Re: Access control

Yorian wrote:
Dear PHP gurus,

At the moment I'm trying to create an access control system (the
implementation, not a handy class such as Zend_Acl); however, I'm a bit
stuck on how to do this.

I will explain the way my system should work in a minute, but to give a
fairly fast impression, it looks a bit like the complex example here:
http://codeutopia.net/blog/2009/02/18/zend_acl-part-3-creating-and-storing-dynamic-acls/

In my case I have users and roles (groups) to which actions can be
assigned. The actions vary depending on the resource used.

Example:
I have a guestbook; on the guestbook 4 actions can be performed: view,
add, edit, delete.
I also have a poll; on the poll 6 actions can be performed: vote,
view, view_results, create, delete, edit.

How do I control the access to these resources? (and how should the
database look?)

I missed one point - also fetch the authorized actions for the group(s) the user belongs to, and allow those actions to which the group is authorized. It gets a little more complicated, but if you wish to restrict authorization to a group member that he/she would otherwise have access to as a member of the group, that could be handled in the individual member, also.

Personally, in the PHP end, I would have a function which fetched all of the authorizations for the user and created an array of authorized actions. Then I would have a second function which took that array and the specific action I was interested in and checked against the authorization array, and returned true or false.

This way all of your authorizations are handled in two functions. If you later need to add a new authorization, you only have (at most) two functions to change.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
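The two-function layout described above, written out as an added PHP example (not code from the original thread). The arrays are constructed stand-ins for the database tables it assumes (users, groups, memberships, grants); the "resource:action" key format is an assumption as well.

```php
<?php
// Added example, not from the original post: the two-function approach
// described above, with constructed arrays standing in for the assumed
// tables (users, groups, memberships, grants). Group grants apply first;
// the user's own rows apply on top, so a member can be denied an action
// the group would otherwise allow.
$membership  = ['alice' => ['editors']];                       // user => groups
$groupGrants = [                                               // group => resource => actions
    'editors' => ['guestbook' => ['view', 'add', 'edit'], 'poll' => ['view', 'vote']],
    'admins'  => ['poll' => ['create', 'delete', 'edit', 'view_results']],
];
$userGrants  = [                                               // user => resource => action => allow?
    'alice' => ['poll' => ['view_results' => true, 'vote' => false]],
];

// Function 1: collect everything the user may do into one array keyed "resource:action".
function fetch_authorizations(string $user, array $membership, array $groupGrants, array $userGrants): array
{
    $auth = [];
    foreach ($membership[$user] ?? [] as $group) {
        foreach ($groupGrants[$group] ?? [] as $resource => $actions) {
            foreach ($actions as $action) {
                $auth["$resource:$action"] = true;
            }
        }
    }
    foreach ($userGrants[$user] ?? [] as $resource => $actions) {
        foreach ($actions as $action => $allowed) {
            if ($allowed) {
                $auth["$resource:$action"] = true;
            } else {
                unset($auth["$resource:$action"]);  // an explicit user-level deny wins
            }
        }
    }
    return $auth;
}

// Function 2: the one check the rest of the application calls.
function is_authorized(array $auth, string $resource, string $action): bool
{
    return isset($auth["$resource:$action"]);
}

$alice = fetch_authorizations('alice', $membership, $groupGrants, $userGrants);
var_dump(is_authorized($alice, 'guestbook', 'edit'));  // granted through the editors group
var_dump(is_authorized($alice, 'poll', 'vote'));       // group allows it, user row denies it
var_dump(is_authorized($alice, 'poll', 'delete'));     // never granted at all
```

In a real deployment the three arrays would be loaded once per request from the grants tables, and only `fetch_authorizations` changes when a new resource or action is introduced.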