Khaos :: KhACL
#61

[eluser]adamp1[/eluser]
1. I see the name field is unique, so no way of entering a user with multiple parents within the aro tree? In the (phpgacl) PDF provided in the first few posts of this thread it shows han is within crew and within engineers. This is kind of confusing me, I can't see how I can add an aro named han and add him under 2 other aro’s (crew and engine). Unless I call them Han1 and Han2 or crew_han and engineer_han?

With the implementation used in KhACL there is no way to have AROs as members of multiple groups.

2. Linking to existing user table, Could I get rid of the link field, and change the name field to user_id? I don’t really want to duplicate a user’s name within the database.

If I were you, I wouldn't get rid of those fields unless you want to edit the entire library code. The reason it's all in its own table is so it can easily be moved around and also applied to many situations.

3. Does the amount of ARO’s really make much of a difference in performance?

If you're worried about performance, try the library along with the cache library. But to answer your question: say you have 2 AROs and 5 ACOs, it would have to loop 10 times; adding another ARO means 15 loops. So the more ACOs/AROs you have, the slower it will get.
#62

[eluser]adamp1[/eluser]
The updates seem great, but I have one suggestion. You have just copied the code so it works outside of the library for the check helper. This means if you update it you must update twice, which means there is more risk of a bug not being fixed in both. Why not get rid of the check methods in the library and have the library call the helper file method? Then it means you only have one version of the same code.

Just a thought
#63

[eluser]depthcharge[/eluser]
Thanks adamp1, understood.

I have used the following for a simple test.
Code:
$this->khacl->aro->create('admins');
$this->khacl->aro->create('lee','admins');
$this->khacl->aro->create('gordon','admins');
$this->khacl->aro->create('paul','admins');

$this->khacl->aro->create('members');
$this->khacl->aro->create('ella','members');
$this->khacl->aro->create('jill','members');

$this->khacl->aco->create('blogs');

$this->khacl->allow('lee', 'blogs');
$this->khacl->allow('members', 'blogs');

However, when I try to check permission for jill to access blogs, for instance, it returns no permission.

Code:
$allowed = kh_acl_check('jill','blogs');

Tables and data:
Code:
mysql> select * from khacl_aros order by lft;
+----+-----+-----+---------+------+
| id | lft | rgt | name    | link |
+----+-----+-----+---------+------+
|  1 |   1 |   8 | admins  |    0 |
|  7 |   2 |   3 | paul    |    0 |
|  6 |   4 |   5 | gordon  |    0 |
|  2 |   6 |   7 | lee     |    1 |
|  3 |   9 |  14 | members |    0 |
|  5 |  10 |  11 | jill    |    3 |
|  4 |  12 |  13 | ella    |    2 |
+----+-----+-----+---------+------+
7 rows in set (0.00 sec)

mysql> select * from khacl_acos;
+----+-----+-----+-------+------+
| id | lft | rgt | name  | link |
+----+-----+-----+-------+------+
|  1 |   1 |   2 | blogs |    0 |
+----+-----+-----+-------+------+
1 row in set (0.00 sec)

mysql> select * from khacl_access;
+----+--------+--------+-------+
| id | aro_id | aco_id | allow |
+----+--------+--------+-------+
|  1 |      2 |      1 | Y     |
|  2 |      3 |      1 | Y     |
+----+--------+--------+-------+
2 rows in set (0.00 sec)

Lee
#64

[eluser]adamp1[/eluser]
How come your tree has two roots? A tree can't have two roots; if it does then it's not a tree. You have to change your tree so both 'admins' and 'members' have a common parent.

@Neophyte: That could be another feature to implement, not allow two roots to be created. Since that invalidates the model and the definition of a tree.
#65

[eluser]Neophyte[/eluser]
I can see I've got some work to do :) There's a few other issues I've noticed as well. This is more of a quick post to say I've seen all the comments and will be updating the code tonight/tomorrow.
#66

[eluser]depthcharge[/eluser]
Hi Neophyte,

Ah, I knew something was wrong. I wasn't paying attention to the left and right numbers in my table, and me adding 2 roots. Thanks adamp1.

Having looked at the code, I think the AROs tree query should be something like the following, to make it select the ARO and all of the ARO's parents, so it gets the right interested array. Same thing with the ACOs, I guess.

Code:
/*
* Retrieve the data needed to determine the AROs access
* and extensions to the specified ACO.
*/

$ci->db->select('branch.id, branch.name, branch.link');
$ci->db->from($tables['aros'].' AS tree');
$ci->db->join($tables['aros'].' AS branch', 'branch.lft <= tree.lft AND branch.rgt >= tree.rgt', 'inner');
$ci->db->where('tree.name', $aro);
$ci->db->order_by('branch.lft', 'ASC');
$rs = $ci->db->get();

And the same with the ACOs, I guess. I will take a look also as soon as I can.

I am sure this could be done with one SQL query, which would keep looping in your code to a minimum and make MySQL do the work, which it is good at.

UPDATE

The following SQL gives you the Y or N result of a user's access to an ACO.

It needs testing and clean-up; maybe the joins are not final.

Code:
SELECT allow
FROM `khacl_aros` as tree JOIN `khacl_aros` AS branch ON (branch.lft <= tree.lft AND branch.rgt >= tree.rgt)
LEFT JOIN khacl_access AS access ON (access.aro_id = branch.id)
LEFT JOIN khacl_acos AS acostree ON (acostree.name = $aco)
RIGHT JOIN khacl_acos AS acosbranch ON (acosbranch.lft <= acostree.lft AND acosbranch.rgt >= acostree.rgt)
WHERE tree.name = $aro AND access.aco_id = acosbranch.id
ORDER BY branch.rgt, acosbranch.rgt
limit 0,1

I have not played with AXOs at all yet, but I am sure it can be included in the query. And with MySQL caching maybe speed can be improved.

Woah, 3am, I gotta sleep

Thanks

Lee
#67

[eluser]depthcharge[/eluser]
I think maybe this is a bit better.

Code:
SELECT allow
FROM `khacl_aros` as tree JOIN `khacl_aros` AS branch ON (tree.name = $aro AND branch.lft <= tree.lft AND branch.rgt >= tree.rgt)
JOIN khacl_access AS access ON (access.aro_id = branch.id)
JOIN khacl_acos AS acostree ON (acostree.name = $aco)
JOIN khacl_acos AS acosbranch ON (acosbranch.lft <= acostree.lft AND acosbranch.rgt >= acostree.rgt)
WHERE access.aco_id = acosbranch.id
ORDER BY branch.rgt, acosbranch.rgt
limit 0,1

I got my head stuck into something at the moment, but I can spend tonight having a play, and come up with something which includes the AXOs also.

Just a question for all: do you think it is necessary to check these details from the database every time / every page / function, or would keeping the data within the session be OK and secure if session data is encrypted in the database?

Thanks
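
The ancestor-chain check from the two posts above, as an added example that is not code from the thread or from KhACL: it runs the same nested-set joins through Python's sqlite3, with the ARO and ACO names bound as query parameters rather than interpolated into the SQL string, and adds the single-root check adamp1 suggested. The schema is simplified (no `link` column), and the `site` root, the deny row for ella and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: a single-root ARO tree (nested set), one ACO, and
# three access rows. "site" is an assumed common parent, not from the thread.
AROS = [(1, 1, 16, "site"), (2, 2, 9, "admins"), (3, 3, 4, "paul"),
        (4, 5, 6, "gordon"), (5, 7, 8, "lee"), (6, 10, 15, "members"),
        (7, 11, 12, "jill"), (8, 13, 14, "ella")]
ACOS = [(1, 1, 2, "blogs")]
ACCESS = [(5, 1, "Y"), (6, 1, "Y"), (8, 1, "N")]  # lee, members, ella

CHECK_SQL = """
SELECT access.allow
FROM khacl_aros AS tree
JOIN khacl_aros AS branch
  ON branch.lft <= tree.lft AND branch.rgt >= tree.rgt
JOIN khacl_access AS access ON access.aro_id = branch.id
JOIN khacl_acos AS acostree ON acostree.name = :aco
JOIN khacl_acos AS acosbranch
  ON acosbranch.lft <= acostree.lft AND acosbranch.rgt >= acostree.rgt
WHERE tree.name = :aro AND access.aco_id = acosbranch.id
ORDER BY branch.rgt, acosbranch.rgt
LIMIT 1
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE khacl_aros (id INTEGER PRIMARY KEY, lft INT, rgt INT, name TEXT UNIQUE);
        CREATE TABLE khacl_acos (id INTEGER PRIMARY KEY, lft INT, rgt INT, name TEXT UNIQUE);
        CREATE TABLE khacl_access (aro_id INT, aco_id INT, allow TEXT);
    """)
    conn.executemany("INSERT INTO khacl_aros VALUES (?,?,?,?)", AROS)
    conn.executemany("INSERT INTO khacl_acos VALUES (?,?,?,?)", ACOS)
    conn.executemany("INSERT INTO khacl_access VALUES (?,?,?)", ACCESS)
    return conn

def acl_check(conn, aro, aco):
    """Nearest rule on the ARO's ancestor chain wins; no rule means deny."""
    row = conn.execute(CHECK_SQL, {"aro": aro, "aco": aco}).fetchone()
    return row is not None and row[0] == "Y"

def root_names(conn):
    """AROs with no enclosing node; a valid tree has exactly one."""
    return [r[0] for r in conn.execute("""
        SELECT n.name FROM khacl_aros AS n
        WHERE NOT EXISTS (SELECT 1 FROM khacl_aros AS p
                          WHERE p.lft < n.lft AND p.rgt > n.rgt)
        ORDER BY n.lft""")]
```

Because `ORDER BY branch.rgt` puts the most specific ARO first, a rule on a user overrides one inherited from its group, and an unknown or malformed name simply matches no row and is denied.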
#68

[eluser]adamp1[/eluser]
That's the point of the cache, it then means you don't need to keep calling the database and checking for permissions.
#69

[eluser]depthcharge[/eluser]
Ok thanks, I will take a look.
#70

[eluser]Neophyte[/eluser]
ChangeLog - KhACL - 0.1-alpha5

Refactor - kh_acl_check() now uses SQL to build all the permission maps instead of PHP
Refactor - Updated khacl->check() to use helper function
Fixed - Lots of minor bugs when a DB prefix is set (all queries should now account for the global db prefix)

As always, any bugs or problems, let me know and I'll see what I can do.



