Re: Extending PHP method/property modifiers
Posted: Thu Oct 23, 2008 9:44 am
by koen.h
VladSun wrote:
If I understand you right, it's still beyond the ability of the current implementation. I still can't figure out an implementation of permissions based on a value of a property of an object.
I.e. I still can't define "owner", "group" etc.
In a common situation, the query will be SELECT * FROM posts.
Then a new protected object Post is created for every row. It has a public property "text". If the ACL says: it's not readable and it's not writable then the View (again protected object) associated with object Post, property "text" will be an instance of NullObject.
It's not very clear yet, but it would be something like this.
I'm probably on the other side of the problem then. I think I have a good idea on how I can store the rules and allow for any kind of access control (eg allow to view posts but not in category 'hidden', or allow to view posts but not the latest) and get them out of the db. The problem I'm working on is what you seem to have solved: to have the permissions in the object without interfering with the object (the model is unaware of the ACL system). I can't find a way to do that without losing the ability to not have to check on an object by object basis or weaken the fine-grainedness of the permissions.
Re: Extending PHP method/property modifiers
Posted: Sat Oct 25, 2008 8:57 am
by koen.h
Can you tell me why you want your templates under access control? I'm trying to convince myself (and succeed so far) that only my models need to be access controlled. So I'm interested in reasons to extend this to templates.
My current reason not to include templates is that they provide an interface to a model. Eg if I have a main template with a subtemplate that displays the results of the latest poll, I can test whether the user has read access to the latest poll. This way I don't need to control access to the template itself.
Re: Extending PHP method/property modifiers
Posted: Sat Oct 25, 2008 9:05 am
by VladSun
Basically, because I want to remove these IFs even from the template system.
I want every subview to register itself in the ACL system with read/write flags - i.e. whether the view will provide an interface for manipulating the corresponding property, or just to show it, or both. If r/w permissions are the same as the r/w permissions of the property, the view is shown.
E.g.
username - show, no edit view
email - show and edit
password - edit
Re: Extending PHP method/property modifiers
Posted: Sat Oct 25, 2008 9:14 am
by koen.h
Without the IF's, how do you decide what to do in case of non-permission?
I mean something like this: when a post in the 'member' category is viewed, you need to display the message 'You have to be a member to view this post'. Other times you show nothing (eg your example: username - show, no edit view).
Re: Extending PHP method/property modifiers
Posted: Sat Oct 25, 2008 9:15 am
by VladSun
By registering a view with no permissions

Re: Extending PHP method/property modifiers
Posted: Sat Oct 25, 2008 9:21 am
by koen.h
VladSun wrote: By registering a view with no permissions

Cool. I must steal this somehow.
Re: Extending PHP method/property modifiers
Posted: Thu Oct 30, 2008 11:59 am
by koen.h
Any progress?
I'm making progress with my own implementation and though our orientation is somewhat different I think you could make it work like you would want it:
-no ifs (hiding the acl behind the ORM, get the objects via a ServiceProvider or DIContainer)
-return values can be anything so you could have your null objects or whatever
Code:
interface IAcl
{
    public function __construct(IUser $user, IStorage $storage);
    public function addRoleHelper($role, RoleHelper $helper);
    public function getObjects($action, $resource, IObjectFinder $finder);
}

interface IStorage
{
    public function addRole($role, array $parents = null);
    public function addResource($resource, array $parents = null);
    public function allow($role = '*', $resource = '*', $action = '*', IdentityObject $identity = null);
    public function deny($role = '*', $resource = '*', $action = '*', IdentityObject $identity = null);
}

interface IObjectFinder
{
    public function __construct(IIdentityObject $identity);
    public function retrieve();
    public function hasResult();
    public function getResult();
}

interface IIdentityObject
{
    public function getFields();
    public function eq($field, $value); // equals
    public function gt($field, $value); // greater than, etc.
}

/**
 * for dynamic roles
 * eg Creator Role: allow to edit post when creator of the post
 */
abstract class RoleHelper
{
    // declared abstract: a method without a body is only valid in an abstract class or interface
    abstract public function addTest(IUser $user, IIdentityObject $identity);
}

interface IUser {}
usage:
Code:
$identity = new IdentityObject();
$identity->eq('id', $_POST['id']);
$acl = new Acl($user, new AclDbStorage($db));
$acl->addRoleHelper('commentOwner', new CommentOwner());
$comment = $acl->getObjects('edit', 'comment', new ActiveRecordWrapper($identity));
No ifs. Return objects are determined by the object finder (independent of the actual acl).
The downside would probably be the IdentityObjects. Your models would need to build them before they can request the allowed objects to the ORM.
edit:
almost forgot: the biggest downside is probably that I'm intending to use this for domain objects only. I haven't put much thought in how I could make this work for controllers or templates.
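How an IdentityObject like the one in the post above can keep the permission check inside a single query, as an added example that is not koen.h's code. The class body, the field whitelist, the `comments` table and the owner rule are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.4+): a hypothetical IdentityObject, not koen.h's implementation.
final class IdentityObject
{
    private const OPS = ['eq' => '=', 'gt' => '>'];
    private array $allowed;      // column names the model exposes
    private array $terms = [];   // list of [column, operator, value]
    public function __construct(array $allowedFields)
    {
        $this->allowed = $allowedFields;
    }

    public function eq(string $field, $value): self { return $this->add($field, 'eq', $value); }
    public function gt(string $field, $value): self { return $this->add($field, 'gt', $value); }

    private function add(string $field, string $op, $value): self
    {
        // Column names cannot be bound as parameters, so only whitelisted ones are accepted.
        if (!in_array($field, $this->allowed, true)) {
            throw new InvalidArgumentException("unknown field: $field");
        }
        $this->terms[] = [$field, self::OPS[$op], $value];
        return $this;
    }

    /** Returns [SQL fragment with ? placeholders, values to bind]. */
    public function toWhere(): array
    {
        $sql = $params = [];
        foreach ($this->terms as [$field, $op, $value]) {
            $sql[] = "$field $op ?";
            $params[] = $value;
        }
        // Design choice: no terms means no rows, so an empty identity never selects everything.
        return [$sql ? implode(' AND ', $sql) : '1 = 0', $params];
    }
}

$db = new PDO('sqlite::memory:');   // constructed sample data
$db->exec("CREATE TABLE comments (id INTEGER, owner_id INTEGER, body TEXT)");
$db->exec("INSERT INTO comments VALUES (42, 7, 'mine'), (43, 9, 'not mine')");

$identity = (new IdentityObject(['id', 'owner_id']))->eq('id', 43); // requested id
$identity->eq('owner_id', 7);   // constraint added by the ACL layer for a "commentOwner" rule
[$where, $params] = $identity->toWhere();
$stmt = $db->prepare("SELECT id, body FROM comments WHERE $where");
$stmt->execute($params);
var_dump($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Asking for comment 43 as user 7 returns an empty result, and a field name that is not whitelisted raises an exception before any SQL is built.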
Re: Extending PHP method/property modifiers
Posted: Mon Aug 03, 2009 2:44 pm
by VladSun
VladSun wrote: koen.h wrote: Do you have to get them out of the db one by one and check them, or can you do it in one query (eg SELECT * FROM posts WHERE allowed to view)?
If I understand you right, it's still beyond the ability of the current implementation. I still can't figure out an implementation of permissions based on a value of a property of an object.
I.e. I still can't define "owner", "group" etc.
Wake up everybody!
I was thinking ... how do you feel about using Reflection method
$class->getDocComment() for defining owner, group, etc. "modifiers" to a property?
E.g.:
Code:
class MyClass
{
    /**
     * @acl-owner
     */
    public $ownerID;

    /**
     * @acl-group
     */
    public $groupID;

    /**
     * @acl-category
     */
    public $categoryID;

    // .......
}
So, my "object-wrapper" object knows which property is related to owner/group/category/etc. permissions.
I've used a similar approach in C# and it works.

Re: Extending PHP method/property modifiers
Posted: Mon Aug 03, 2009 5:24 pm
by Weirdan
VladSun wrote:
I was thinking ... how do you feel about using Reflection method $class->getDocComment() for defining owner, group, etc. "modifiers" to a property?
Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Re: Extending PHP method/property modifiers
Posted: Tue Aug 04, 2009 2:54 am
by VladSun
Weirdan wrote: Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Glad to hear someone uses this, makes me feel less weird about it
I am more concerned about the approach itself - whether it is (will be) considered a "bad practice" or not

Re: Extending PHP method/property modifiers
Posted: Tue Aug 04, 2009 3:25 am
by koen.h
VladSun wrote: Weirdan wrote: Yeah, it works. I used it to declare permissions to use object's methods remotely (in a kind of RPC server).
Glad to hear someone uses this, makes me feel less weird about it
I am more concerned about the approach itself - whether it is (will be) considered a "bad practice" or not

An alternative could be an object that stores the relationship property-acl term.
Re: Extending PHP method/property modifiers
Posted: Tue Aug 04, 2009 5:36 am
by m4rw3r
I'm using the getDocComment() for my ORM, but I don't know about performance.
(It doesn't concern me much, because I parse the doc comments and then generate code which then is cached)
I think it looks really nice, reminds me of Java's annotations.
Re: Extending PHP method/property modifiers
Posted: Tue Aug 04, 2009 5:50 am
by Eran
Just saw this, very very nice. I'm not sure if I'll have use for this in any upcoming project, but for stuff like financial systems this could be pretty useful.
Regarding performance, how about caching permissions for the lifetime of the process? (ie, once a method/property has been approved/denied always return the same value using a simple hash table). Might include a flag to indicate whether to allow caching or not. I would imagine APC could improve this a lot as well.
nice going Vlad!
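The docblock approach VladSun describes, combined with the per-process caching Eran suggests, as an added example that is not code from any poster in this thread. `AclPropertyMap` and `Post` are hypothetical names, and what is cached here is the parsed property map per class, not individual permission decisions.

```php
<?php
// Added example (PHP 7.4+). AclPropertyMap and Post are hypothetical names.
final class AclPropertyMap
{
    /** class name => [acl term => property name] */
    private static array $cache = [];

    public static function forClass(string $class): array
    {
        if (isset(self::$cache[$class])) {
            return self::$cache[$class];   // docblocks are parsed once per process
        }
        $map = [];
        foreach ((new ReflectionClass($class))->getProperties() as $prop) {
            $doc = $prop->getDocComment(); // false when the property has no docblock
            if ($doc === false) {
                continue;
            }
            // A tag counts only at the start of a docblock line, e.g. " * @acl-owner".
            preg_match_all('/^\s*\/?\*+\s*@acl-([a-z]+)\b/m', $doc, $m);
            foreach ($m[1] as $term) {
                if (isset($map[$term])) {
                    throw new LogicException("$class: @acl-$term declared twice");
                }
                $map[$term] = $prop->getName();
            }
        }
        return self::$cache[$class] = $map;
    }
}

class Post
{
    /**
     * @acl-owner
     */
    public $ownerID;
    /**
     * @acl-group
     */
    public $groupID;
    public $text;   // no ACL term
}

var_export(AclPropertyMap::forClass(Post::class));
```

With `opcache.save_comments=0` the docblocks are discarded and `getDocComment()` returns false, so the map comes back empty; a wrapper built on it should treat a missing term as a denial.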

Re: Extending PHP method/property modifiers
Posted: Tue Aug 04, 2009 5:56 am
by koen.h
Going the performance route, I'm going to reask the following question:
"Do you have to get them out of the db one by one and check them, or can you do it in one query (eg SELECT * FROM posts WHERE allowed to view)?"
I think the solution will work when you have the object, but how do you know what objects you can retrieve from a database?
Re: Extending PHP method/property modifiers
Posted: Wed Aug 05, 2009 8:25 am
by Jenk
Something other than the performance topic.. use class constants instead of global. Global dependencies are a smell.
