User Authorization

#1
[eluser]Angilo[/eluser]
Hi,

We are currently developing our application, CI being the framework.
The application is a backoffice, every user needs to be checked whether he's authorized to view the page or not.

Therefor we have an user account control module. The user has no access, unless specified different. Every page needs to be checked. I wonder how to realize this in CI.

One thing that would come up to my mind is Hooks.

The hook would look something like this:

Code:
$hook['post_controller_constructor'] = array(
                                'class'    => 'UAC',
                                'function' => '',
                                'filename' => 'uac.php',
                                'filepath' => 'hooks',
                                'params'   => ''
                                );

Here, the constructor is being called. But in the constructor of every controller, a code like this needs to be implemented.

Code:
$this->UAC->isAllowed('user', 'action');

I wonder how to achieve this in CI. Does anyone have any suggestions? I think it is not a hook what I'm looking for.

Greetings

#2
[eluser]WanWizard[/eluser]
Depends on where you get your definition of user and action.

To determine the user, you need the database and the session to be available. If action can be related to the page, you could do this based on the URI. If you need to look it up, database access is required.

I have a similar library which, based on the user logged in, compiles a data structure with the users effective rights. This can be done either from a hook, or from the constructor of a MY_Controller extension. Having this data structure in place, my controller methods call the equivalent of $this->UAC->is_allowed('action') to check if access is allowed. Based on the result I either redirect to a 'no access' page, or take other action (p.e. to show something read-only, to disable update facilities, etc).

#3
[eluser]BrianL[/eluser]
Well one obvious way is to extend Controller (see manual) and always extend from the custom controller class instead of Controller. But I assume you already thought of that and considered it insufficient since you have an access control module.

What you really want is a access control list. The main point is authentication is not the same as authorization. If your application is complex enough, you will not only want to keep track of a user's "power level" or "access level" but exactly what tasks each user can do.

Refactoring your module to use access request objects and a tree-like structure would be trivial if you are a comp sci major. If you aren't then it's a little bit harder, but if your application is complex it is well worth your time.

#4
[eluser]Angilo[/eluser]
Thank you for your feedback.

Authorization can be the same as authentication. Just like BrianL states, our system is that complex. But it doesn't matter whether the access requested is a page view, an operation or an action. So, I don't want an access control list.
The module does use a tree-like structure, that is necessary for our application.

The thing I want to achieve now, is how to check the page. The function isAllowed strips the action. For example PAGE_FINANCE requests to view the finance page, while ACTION_FINANCE_CREDIT requests to perform the action Credit on the Finance page.

Of course, if we do not want to use that method due to any reason you can think off, the function isActionAllowed can be used, or isPageAllowed, etc.

I am the person that has to explore a new framework for our application, I think CI would be a good choice.

#5
[eluser]BrianL[/eluser]
CI is a good choice.

It is relatively trivial to check the page as WanWizard says by extending Controller and using sessions and database. Extend MY_Controller with Custom_controller, then extend Custom_controller with many various types of custom controllers corresponding to the level of access you want for a user, for example Public_controller, Secure_controller etc. Then finally extend your normal controllers off these custom controllers. I did this in half an hour with nearly no knowledge of CI (however I do have advanced PHP knowledge).

___


P.S. With words like "finance" and "credit" it looks like you are creating a mission critical application. In case you aren't one or don't have one already I strongly suggest you either hire someone who has developed secure applications CI before or at the very least take extra care to secure your CI install. Because your concern seems to be related to security in general ("any reason you can think of" say you) and I can think of many, many reasons that have little to do with CI and everything to do with PHP and webserver configuration and developer skill.

#6
[eluser]pbreit[/eluser]
Have a look at Ion Auth. It's lightweight but still full featured and actively managed.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.