Geek Answers Handbook

PHP - Where to place RBAC and Authentification in an MVC application?

I am working on an MVC application with this structure:

Request V FrontController <-> Router V Controller <-> Model V View

I have two other components that I need to place in this structure:

  • Authentification : logs in the user using the global variable $_SESSION ;
  • RBAC : Role-based access control that can check if the role has access to the "ressource" ( Controller ) method.

Each user can have any given number of roles (they may also have no roles).

Now I need to place these two components in my applications, I need them to be able to:

  • If User not completed and that Request requires the execution of ahedhed User , the client should be redirected to the login page;
  • If RBAC sees that authed User does not have a role that has access to the required "ressource" to execute the Controller method, the Controller method must be executed, but with that User does not have permission ( Example : A User writes an article, but does not have the right to publish her, so the article is saved as a draft and User says that a Moderator will have to publish it).

I already have some ideas where to find Authentification and RBAC , but I'm not sure:

  • Authentification can go to FrontController or Router ;
  • RBAC can be in FrontController or Controller .

I saw someone put RBAC in a model, but I don't understand why.

I would like to get some idea on this, please. Where should I put the Authentification and RBAC components?

Thanks!

+5
source share
2 answers

In a typical MVC application, authentication (i.e. "if not auth, then stopping and rendering the login page instead") is very early in processing the request, while business logic (i.e. "if the user has this permission then it happens, otherwise it happens ") is processed inside the" C "(controller).

Most frameworks have a mechanism for tests, such as the authentication you describe, the names change, but I often saw this as being called "middleware."

Role-based access control is your implementation.

+1
source

In my experience, the business logic of access control changes with the addition of new features, so it pays for the flexibility and portability of the design in your access control system. Thus, I would develop Authentication and RBAC as separate features, and then incorporate these features into the controller space as needed.

As already mentioned, it looks like the authentication tag is best included in your front controller: you know that all dependent controllers require authentication, so enable this check at the beginning of the life cycle to free socket requests. If your requirements ever change to require some controllers that can be disabled, you can translate the trait to specific controllers or to the base class of the controller.

As for RBAC, which can be applied globally to all controllers, as well as locally to some controllers. For example, your FrontController may request RBAC to build a routing table, while dependent controllers will use RBAC for their specific needs.

One thing to keep in mind though: you may also have some RBAC model needs. That is, some roles may have limited access to some fields in some models: role A can access the entire model X, but only fields 1, 2 and 3 of model X can read role B. (Believe me, I saw very, very complex rules around roles that can see and act in which fields.)

RBAC engineering as a feature of the controller can make it difficult to transfer the simulation to model space. Thus, you might be better off designing RBAC as a service delegate and introducing it on demand. With a well-prepared IoC container, a service delegate is as simple as compiling time.

Finally, I will add that you want both of them to be under severe ordeal (in the end, they are important). So, whatever you choose, engineer so that they can be tested. In my opinion, both features and delegates are easily tested in isolation, and this will be a good choice for implementing the necessary logic.

+2
source

More articles:


All Articles