Khaos :: KhACL
#81

[eluser]adamp1[/eluser]
@Neophyte: This change needs to be uploaded to the version on the first page of this thread.

[quote author="bardelot" date="1211257901"]you have to add some brackets in the sql query (FROM section) in the khacl helper.

line 68:
Code:
FROM ('.$ci->db->dbprefix.$tables['aros'].' AS aro_node, '.$ci->db->dbprefix.$tables['acos'].' AS aco_node)

line 87:
Code:
FROM ('.$ci->db->dbprefix.$tables['aros'].' AS aro_node, '.$ci->db->dbprefix.$tables['acos'].' AS aco_node, '.$ci->db->dbprefix.$tables['axos'].' AS axo_node)
[/quote]

Also I think your helper file is missing a line loading the khaos config file, since if you load the helper and not the library it doesn't use custom tables.
Code:
// Fallback for when only the helper is loaded (no library to read the config):
// load the khaos config so custom table names are honoured, with the default
// names used for anything the config does not override.
if (!is_array($tables))
{
    $ci->config->load('khaos', true, true);
    $options = $ci->config->item('acl', 'khaos');

    // default table names
    $tables = array(
        'aros'           => 'khacl_aros',
        'acos'           => 'khacl_acos',
        'axos'           => 'khacl_axos',
        'access'         => 'khacl_access',
        'access_actions' => 'khacl_access_actions'
    );

    // config['acl']['tables'] entries override the defaults
    if (isset($options['tables']) && is_array($options['tables']))
        $tables = array_merge($tables, $options['tables']);
}
#82

[eluser]bhoover[/eluser]
Great work neophyte. I'm going through the code right now and it looks perfect for a large web project I'm working on at work that needs granular permissions. I haven't set this up yet (just perusing the code) but as a suggestion your .zip file contains a sql dump from phpmyadmin using MyISAM engine where the code in the 0.1-alpha5 version contains trans_start() and trans_end() functions. Maybe you or adamp1 could dump the new table with the before-mentioned InnoDB engine / 254-length varchar fields for others.

Ben
#83

[eluser]adamp1[/eluser]
I think a solution would be to ship 2 sql dumps. One built using the normal MyISAM tables and the other with InnoDB. Otherwise if you don't want to use InnoDB you have to go and remove all relations.
#84

[eluser]sophistry[/eluser]
Here are observations and sample code...

1) The code example in the first post (by Neophyte) is misleading because you can't just copy and paste. It is not sample code, just documentation, as it defines the objects in the wrong order. See my sample code below for the proper order.

2) There are several differences from the php gACL code referenced in the first post:

a) you cannot add AROs (Requesting Objects) to multiple groups - see PDF manual linked from first post and example about Chewie in two groups see this post for details. The KhACL requires unique names for each ARO so you can't define them more than once.

b) KhACL does not DENY by default - you must DENY your root node up front if that is the sort of permission model you want.

c) KhACL treats AXOs differently (and per Neophyte, more logically) see these posts on the thread for explanation.

3) This is not an Auth system; it is an access control list that uses cascading access permissions. You could build auth with it.

see next post for code...
#85

[eluser]sophistry[/eluser]
Code:
function testacl()
    {
        // This is what we want to restrict access to
        $this->khacl->aco->create('Website');
        $this->khacl->aco->create('Database', 'Website');
        $this->khacl->aco->create('Email', 'Website');

        // create tree root group and nested sub-groups
        $this->khacl->aro->create('Company');
        // all users are part of company
        $this->khacl->aro->create('User', 'Company');
        // admin and guest are both users so inherit user permissions
        $this->khacl->aro->create('Admin', 'User');
        $this->khacl->aro->create('Guest', 'User');

        // create some users belonging to the nested groups
        // first the overall group
        $this->khacl->aro->create('Bob','Company');
        // now the next level down
        $this->khacl->aro->create('David','User');
        // finally the lowest levels where
        // the axos get detailed
        $this->khacl->aro->create('Jim', 'Admin');
        $this->khacl->aro->create('Bernice', 'Guest');
        
        
        // These are the actions axos
        // View is generic action we will use
        // several times applied to different acos
        $this->khacl->axo->create('View');
        
        // these will be restricted to admins
        $this->khacl->axo->create('Add');
        $this->khacl->axo->create('Edit');
        $this->khacl->axo->create('Delete');
        
        
        // OK lets first deny all users everything
        // (company is the root group)
        $this->khacl->deny('Company','Website');
        
        // test this to see if it worked to deny access
        // at this point, a specific user should not
        // be able to view any part of the website
        $this->_can('Bob', 'Website', 'View', FALSE);
        
        // allow anyone in company to view
        // anything in entire website
        $this->khacl->allow('Company','Website','View');
        
        // deny Guest all access to Email and Database
        // guests can't do anything to email or database
        // they can't even view, but the rest of the
        // website remains fully open to guests
        $this->khacl->deny('Guest','Email');
        $this->khacl->deny('Guest','Database');
        
        // allow admin group to administrate any part of
        // the website including the email and database
        $this->khacl->allow('Admin','Website','Add');  
        $this->khacl->allow('Admin','Website','Edit');
        $this->khacl->allow('Admin','Website','Delete');
        
        
        
        
        // now test the settings
        echo 'these should be true<hr>';
        // any admin should be able to edit email
        $this->_can('Admin', 'Website', 'Edit', TRUE);
        // specific admin should be able to view any part of website
        $this->_can('Jim', 'Website', 'View', TRUE);
        // specific admin should be able to delete any part of website
        $this->_can('Jim', 'Website', 'Delete', TRUE);
        // specific admin should be able to delete any part of database
        $this->_can('Jim', 'Database', 'Delete', TRUE);
        // specific user should be able to view any part of the website
        $this->_can('Bob', 'Website', 'View', TRUE);
        // specific user should be able to view any part of the database
        $this->_can('Bob', 'Database', 'View', TRUE);
        // specific user should be able to view any part of the database
        $this->_can('David', 'Database', 'View', TRUE);
        
        echo '<br>these should be false<hr>';
        // specific user should not be able to edit any part of the website
        $this->_can('Bob', 'Website', 'Edit', FALSE);
        // specific user should not be able to edit any part of the website
        $this->_can('David', 'Website', 'Edit', FALSE);
        // specific user should not be able to edit any part of the database
        $this->_can('Bob', 'Database', 'Edit', FALSE);
        // guest should not be allowed to view any email
        $this->_can('Guest', 'Email', 'View', FALSE);
        // guest should not be allowed to view any database
        $this->_can('Guest', 'Database', 'View', FALSE);
        // specific guest user should not be allowed to view any email
        $this->_can('Bernice', 'Email', 'View', FALSE);
        // specific user should not be able to edit any part of the Email
        $this->_can('Bob', 'Email', 'Edit', FALSE);
        // guest should not be able to edit any part of the Email
        $this->_can('Guest', 'Email', 'Edit', FALSE);
        // specific guest user should not be allowed to edit any email
        $this->_can('Bernice', 'Email', 'Edit', FALSE);
        
        // the khaos_acl system returns FALSE if indeterminate
        echo '<br>these should confuse the system and give indeterminate answers<hr>';
        // only admin should be able to edit email,
        // system should not allow generic user, but answer is ambiguous
        $this->_can('User', 'Email', 'Edit', 'UNKNOWN');
        // generic user should not be able to edit any part of
        // the website, only admin in the next level down can
        $this->_can('User', 'Website', 'Edit', 'UNKNOWN');
        
    }
    
    // utility to wrap the kh_acl_check() method
    // and allow printing of results to browser
    function _can($aro, $aco, $axo, $expected)
    {
        $can = kh_acl_check($aro, $aco, $axo);
        print_r(var_export($can, TRUE) . '='. var_export($expected, TRUE) .'<br>');
        return $can;
    }
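The test above exercises the cascading behaviour described in the previous post: deny the root node first, open things up selectively, let a rule nearer the requesting object override one further up, and treat "no rule at all" as FALSE. The block below is an added example written for this thread, not KhACL's code and not its API: it is a small stand-alone model of that resolution. The names `Tree`, `CascadingAcl`, `build_demo` and `duplicate_aro_rejected`, and the nearest-rule-wins precedence (ARO chain outward, then ACO chain outward, specific action before whole-object rule), are assumptions of the model; where KhACL's real precedence differs, the library's behaviour governs. It reproduces the expected TRUE/FALSE answers from the test, shows why the up-front root deny matters (without it an action no rule mentions is indeterminate rather than denied), and enforces the one-name-per-ARO rule noted in observation 2a.

```python
from typing import Dict, List, Optional, Set, Tuple


class Tree:
    """One object hierarchy (used here for AROs and ACOs); names are unique."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}

    def create(self, name: str, parent: Optional[str] = None) -> None:
        # The uniqueness rule observed in the thread: an object can exist only once.
        if name in self.parent:
            raise ValueError(f"duplicate node {name!r}")
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent {parent!r}")
        self.parent[name] = parent

    def ancestry(self, name: str) -> List[str]:
        """The node itself, then its parent, and so on up to the root."""
        chain: List[str] = []
        node: Optional[str] = name
        while node is not None:
            chain.append(node)
            node = self.parent[node]  # KeyError for a node that was never created
        return chain


class CascadingAcl:
    """Hypothetical resolver (not KhACL): the rule nearest the requester wins.

    Rules are keyed by (aro, aco, axo); axo=None means "every action on aco".
    check() walks the ARO chain outward (user -> group -> root) and, for each
    ARO, the ACO chain outward, trying the specific action before the
    whole-object rule. If nothing matches the answer is None (indeterminate).
    """

    def __init__(self) -> None:
        self.aro, self.aco = Tree(), Tree()
        self.axo: Set[str] = set()  # actions are a flat set in this model
        self.rules: Dict[Tuple[str, str, Optional[str]], bool] = {}

    def _rule(self, aro: str, aco: str, axo: Optional[str], allowed: bool) -> None:
        if aro not in self.aro.parent or aco not in self.aco.parent:
            raise ValueError("rule refers to an ARO or ACO that was never created")
        if axo is not None and axo not in self.axo:
            raise ValueError(f"unknown action {axo!r}")
        self.rules[(aro, aco, axo)] = allowed

    def allow(self, aro: str, aco: str, axo: Optional[str] = None) -> None:
        self._rule(aro, aco, axo, True)

    def deny(self, aro: str, aco: str, axo: Optional[str] = None) -> None:
        self._rule(aro, aco, axo, False)

    def check(self, aro: str, aco: str, axo: str) -> Optional[bool]:
        for a in self.aro.ancestry(aro):
            for o in self.aco.ancestry(aco):
                for x in (axo, None):
                    if (a, o, x) in self.rules:
                        return self.rules[(a, o, x)]
        return None

    def is_allowed(self, aro: str, aco: str, axo: str) -> bool:
        # Indeterminate counts as denied, the safe default the post describes.
        return self.check(aro, aco, axo) is True


def build_demo(deny_root: bool = True) -> CascadingAcl:
    """The objects and rules from the test above; deny_root=False skips the root deny."""
    acl = CascadingAcl()
    for name, parent in [("Website", None), ("Database", "Website"), ("Email", "Website")]:
        acl.aco.create(name, parent)
    for name, parent in [("Company", None), ("User", "Company"), ("Admin", "User"),
                         ("Guest", "User"), ("Bob", "Company"), ("David", "User"),
                         ("Jim", "Admin"), ("Bernice", "Guest")]:
        acl.aro.create(name, parent)
    acl.axo.update({"View", "Add", "Edit", "Delete"})
    if deny_root:
        acl.deny("Company", "Website")       # deny everything first ...
    acl.allow("Company", "Website", "View")  # ... then open up selectively
    acl.deny("Guest", "Email")
    acl.deny("Guest", "Database")
    for action in ("Add", "Edit", "Delete"):
        acl.allow("Admin", "Website", action)
    return acl


def duplicate_aro_rejected() -> bool:
    """True if creating an ARO name a second time is refused."""
    try:
        build_demo().aro.create("Bob", "User")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    acl = build_demo()
    for who, what, action in [("Jim", "Database", "Delete"), ("Bob", "Database", "View"),
                              ("Bob", "Website", "Edit"), ("Bernice", "Email", "View")]:
        print(f"{who:8} {action:6} {what:9} -> {acl.check(who, what, action)}")
    # Without the root deny an action no rule mentions is indeterminate, not denied.
    print("no root deny: Bob Edit Website ->",
          build_demo(deny_root=False).check("Bob", "Website", "Edit"))
```

The point worth taking from the model is the difference between `check()` returning `False` and returning `None`: with the root deny in place every answer in the test above is an explicit deny or allow, while without it `Bob` editing `Website` is simply unanswered and only the caller's choice to map `None` to denied keeps the site closed.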
#86

[eluser]Neophyte[/eluser]
I've finally been able to make some free time for working on my own projects, so I'll be looking to fix the issues which have been brought up over the past few posts.

Also, in the hope of keeping things a little more organised, I've put the code into an SVN repo and set up Trac:

http://khaos.neophyte.me.uk/

I'll also try my hand at building up some proper documentation instead of having people depend entirely on the function reference. (Much of trac including the wiki is open to all for now and depending on how well the spam filter works should remain so)

KhACL - Known Issues
#87

[eluser]Boyz26[/eluser]
I'm new to ACL so I'll just throw this out and see if anyone has a better suggestion (which I really look forward to).

Basically, I'm trying to make a site where users can create lists and set it to either Public, Friends or Private. I'm doing this with khacl.

So my best thought after many tries is something like this:

AXO: 'World', then 'Public, World'
ARO: 'Users', then 'Public, Users'
ACO: 'View', 'Edit'

And whenever someone registers, I would create:
--------------
1. Two AROs. One for that user (Peter) under Public and one for his friend-group
eg. aro->create(Peter-friends, Public).

So that whenever he adds a friend, the friend's username and together with Peter's username are added under his friend group.
Eg. aro->create(Mike-Peter, Peter-friends).

I tried and found out that every ARO must be unique, so I had to connect two usernames to make a new ARO under each friend-group. So when Mike is added to another friend-group there won't be any problem.
Eg. aro->create(Mike-Jake, Jake-friends)

-------------
2. Two AXOs with the suffixes -lounge and -private under the root AXO.
Eg. Peter-lounge and Peter-private.

Then allow Peter-friends to 'View' Peter-lounge. When Peter creates a private list, I would use that list_id to create an AXO under Peter-private and then allow people under 'Public, Users' to 'View' list_id.
-------------

And my question is: Is that the best way to do it? It seems pretty confusing to me...

Thank you!!
#88

[eluser]vendiddy[/eluser]
Nice extension!

Could someone please tell me if KhACL will help me in the following scenario?

I have two tables with the following primary keys
1) projects: project_id
2) users: user_id

I will have the following user-groups with the following privileges.
1) Administrator: [ALL]
2) Collaborator: Create, Update, Delete, View
3) User: Update, View
4) Guest: View

I want to be able to assign these permissions on a per-project basis. For example, user 5 might be an administrator for project 1, but be a collaborator for project 6.

I would also like fine-grained control on a per-project basis. For example, user 3 might be a Collaborator on project 8 and project 9. However, he might be denied the Delete privileges only for project 8.

Any advice is appreciated. Thanks!
#89

[eluser]Unknown[/eluser]
OK.

I have spent the better part of a workday, um, "evaluating" ACL options for my project. I have already implemented redux_auth for handling site logins, and I'm pretty happy with the way it is working (thanks, Popcorn!!). It seems to me that KhACL is well-suited to building on what I already have.

It appears that the 'link' feature mentioned in Neophyte's original post...
Quote:Links - The link argument you see when creating ARO or ACO objects is completely optional and an idea I stole from cakephp which I think may come in handy for some people (myself included): you can specify an ID for what this represents in your own database (such as a user_id), so if you wish to perform your own SQL queries you can join the relevant records.
...is exactly what I want to do. However, I have absolutely no clue how to go about this. I read and searched all (nine!) of the pages in this thread, and still have not found any references to doing this.

I'm not grasping which direction the information should flow: auth -> ACL, or ACL -> auth.

Does anyone have any sample code that might help me get on the right track?

Thanks!
#90

[eluser]BDT[/eluser]
I have a tiny question for the ACL masters:

What facts and figures shall I save for a content item so that it is only shown to those who have reading permission?

Including:

The administrator saves a content item and defines which group can see or read it.
After this, the content only appears for the defined group and its subgroups.

How can I query the last 5 content items from the model that the current group can see? What data shall I save for content to filter contents for a group or its subgroups?

Sorry for my bad English :(