considered a "bad practice" or not :)
There are 10 types of people in this world, those who understand binary and those who don't
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

VladSun wrote:
Weirdan wrote:Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Glad to hear someone uses this, makes me feel less weird about it :mrgreen:

I am more concerned about the approach itself - whether it is (will be) considered a "bad practice" or not :)
An alternative could be an object that stores the relationship property-acl term.
m4rw3r
Forum Commoner
Posts: 33
Joined: Mon Aug 03, 2009 4:19 pm
Location: Sweden

Re: Extending PHP method/property modifiers

Post by m4rw3r »

I'm using the getDocComment() for my ORM, but I don't know about performance.
(It doesn't concern me much, because I parse the doc comments and then generate code which then is cached)

I think it looks really nice, reminds me of Java's annotations.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Extending PHP method/property modifiers

Post by Eran »

Just saw this, very very nice. I'm not sure if I'll have use for this in any upcoming project, but for stuff like financial systems this could be pretty useful.

Regarding performance, how about caching permissions for the lifetime of the process? (ie, once a method/property has been approved/denied always return the same value using a simple hash table). Might include a flag to indicate whether to allow caching or not. I would imagine APC could improve this a lot as well.

nice going Vlad! :)
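
The getDocComment() annotation idea and the per-process caching suggestion discussed above, combined in one sketch. This is an added example, not code posted by any participant in the thread; AclTagReader, canEdit() and Post are hypothetical names, and only the @acl-owner tag comes from the thread.

```php
<?php
// Added example, not from the thread; AclTagReader, canEdit(), Post are hypothetical.
final class AclTagReader
{
    /** @var array<string, array<string, string>> class => [ACL term => property] */
    private static array $cache = [];
    public static function map(string $class): array
    {
        if (isset(self::$cache[$class])) {
            return self::$cache[$class];           // parsed once per process
        }
        $map = [];
        $ref = new ReflectionClass($class);
        foreach ($ref->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
            $doc = $prop->getDocComment();         // false when no doc comment exists
            if ($doc === false || !preg_match_all('/@acl-([a-z]+)\b/', $doc, $m)) {
                continue;
            }
            foreach ($m[1] as $term) {
                if (isset($map[$term])) {          // two properties claim one term
                    throw new LogicException("Duplicate @acl-$term in $class");
                }
                $map[$term] = $prop->getName();
            }
        }
        return self::$cache[$class] = $map;
    }
}

// Deny by default: a class without an @acl-owner tag (or one whose comments
// were stripped, e.g. opcache.save_comments=0) is treated as not editable.
function canEdit(object $resource, int $userId): bool
{
    $map = AclTagReader::map(get_class($resource));
    return isset($map['owner']) && $resource->{$map['owner']} === $userId;
}

class Post                                          // constructed sample model
{
    /**
     * @acl-owner
     */
    public int $ownerID = 0;
    public string $text = '';
}

$post = new Post();
$post->ownerID = 42;
var_dump(canEdit($post, 42), canEdit($post, 7), canEdit(new stdClass(), 42));
```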
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: Extending PHP method/property modifiers

Post by koen.h »

Going the performance route, I'm going to re-ask the following question:

"Do you have to get them out of the db one by one and check them, or can you do it in one query (eg SELECT * FROM posts WHERE allowed to view)?"

I think the solution will work when you have the object, but how do you know what objects you can retrieve from a database?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: Extending PHP method/property modifiers

Post by Jenk »

Something other than the performance topic.. use class constants instead of global. Global dependencies are a smell. :)