Role Based Access Control - The Right MVC Template

I started using the MVC pattern six months ago, and I still have some misunderstandings.

Now I want to implement role-based access control in my application. However, my question is not about RBAC, but about MVC.

My RBAC implementation is as follows: user -> role -> permission, so each user (e.g. userA) can have many roles (e.g. reader, editor, admin), and each role can have many permissions (read, update, delete, etc.).

MySQL Tables

  • users (user list)
  • roles (list of roles)
  • permissions (list of permissions)
  • role_permissions (list of role -> permission connections, e.g. editor -> update)
  • users_roles (list of user -> role connections, e.g. userA -> editor)

Now my question is: how do I implement this in MVC? Do you have a separate model for each of users, roles, permissions, role_permissions and users_roles, and then an authManager class that creates users, roles, permissions, role_permissions and user_roles? Is that correct? Is there a better, maybe more elegant, way?

+7
4 answers

Basically, I would stick with one of Kohana's many existing ACL libraries instead of writing my own (or at least trying them to fit your needs).

You can check this thread (Wouter's A1, A2 and ACL modules) - http://forum.kohanaframework.org/discussion/1988/releases-a1-authentication-acl-acl-for-kohana-a2-object-level-authorization/p1
It is constantly updated and maintained, and is available for version 3.2.

If you feel that the Wouter modules are complex, you can also check the Vendo ACL module, which is very simple and eliminates many complications - https://github.com/vendo/acl
Examples of use - http://forum.kohanaframework.org/discussion/9517/getting-started-with-vendo-acl/p1

+8

Usually you want to use an ACL class/library for this, since what you are describing is an ACL. I don't know Kohana, but from a quick google I found this Kohana ACL library: https://github.com/synapsestudios/kohana-acl

But basically, you really need models to manage individual objects in ACLs, such as users, roles, and permissions. Then talk to ACL-api in your controllers or other libraries to determine access to specific parts of your application.

+2
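The split this answer describes (models for users, roles and permissions, plus one ACL API that the controllers call) can be shown against the five-table schema from the question. The following is an added example, not code from the original thread or from any of the Kohana modules mentioned; the SQL is the substance and Python's built-in sqlite3 is only used as a runnable stand-in for MySQL. The table and column names follow the question (users, roles, permissions, users_roles, role_permissions); the column names inside them, the sample rows, and the AuthManager class are constructed assumptions.

```python
import sqlite3

# Schema for the five tables named in the question. Column names are assumed:
# a permission is a (resource, privilege) pair, matching the Zend_Acl usage
# elsewhere in this thread (e.g. resource 'events', privilege 'add').
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (
    id INTEGER PRIMARY KEY,
    resource TEXT NOT NULL,
    privilege TEXT NOT NULL,
    UNIQUE (resource, privilege)
);
CREATE TABLE users_roles (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id)
);
CREATE TABLE role_permissions (
    role_id INTEGER NOT NULL REFERENCES roles(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (role_id, permission_id)
);
"""

# Constructed sample data: userA is reader + editor, userB is reader only.
SAMPLE_DATA = """
INSERT INTO users (id, name) VALUES (1, 'userA'), (2, 'userB');
INSERT INTO roles (id, name) VALUES (1, 'reader'), (2, 'editor'), (3, 'admin');
INSERT INTO permissions (id, resource, privilege) VALUES
    (1, 'events', 'read'), (2, 'events', 'update'), (3, 'events', 'delete');
INSERT INTO users_roles (user_id, role_id) VALUES (1, 1), (1, 2), (2, 1);
INSERT INTO role_permissions (role_id, permission_id) VALUES
    (1, 1), (2, 1), (2, 2), (3, 1), (3, 2), (3, 3);
"""

# The one query the model layer needs: user -> roles -> permissions via the
# two link tables. Any matching row means "allowed"; no row means "denied".
PERMISSION_QUERY = """
SELECT 1
FROM users u
JOIN users_roles ur ON ur.user_id = u.id
JOIN role_permissions rp ON rp.role_id = ur.role_id
JOIN permissions p ON p.id = rp.permission_id
WHERE u.name = ? AND p.resource = ? AND p.privilege = ?
LIMIT 1
"""

EFFECTIVE_QUERY = """
SELECT DISTINCT p.resource, p.privilege
FROM users u
JOIN users_roles ur ON ur.user_id = u.id
JOIN role_permissions rp ON rp.role_id = ur.role_id
JOIN permissions p ON p.id = rp.permission_id
WHERE u.name = ?
ORDER BY p.resource, p.privilege
"""


def open_db():
    """Create an in-memory database loaded with the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


class AuthManager:
    """Model-layer ACL API (hypothetical): controllers call only is_allowed()."""

    def __init__(self, conn):
        self.conn = conn

    def is_allowed(self, username, resource, privilege):
        # Values are bound as parameters, never interpolated into the SQL,
        # and an unknown user or permission simply yields no row (deny by default).
        row = self.conn.execute(PERMISSION_QUERY, (username, resource, privilege)).fetchone()
        return row is not None

    def effective_permissions(self, username):
        # Union of the permissions of every role the user holds.
        return list(self.conn.execute(EFFECTIVE_QUERY, (username,)).fetchall())


def check_access(auth, username, resource, privilege):
    """Controller-side guard: raise instead of redirecting, so it is testable."""
    if not auth.is_allowed(username, resource, privilege):
        raise PermissionError(f"{username} may not {privilege} {resource}")
    return True


if __name__ == "__main__":
    auth = AuthManager(open_db())
    print(auth.effective_permissions("userA"))   # [('events', 'read'), ('events', 'update')]
    print(auth.is_allowed("userB", "events", "update"))   # False
```

The controllers never see the link tables: they ask the AuthManager whether a user may perform a privilege on a resource, and the role-to-permission resolution stays inside the model and its one join query, which is the separation the answer above recommends.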

I copy/paste the code of the main controller of my KohanaPHP application, assuming that we already have Zend_Acl enabled.

Please note that I have user permissions, not group permissions, although this can be easily edited.

    <?php defined('SYSPATH') OR exit('No direct script access.');

    class Controller_Application extends Controller_Template {

        protected static $acl;
        public $template = 'default';

        public function before()
        {
            parent::before();
            session_start();
            // Build a fresh ACL and load the logged-in user's permissions on every request
            self::$acl = new Zend_Acl();
            $this->set_permissions($_SESSION['userid']);
        }

        /**
         * Returns TRUE when the current user holds $privilege on $resource,
         * FALSE otherwise; with $redirect = TRUE a denied request is sent to
         * the "denied" page instead of returning.
         */
        protected function check_access($resource, $privilege, $redirect = TRUE)
        {
            $permission = (self::$acl->has($resource)
                AND self::$acl->isAllowed($_SESSION['userid'], $resource, $privilege));

            if (!$permission AND $redirect)
                $this->request->redirect('user/denied');

            return $permission;
        }

        /**
         * Registers the user id as a Zend_Acl role and allows each
         * (resource, privilege) pair stored for that user in the permissions table.
         */
        protected function set_permissions($user_id)
        {
            $result = DB::select()
                ->from('permissions')
                ->where('user_id', '=', $user_id)
                ->execute()
                ->as_array();

            self::$acl->addRole(new Zend_Acl_Role($user_id));

            foreach ($result AS $permission)
            {
                // Resources must exist in the ACL before a rule can reference them
                if (!self::$acl->has($permission['resource']))
                    self::$acl->add(new Zend_Acl_Resource($permission['resource']));

                self::$acl->allow($user_id, $permission['resource'], $permission['privilege']);
            }
        }
    }

Then I check access in the controllers as follows: $this->check_access('events', 'add');

+1

I know that the trail is cold, but a new project has appeared:

PHP-RBAC is a hierarchical, NIST Level 2 standard-based access control library and is quite mature. It is also an OWASP project.

I hope you enjoy this at http://phprbac.net

It is used in jframework in a way that is the standard way to include RBAC in the MVC pattern.

+1
