VladSun wrote:
> If I understand you right, it's still beyond the ability of the current implementation. I still can't figure out an implementation of permissions based on a value of a property of an object.
> I.e. I still can't define "owner", "group" etc.
> In a common situation, the query will be SELECT * FROM posts.
> Then a new protected object Post is created for every row. It has a public property "text". If the ACL says: it's not readable and it's not writable then the View (again protected object) associated with object Post, property "text" will be an instance of NullObject.
> It's not very clear yet, but it would be something like this.
I'm probably on the other side of the problem then. I think I have a good idea on how I can store the rules and allow for any kind of access control (eg allow to view posts but not in category 'hidden', or allow to view posts but not the latest) and get them out of the db. The problem I'm working on is what you seem to have solved: to have the permissions in the object without interfering with the object (the model is unaware of the ACL system). I can't find a way to do that without losing the ability to not have to check on an object by object basis or weaken the fine-grainedness of the permissions.
Extending PHP method/property modifiers
Re: Extending PHP method/property modifiers
Can you tell me why you want your templates under access control? I'm trying to convince myself (and succeed so far) that only my models need to be access controlled. So I'm interested in reasons to extend this to templates.
My current reason not to include templates is that they provide an interface to a model. Eg if I have a main template with a subtemplate that displays the results of the latest poll, I can test whether the user has read access to the latest poll. This way I don't need to control access to the template itself.
Re: Extending PHP method/property modifiers
Basically, because I want to remove these IFs even from the template system.
I want every subview to register itself in the ACL system with read/write flags - i.e. whether the view will provide an interface for manipulating the corresponding property, or just to show it, or both. If r/w permissions are the same as the r/w permissions of the property, the view is shown.
E.g.
username - show, no edit view
email - show and edit
password - edit
There are 10 types of people in this world, those who understand binary and those who don't
Re: Extending PHP method/property modifiers
Without the IF's, how do you decide what to do in case of non-permission?
I mean something like this: when a post in the 'member' category is viewed, you need to display the message 'You have to be a member to view this post'. Other times you show nothing (eg your example: username - show, no edit view).
Re: Extending PHP method/property modifiers
By registering a view with no permissions 
Re: Extending PHP method/property modifiers
VladSun wrote:
> By registering a view with no permissions
Cool. I must steal this somehow.
Re: Extending PHP method/property modifiers
Any progress?
I'm making progress with my own implementation and though our orientation is somewhat different I think you could make it work like you would want it:
-no ifs (hiding the acl behind the ORM, get the objects via a ServiceProvider or DIContainer)
-return values can be anything so you could have your null objects or whatever
Code:
    interface IAcl
    {
        public function __construct(IUser $user, IStorage $storage);
        // Attach a helper that decides membership of a dynamic role.
        public function addRoleHelper($role, RoleHelper $helper);
        // Return only the objects the user may perform $action on.
        public function getObjects($action, $resource, IObjectFinder $finder);
    }

    interface IStorage
    {
        public function addRole($role, array $parents = null);
        public function addResource($resource, array $parents = null);
        public function allow($role = '*', $resource = '*', $action = '*', IIdentityObject $identity = null);
        public function deny($role = '*', $resource = '*', $action = '*', IIdentityObject $identity = null);
    }

    interface IObjectFinder
    {
        public function __construct(IIdentityObject $identity);
        public function retrieve();
        public function hasResult();
        public function getResult();
    }

    interface IIdentityObject
    {
        public function getFields();
        public function eq($field, $value); // equals
        public function gt($field, $value); // greater than, etc.
    }

    /**
     * for dynamic roles
     * eg Creator Role: allow to edit post when creator of the post
     */
    abstract class RoleHelper
    {
        // Declared abstract: a method without a body is not valid in a concrete class.
        abstract public function addTest(IUser $user, IIdentityObject $identity);
    }

    interface IUser {}
usage:
Code:
    // Describe the requested object; the ACL adds its own restrictions.
    $identity = new IdentityObject();
    $identity->eq('id', $_POST['id']);
    $acl = new Acl($user, new AclDbStorage($db));
    $acl->addRoleHelper('commentOwner', new CommentOwner());
    $comment = $acl->getObjects('edit', 'comment', new ActiveRecordWrapper($identity));
No ifs. Return objects are determined by the object finder (independent of the actual acl).
The downside would probably be the IdentityObjects. Your models would need to build them before they can request the allowed objects to the ORM.
edit:
almost forgot: the biggest downside is probably that I'm intending to use this for domain objects only. I haven't put much thought in how I could make this work for controllers or templates.
Re: Extending PHP method/property modifiers
VladSun wrote:
> koen.h wrote:
> > Do you have to get them out of the db one by one and check them, or can you do it in one query (eg SELECT * FROM posts WHERE allowed to view)?
> If I understand you right, it's still beyond the ability of the current implementation. I still can't figure out an implementation of permissions based on a value of a property of an object.
> I.e. I still can't define "owner", "group" etc.
Wake up everybody!
I was thinking ... how do you feel about using Reflection method $class->getDocComment() for defining owner, group, etc. "modifiers" to a property?
E.g.:
Code:
    class MyClass
    {
        /**
         * @acl-owner
         */
        public $ownerID;

        /**
         * @acl-group
         */
        public $groupID;

        /**
         * @acl-category
         */
        public $categoryID;

        // ...
    }
I've used a similar approach in C# and it works.
Re: Extending PHP method/property modifiers
VladSun wrote:
> I was thinking ... how do you feel about using Reflection method $class->getDocComment() for defining owner, group, etc. "modifiers" to a property?
Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Re: Extending PHP method/property modifiers
Weirdan wrote:
> Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Glad to hear someone uses this, makes me feel less weird about it
I am more concerned about the approach itself - whether it is (will be) considered a "bad practice" or not
Re: Extending PHP method/property modifiers
VladSun wrote:
> Weirdan wrote:
> > Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
> Glad to hear someone uses this, makes me feel less weird about it
> I am more concerned about the approach itself - whether it is (will be) considered a "bad practice" or not
An alternative could be an object that stores the relationship property-acl term.
Re: Extending PHP method/property modifiers
I'm using the getDocComment() for my ORM, but I don't know about performance.
(It doesn't concern me much, because I parse the doc comments and then generate code which then is cached)
I think it looks really nice, reminds me of Java's annotations.
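The getDocComment() approach discussed above, combined with parsing each class only once, as an added example that is not code from any poster in this thread. The names AclAnnotationReader, Post and isOwner() are hypothetical; only the @acl-* tag names come from the thread.

```php
<?php
// Added example: AclAnnotationReader, Post and isOwner() are hypothetical names.
final class AclAnnotationReader
{
    /** @var array<string, array<string, string>> class => [acl term => property] */
    private static array $cache = [];
    public static function read(string $class): array
    {
        if (isset(self::$cache[$class])) {
            return self::$cache[$class]; // parsed once per process
        }
        $map = [];
        foreach ((new ReflectionClass($class))->getProperties() as $prop) {
            $doc = $prop->getDocComment(); // false when there is no docblock
            if ($doc === false || !preg_match_all('/@acl-([a-z]+)\b/', $doc, $m)) {
                continue;
            }
            foreach ($m[1] as $term) {
                if (isset($map[$term])) { // two owners would be ambiguous
                    throw new LogicException("Duplicate @acl-$term in $class");
                }
                $map[$term] = $prop->getName();
            }
        }
        return self::$cache[$class] = $map;
    }
}

class Post
{
    /** @acl-owner */
    public $ownerID;
    /** @acl-group */
    public $groupID;
    public $text;
}

// The check reads the annotation; Post itself contains no ACL code.
function isOwner(object $obj, int $userId): bool
{
    $prop = AclAnnotationReader::read(get_class($obj))['owner'] ?? null;
    if ($prop === null || $obj->$prop === null) {
        return false; // no annotation or no owner recorded: deny
    }
    return (int) $obj->$prop === $userId;
}
$post = new Post();
$post->ownerID = '7'; // constructed sample value, as a DB driver would return it
var_dump(isOwner($post, 7), isOwner($post, 8));
```

When OPcache runs with opcache.save_comments=0, getDocComment() returns false for every property, so any check built on these tags has to deny when the annotation is missing, as isOwner() does here.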
Re: Extending PHP method/property modifiers
Just saw this, very very nice. I'm not sure if I'll have use for this in any upcoming project, but for stuff like financial systems this could be pretty useful.
Regarding performance, how about caching permissions for the lifetime of the process? (ie, once a method/property has been approved/denied always return the same value using a simple hash table). Might include a flag to indicate whether to allow caching or not. I would imagine APC could improve this a lot as well.
nice going Vlad!
Re: Extending PHP method/property modifiers
Going the performance route, I'm going to reask the following question:
"Do you have to get them out of the db one by one and check them, or can you do it in one query (eg SELECT * FROM posts WHERE allowed to view)?"
I think the solution will work when you have the object, but how do you know what objects you can retrieve from a database?
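One way to answer the question above in a single query, as an added example that is not code from any poster in this thread: the ACL rule is expressed as field conditions and compiled into a parameterized WHERE clause, so the database returns only permitted rows. eq() and gt() mirror the IIdentityObject interface posted earlier; toWhere(), the posts schema and the sample rows are assumptions.

```php
<?php
// Added example. eq()/gt() mirror the IIdentityObject interface in the thread;
// toWhere(), the posts schema and the sample rows are assumptions.
final class IdentityObject
{
    private array $conds = [];
    private array $allowed;

    public function __construct(array $allowedFields)
    {
        $this->allowed = $allowedFields;
    }

    public function eq(string $f, $v): self { return $this->add($f, '=', $v); }
    public function gt(string $f, $v): self { return $this->add($f, '>', $v); }

    private function add(string $field, string $op, $value): self
    {
        // Column names cannot be bound as parameters, so allow-list them.
        if (!in_array($field, $this->allowed, true)) {
            throw new InvalidArgumentException("Unknown field: $field");
        }
        $this->conds[] = [$field, $op, $value];
        return $this;
    }

    /** @return array{0: string, 1: array} WHERE fragment and values to bind */
    public function toWhere(): array
    {
        if ($this->conds === []) {
            return ['0 = 1', []]; // no rule matched: return no rows
        }
        $sql = array_map(fn($c) => "{$c[0]} {$c[1]} ?", $this->conds);
        return [implode(' AND ', $sql), array_column($this->conds, 2)];
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER, owner_id INTEGER, category TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 7, 'public'), (2, 8, 'hidden'), (3, 7, 'hidden')");

// ACL rule for user 7 on action "edit": only rows the user owns.
$rule = (new IdentityObject(['id', 'owner_id', 'category']))->eq('owner_id', 7);
[$where, $params] = $rule->toWhere();
$stmt = $db->prepare("SELECT id, category FROM posts WHERE $where");
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```

An empty rule set compiles to a condition that matches nothing, so a missing rule denies access instead of returning the whole table.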
Re: Extending PHP method/property modifiers
Something other than the performance topic.. use class constants instead of global. Global dependencies are a smell. 