Welcome Guest, Not a member yet? Register   Sign In
Khaos :: KhACL

access should be Y as you guessed, i'll step over the code a bit later to see whats going on.

Well the problem is the _set function, if there's not yet an access entry a new entry has to be set. But I'm not sure how to find out if it should be Y or N. If a subitem is Y it must be Y as well because the check function won't look at the axo objects at all if it were N. That's why I made the changes in the last post and based the returned allow value on the axo item instead of the aco part.

         * If needed create/modify the ARO -> ACO map in the access table
        if (($rs = $this->_CI->db->query('SELECT id, allow FROM '.$this->_Tables['access'].' WHERE aro_id = ? AND aco_id = ? LIMIT 1', array($aro_id, $aco_id))) !== false)
            if ($rs->num_rows() === 0) // create link
// if axo is not null it should inherit the allow value from the element on top
                if (!$this->_CI->db->query('INSERT INTO '.$this->_Tables['access'].' (aro_id, aco_id, allow) VALUES (?, ?, ?)', array($aro_id, $aco_id, $allow)))
                    return false;
                $access_id = $this->_CI->db->insert_id();
            else // modify existing link if needed
                $row       = $rs->row();
                $access_id = $row->id;
                if ($axo === null)
                    if ($row->allow != $allow)
                        if (!$this->_CI->db->query('UPDATE '.$this->_Tables['access'].' SET allow = ? WHERE id = ?', array($allow, $access_id)))
                            return false;
            return false;

I've fixed that bug and tested against the code you where using to initialise the ACL and all the correct permissions are being returned now.

[eluser]Majd Taby[/eluser]
[quote author="Neophyte" date="1201646984"]
* bool allow  ( string $aro, string $aco [, string $axo ] )
* bool deny  ( string $aro, string $aco [, string $axo ] )
* bool check  ( string $aro, string $aco [, string $axo ] )
* bool create ( string $aro [, string $aro_parent [, int $link ]] )
* bool delete ( string $aro )
* bool create ( string $aco [, string $aco_parent [, int $link ]] )
* bool delete ( string $aco )
* bool create ( string $axo )
* bool delete ( string $axo )

// Examples - KhACL
$this->khacl->allow('editors', 'news', 'publish');
$this->khacl->deny('anonymous', 'news', 'comment');
$allowed = $this->khacl->check('neophyte', 'news', 'comment');

// Examples - KhACL->ARO
$this->khacl->aro->create('neophyte', 'editors');

// Examples - KhACL->ACO
$this->khacl->aco->create('news', 'modules');

// Examples - KhACL->AXO

This would be perfect for the new release of CodeExtinguisher. However, i'm not very familiar with the ACL pattern. Here's what I picked up from your post:

1) You use KhACL->allow and deny to specify the rules. In you're example, you're saying: I want to allow editors to publish news, and i want to deny anonymous to comment on news. then you check if neophyte can comment on news, right?

2) You define an aro->create('neophyte','editors') which means neophyte is an editor

3) you defined news to be a module

4) finally, you defined the publish action.


does KhACL use a db to keep track of this?

yeh thats about right, the linked phpgacl pdf explains the approach far better than my post also the table schema is in the zip file

[eluser]Majd Taby[/eluser]
have you considered using Active Record instead of straight SQL queries?

i could for the create/delete methods of the ARO, ACO and AXO classes along with the allow/deny methods of the KhACL class but these are all really simple queries anyway which should work accross most SQL servers. Though for the check method (along with the methods it depends on) i avoided ActiveRecord to keep down on the overhead of checking access. Again the SQL in these methods is pretty basic with just some JOINS so it should be compatable with the main SQL servers.

To further cut down on overhead i was thinking of adding a helper function 'kh_acl_check()' so on the bulk of pages where you simply need to check access you would just use this helper function without ever having to bring in the khacl library, only bringing in the library when you need to modify the ACL in some way. This way you can have extremely fine grained control with the minimum of overhead.

Iv read through everything you have posted and then the phpgacl manual. And some things don't make sense.

Basically what I'm confused about is you are using axo's as actions in your system BUT phpgacl says differently

Quote:ARO and ACO-only View:
· AROs: Things requesting access
· ACOs: Things to control access on
ARO, ACO and AXO View:
· AROs: Things requesting access
· ACOs: Actions that are requested
· AXOs: Things to control access on

Just wondering why you have chosen to do it differently?

personally i think my approach is more logical but i would say that Smile but basically i think my approach is more true to how each of the ARO, ACO and AXO objects should work respectively.

The phpgacl approach would polute the ACO table with both control objects and action objects and means duplicating control objects which already exist into the AXO table (just look at their table schema)

Consider a news article and a user where you want to make it so the user needs permission to publish.

My approach means you would create the ARO (user), ACO (news article) and create the Publish action (AXO) and then create the relationship between them all $this->khacl->allow('user', 'article', 'publish'); to check if a user has access to the news article you just check the ARO against the ACO, if you need to check the user has publish rights you additionally specify the AXO.

With the phpgacl approach you would create the ARO (user), ACO (news article), publish action (ACO) and then AXO (news article again) then establish the relationships between them. To check if a user has access you check the ARO against the ACO. to check if the user has publish rights you check the ARO against the AXO (which is now acting as the ACO) and put the action as the actual ACO.

I see what you mean and now fully agree with you. I have to say I have tried the library and it seems to work great. Being me though I want to learn how the behind the scenes bits work, looks like I will have to implement my own just to have a play (I don't like using something unless I understand it).

Very good worth though.

Theme © iAndrew 2016 - Forum software by © MyBB