An ACL idea. Need some help.
#1

[eluser]Spelljack[/eluser]
Hey,

I am trying to build a role-based Access Control List for CodeIgniter. If I succeed, I will create a repository for it on Bitbucket. But I need some help on the planning.

Here is what I have thought of so far:

-It will be database integrated.

Database Tables
-There will be a roles table.
-This table contains the roles.

-To understand which role is superior to another, a role will cover others.
- E.g.: the ROLE_ADMIN role covers ROLE_USER, ROLE_MODERATOR, etc.

-There will be another table that contains which roles are assigned to what. This can be a user, a group, or a special field (I'm not sure about this special field part), since the most sensible approach is user/group.

-The last table will contain which roles have access to what. This can be an entire module, directory or class, or only a specified method. There can be an access definition even for a widget, or somewhere in a page.

How Should It work?

-There should be an auto check before the page loads. But this option could be disabled. The most sensible thing is doing this with a method in the user-defined main controller constructor. This can be disabled in the config file (maybe there is no need for a config option for this; after all, people will install it if needed, right?).

-There should be a method to check in-page (widgets, a part of the page).

-Since it will be configurable in the database, there can be situations where the ACL must be disabled. So if this will be a general thing on the entire project, it can be defined in the configuration file. If it needs to be disabled dynamically, it should be defined in the controller's constructor, before the call to the parent constructor (it can be passed with params or defined as a class variable). This time the user has to check if there is a variable to be processed by the ACL.

-The library must provide methods to add/edit/delete roles, accesses and role definitions.

And that is what I have thought of so far.

I really would like to know what you think. Does this provide everything needed from an ACL?
#2

[eluser]WanWizard[/eluser]
I have an implementation where both roles and groups are implemented as a tree (nested set, adjacency list, etc.). This allows you to build an inheritance system where parents inherit the rights of their children.

Users, groups and roles all link to named tasks, which in my system are defined as an identifier (for example class or method) and an action ('read', 'write', etc.).

The structure of effective user rights is generated and cached, so that you don't need to run queries every time you do a rights check.

The library contains the usual suspects, like has_group(), has_role() and has_task() to check for assigned rights.
#3

[eluser]Spelljack[/eluser]
[quote author="WanWizard" date="1309292549"]I have an implementation where both roles and groups are implemented as a tree (nested set, adjacency list, etc.). This allows you to build an inheritance system where parents inherit the rights of their children.

Users, groups and roles all link to named tasks, which in my system are defined as an identifier (for example class or method) and an action ('read', 'write', etc.).

The structure of effective user rights is generated and cached, so that you don't need to run queries every time you do a rights check.

The library contains the usual suspects, like has_group(), has_role() and has_task() to check for assigned rights.[/quote]

Thanks for the reply. How are you caching them? To a file, or just running a bunch of queries to get all rights into an array?
#4

[eluser]JonoB[/eluser]
I came across http://www.tastybytes.net/blog/simple-ac...odeigniter a few weeks back, and ended up using it (albeit modified for my needs). It's neat and clean.
#5

[eluser]wiredesignz[/eluser]
And I have an application of rule-based access control. Roles and groups and specific users or even IP addresses can be allowed or blocked.
#6

[eluser]WanWizard[/eluser]
[quote author="Spelljack" date="1309317564"]Thanks for the reply. How are you caching them? To a file, or just running a bunch of queries to get all rights into an array?[/quote]
The user's effective rights are stored in an array. The array is cached using Phil Sturgeon's caching library (which stores it in disk files). The cache file doesn't auto-expire; it is expired when the user's rights are changed.
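The tree-plus-cache design WanWizard describes in #2 and #6, sketched as an added example. This is not WanWizard's library: the table layouts, the sample rows and the in-memory stand-in for the disk cache are assumptions made for the illustration.

```php
<?php
// Added example, not WanWizard's library. Roles form a tree kept as an
// adjacency list (role id => parent id); a parent role inherits every task
// of its descendants. Each user's effective task set is built once and kept
// in a cache that never expires on its own and is cleared only when that
// user's rights change. Table layouts and rows below are constructed.

class Acl
{
    private $roles;           // roles table:      id => parent_id (null = top)
    private $role_tasks;      // role_tasks table: role id => "identifier:action" list
    private $user_roles;      // user_roles table: user id => role id list
    private $cache = array(); // uid => effective task set (stand-in for the disk cache)

    public function __construct(array $roles, array $role_tasks, array $user_roles)
    {
        $this->roles = $roles;
        $this->role_tasks = $role_tasks;
        $this->user_roles = $user_roles;
    }

    // Every role at or below $role. $seen stops a malformed (cyclic) tree
    // from recursing forever.
    private function subtree(int $role, array &$seen = array()): array
    {
        if (isset($seen[$role])) {
            return array();
        }
        $seen[$role] = true;
        $out = array($role);
        foreach ($this->roles as $id => $parent) {
            if ($parent === $role) {
                $out = array_merge($out, $this->subtree($id, $seen));
            }
        }
        return $out;
    }

    // Union of the tasks of the user's roles and of everything they inherit.
    private function build(int $uid): array
    {
        $tasks = array();
        foreach ($this->user_roles[$uid] ?? array() as $role) {
            foreach ($this->subtree($role) as $r) {
                foreach ($this->role_tasks[$r] ?? array() as $task) {
                    $tasks[$task] = true;   // keyed array used as a set: duplicates collapse
                }
            }
        }
        return $tasks;
    }

    // The rights check itself: no query, just a cached array lookup.
    public function has_task(int $uid, string $task): bool
    {
        if (!isset($this->cache[$uid])) {
            $this->cache[$uid] = $this->build($uid);
        }
        return isset($this->cache[$uid][$task]);
    }

    // Any edit to a user's rights must drop that user's cache entry,
    // otherwise the stale array keeps answering.
    public function assign_role(int $uid, int $role): void
    {
        $this->user_roles[$uid][] = $role;
        unset($this->cache[$uid]);
    }
}

$acl = new Acl(
    array(1 => null, 2 => 1, 3 => 2),               // ADMIN > MODERATOR > USER
    array(1 => array('users:delete'),
          2 => array('posts:write'),
          3 => array('posts:read', 'profile:write')),
    array(10 => array(1), 11 => array(3))           // user 10 is admin, 11 a plain user
);

var_dump($acl->has_task(10, 'posts:read'));    // does admin inherit a USER task?
var_dump($acl->has_task(11, 'users:delete'));  // does a plain user get an ADMIN task?
$acl->assign_role(11, 2);                      // promote user 11: cache entry dropped
var_dump($acl->has_task(11, 'posts:write'));   // rebuilt from the new role set
```

The point to keep from the cache design is the last method: every write path that changes a user's roles, groups or tasks has to invalidate that user's entry, and a role edit has to invalidate every user holding that role or any of its ancestors. Forgetting one write path leaves revoked rights active until the next rebuild.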
#7

[eluser]Spelljack[/eluser]
Thank you for your replies. I found phpGACL while searching on the net for a solid solution, and it's exactly what I need. Unfortunately it has not been updated since PHP 4, so I am re-coding it. For database queries I am using DataMapper ORM. When I finish it, I will publish it publicly on Bitbucket.
#8

[eluser]wiredesignz[/eluser]
@Spelljack, Search the forums for khACL. It may be what you're looking for.
#9

[eluser]toopay[/eluser]
Since you're about to spend your time on ACL stuff, I have several inputs:
1. Make sure it is cacheable. Otherwise your users will suffer in their server memory, because the ACL class performs several queries every time the system runs.
2. Use a console as the back-end app. Not everyone, especially system admins, is comfortable with a "front-end" look (like the phpGACL back-end). Also, making your back-end a console will be easier for them, especially when they already have more than 1000 users in their databases.
3. Don't use dependency stuff, like an ORM. It's just that not everybody uses an ORM, and even if they like it, sometimes they just don't need it. And building something which has huge dependencies will break the "portability" philosophy.

I have already built some types of ACL, and in my recent work I am building an ACL system with hexadecimal value checks, just for better (cleaner code and database design) flexibility. (I got that inspiration from some article on the net explaining the deeper usability of hexadecimal types, but I can't remember the link - crap!) The simple explanation is like this:

Consider you have a task list like below:
user - edit_profile
... and so on

And every task needs more than one specification to check, for example:
user - edit_profile (needs the user to be logged in, "is me" checks)

Then in the traditional way, we will check that specification with a complicated function and long lines of procedural code. Or by putting has_role(), has_task(), or worse, we will have in our database design some serialized array that saves those rules into a field.

With the advantage of hexadecimal characteristics, you can store every task with a specific hex value, for example:

user - edit_profile : has oxoa (means '1010'; I use o instead of 0 because on this forum we can't write hex values)

Then check the user's right against some hierarchy of user states, for example:
Code:
// User state rules: each bit is one condition (the post wrote these as oxo1, oxo2, ... because of the forum)
$user = array(
   'is_login' => 0x01, // Means if the user is logged in, they have '0001' as their acl "strength"
   'is_me'    => 0x02, // Means if the user matches the "is me" criteria, they have '0010' as their acl "strength"
   // the rest of the user rules
   'is_admin' => 0x08, // Means if the user matches the "is admin" criteria, they have '1000' as their acl "strength"
);

Then you have a flexible way to manage the task and group list. In this simple example, the task "user - edit profile" is only accessible for anyone who has a matching value with:
Code:
// Hexadecimal works this way...
/* the task list value */
// user - edit profile               '1010'
/* user state rules */
// if the user is in the login state '0001' - doesn't have enough strength
// if the user matches "is me"       '0010' - they have enough strength
// ...
// if the user is you, or admin      '1000' - they have enough strength
// Basically, if a bit matches, the hex check will return TRUE
Imagine how complex you can define your tasks, groups and rules with just a single hex value to check or store in your db field or config file.
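The hex scheme above as an added example, not toopay's code: the "strength" values become real bit flags, the task mask for edit_profile is the post's 0x0a, and the check is a bitwise AND. The other task names, the extra ACL_IS_MOD flag and the request facts fed to acl_state() are constructed for the illustration.

```php
<?php
// Added example, not toopay's code. Each bit is one condition the current
// request satisfies; a task mask lists the bits that are each sufficient on
// their own; the check is a bitwise AND, so any shared bit grants.
// The 0x0a task value comes from the post; everything else is constructed.

const ACL_IS_LOGIN = 0x01;   // 0001: request comes from a logged-in user
const ACL_IS_ME    = 0x02;   // 0010: the record belongs to the requesting user
const ACL_IS_MOD   = 0x04;   // 0100: constructed extra flag for a moderator
const ACL_IS_ADMIN = 0x08;   // 1000: administrator

// Task list as it would sit in a config file or a db field: name => mask.
$tasks = array(
    'user/edit_profile' => ACL_IS_ME | ACL_IS_ADMIN,                             // 0x0a, the post's value
    'user/view_profile' => ACL_IS_LOGIN | ACL_IS_ME | ACL_IS_MOD | ACL_IS_ADMIN, // 0x0f, constructed
    'user/ban'          => ACL_IS_MOD | ACL_IS_ADMIN,                            // 0x0c, constructed
);

// Derive the caller's state mask from facts about the request.
function acl_state(bool $logged_in, ?int $uid, ?int $owner_uid, bool $is_mod, bool $is_admin): int
{
    $state = 0;
    if ($logged_in) {
        $state |= ACL_IS_LOGIN;
        if ($uid !== null && $uid === $owner_uid) {
            $state |= ACL_IS_ME;      // "is me" only makes sense for a logged-in user
        }
    }
    if ($is_mod) {
        $state |= ACL_IS_MOD;
    }
    if ($is_admin) {
        $state |= ACL_IS_ADMIN;
    }
    return $state;
}

// The single check: an unknown task is denied, otherwise any matching bit grants.
function acl_allows(array $tasks, string $task, int $state): bool
{
    if (!isset($tasks[$task])) {
        return false;   // deny by default, so a mistyped task name cannot open anything
    }
    return ($tasks[$task] & $state) !== 0;
}

// The three cases from the post for 'user/edit_profile' (mask 1010).
$edit    = 'user/edit_profile';
$visitor = acl_state(true, 7, 42, false, false);   // logged in, not the owner: state 0001
$owner   = acl_state(true, 42, 42, false, false);  // logged in and "is me":    state 0011
$admin   = acl_state(true, 1, 42, false, true);    // admin on another profile: state 1001

var_dump(acl_allows($tasks, $edit, $visitor));        // 1010 & 0001
var_dump(acl_allows($tasks, $edit, $owner));          // 1010 & 0011
var_dump(acl_allows($tasks, $edit, $admin));          // 1010 & 1001
var_dump(acl_allows($tasks, 'user/deleet', $admin));  // unknown task name
```

Two things to keep in mind with this scheme. Because the rule is "any shared bit grants", one mask can only express a disjunction (is_me OR is_admin); a task that needs two conditions at once (logged in AND is_me) needs a second, "required" mask checked with `($required & $state) === $required`, or the conjunction folded into a single derived flag as acl_state() does for is_me. And a PHP integer gives you 63 usable flags on a 64-bit build (31 on 32-bit), so the task and state vocabulary has to stay small or be split across fields.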
#10

[eluser]riceman[/eluser]
I think this is the article mentioned in the post above.

http://webdevrefinery.com/forums/topic/3...nt-system/

Hope it helps ; )
