Granting authorization based on controller resources

[eluser]liri[/eluser]
Hey guys,

I've been wondering how to implement authorization based on controller resources.
This means that it will be possible to specify whether access is ok or not to every controller method.

The database schema outlining the db design is provided here:
DB Table Design

The idea is as follows:
- The table acl_action saves the information about the actual resource (/controller/method, for example: /users/addUsers) along with a category_id to associate the actions with a category
- Categories are grouped together and associated with a group name. For example, categories: Management and Configuration will be associated with a group named Admin
- Each operator/user connecting to the app is associated with a group

Usage:
- Upon requests to the controller method the authorization is checked
- It is ofcourse required to first populate the tables with authorization data, so we can build a wrapper around it so for an HMVC approach, a module could call register_actions($actionResource, $category) upon installation or something.


I'm wondering what others think of this idea and I'm open for suggestions and improvements.

[eluser]solepixel[/eluser]
I think it's not a terrible way of dynamically approaching it, however what you may run into is issues when you are making AJAX calls to do things that require authorization, or you want to check permission on a page that doesn't exactly match up with the actions column in your database, for example a page that may call information from another section. So I think in the end, you're going to need to have some method of permission checking based on some inline code. My personal opinion is to handle these events in 2 methods:
Auth::access($key, $permission) and Auth::unauthorized($redirect)

Then place this code throughout various portions of your application. This may also allow you to add more defined permissions in the future, such as a filtered content.

Good Luck.

[eluser]flaky[/eluser]
I'm already building a similar solution, until now it has been working flawlessly (even with AJAX calls). My table names are pretty straight forward (eg. module, controller, method etc). To handle the permissions (authorized, not authorized, public method), I've written a Controller class Application and I've put it in the libraries folder, where every controller must extend from it. In the moment I'm doing research so the applied permissions are applied automatically to the gui (without if/else in views).

[eluser]Mark Croxton[/eluser]
Actually I think it's a bad idea to hardcode the uri (controller/action) to your resource. If you changed a method name or used routing then your resource could be exposed.

How about defining permissions in a more abstract sense (according to your application's business logic, e.g. 'view reports'), and checking in your controllers if the user has permission ($this->acl->has_permission('do something')) ? Much more robust.

[eluser]liri[/eluser]
@flaky - can you share your work with us? I'd appreciate looking at the tables design as well as the code for applying the actual permissions or some kind of flowchart explaining it.
I'm researching this too so maybe we can help each other

@mark - I understand this point though how would you actually restrict those methods which are required to process the query? you will still end up requiring some kind of 'translation mapping' between the business logic ('view reports') to the actual resource it's associated with (say, reporting/viewResources)