Access control adapters
Don't use this in production. It's an early alpha release.
Requirements
- PHP 5.4
- This plugin needs li3_behaviors (only if you intend to use the DbAcl adapter).
- This plugin needs li3_tree (only if you intend to use the DbAcl adapter).
- This plugin needs li3_fixtures (only if you intend to run DbAcl adapter tests).
Installation
Check out the code into either of your library directories:
cd libraries
git clone git@github.com:jails/li3_access.git
Include the library in your /app/config/bootstrap/libraries.php:
Libraries::add('li3_access');
Presentation
This plugin provides a couple of adapters for managing access control in your application. It can manage a simple rule-based system as well as an access control list system. Access control lists are a way to manage application permissions in a fine-grained way. They are not as fast as a rule-based system but allow further control over your application/models.
API
Simple adapter:
The simple adapter only checks that the passed data is not empty.
Access::config(['simple' => ['adapter' => 'Simple']]);
Access::check('rules', ['username' => 'Max']); //return `true`
Access::check('rules', true); //return `true`
Access::check('rules', []); //return `false`
Rule adapter:
The rule adapter checks access using a predefined or custom closure. To use this adapter, configure Access as follows:
Access::config(['rules' => ['adapter' => 'Rules']]);
The rules adapter already contains the following rules: 'allowAll', 'denyAll', 'allowAnyUser', 'allowIp'.
Example of use:
$user = Auth::check('auth_config_name');
Access::check('rules', $user, $request, ['rules' => ['allowAnyUser']]);
$user = User::find('first', ['username' => 'psychic']);
Access::check('rules', $user, $request, ['rules' => ['allowAnyUser']]);
Rule with parameters:
Access::check('rules', null, $request, [
    'rules' => [
        'allowIp' => [
            'ip' => '/10\.0\.1\.\d+/' //parameter to pass to the `'allowIp'` closure.
        ]
    ]
]);
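A caveat on the 'ip' pattern above, shown as an added example (not code from li3_access): it assumes the pattern is applied to the client address with preg_match(), as its /.../ delimiters suggest, and ipAllowed() is a hypothetical helper. Without anchors the pattern matches anywhere in the string, so addresses outside 10.0.1.x that merely contain that text also pass; anchoring the pattern restricts it to the intended range.

```php
<?php
// Added example, not part of li3_access.
// Assumption: the 'ip' parameter is matched against the client address with preg_match().

/**
 * Hypothetical helper: true when $ip is a well-formed IPv4 address
 * and matches the allow-list $pattern.
 */
function ipAllowed($pattern, $ip)
{
    // Reject anything that is not a valid IPv4 address before matching.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    return preg_match($pattern, $ip) === 1;
}

// Pattern as written in the README example: no anchors.
$unanchored = '/10\.0\.1\.\d+/';
// Same range, but the whole address has to match from start to end.
$anchored = '/\A10\.0\.1\.\d{1,3}\z/';

// Constructed sample addresses.
$samples = [
    '10.0.1.25',   // inside the intended 10.0.1.x range
    '210.0.1.25',  // different network, but contains "10.0.1.25"
    '110.0.1.7',   // different network, but contains "10.0.1.7"
    '10.0.2.25',   // neighbouring range
];

printf("%-12s  %-10s  %-10s\n", 'address', 'unanchored', 'anchored');
foreach ($samples as $ip) {
    printf(
        "%-12s  %-10s  %-10s\n",
        $ip,
        ipAllowed($unanchored, $ip) ? 'allow' : 'deny',
        ipAllowed($anchored, $ip) ? 'allow' : 'deny'
    );
}
```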
You can add a custom rule with ::config():
Access::config(['rules' => [
    'adapter' => 'Rules',
    'rules' => [
        'testDeny' => [
            'message' => 'Access denied.',
            'rule' => function($requester) {
                return false;
            }
        ]
    ]
]]);
or dynamically with:
Access::rules('rules', 'testDeny', function($requester) { return false; }, [
    'message' => 'Access denied.'
]);
DbAcl adapter:
This adapter currently works only with SQL databases (i.e. MySQL, PostgreSQL and Sqlite3).
Access::config(['acl' => ['adapter' => 'DbAcl']]);
Access control lists, or ACL, handle two main things: things that want stuff, and things that are wanted. This is usually represented by:
- Access Control Object (Aco), i.e. something that is wanted
- Access Request Object (Aro), i.e. something that wants something
Between Acos and Aros there are permissions, which define the access privileges between Aros and Acos.
Below is the schema needed to make things work out of the box with a MySQL database:
DROP TABLE IF EXISTS `acos`;
CREATE TABLE `acos` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `parent_id` int(10) DEFAULT NULL,
  `class` varchar(255) DEFAULT NULL,
  `fk_id` int(10) DEFAULT NULL,
  `alias` varchar(255) DEFAULT NULL,
  `lft` int(10) DEFAULT NULL,
  `rght` int(10) DEFAULT NULL,
  PRIMARY KEY (`id`)
);
DROP TABLE IF EXISTS `aros`;
CREATE TABLE `aros` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `parent_id` int(10) DEFAULT NULL,
  `class` varchar(255) DEFAULT NULL,
  `fk_id` int(10) DEFAULT NULL,
  `alias` varchar(255) DEFAULT NULL,
  `lft` int(10) DEFAULT NULL,
  `rght` int(10) DEFAULT NULL,
  PRIMARY KEY (`id`)
);
DROP TABLE IF EXISTS `permissions`;
CREATE TABLE `permissions` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `aro_id` int(10) NOT NULL,
  `aco_id` int(10) NOT NULL,
  `privileges` text,
  PRIMARY KEY (`id`)
);
Of course, you need to adapt this schema to your own SQL database.
Once Acos and Aros are correctly defined (see the tests' fixtures for a better understanding of what Acos and Aros look like), you can add privileges:
Access::allow('acl', 'admin/max', 'controller/backend', ['read', 'create', 'update', 'delete']);
//or:
Access::allow('acl', 'admin/max', 'controller/backend', 'publish');
//or:
$user = User::find('first', ['username' => 'max']);
Access::allow('acl', $user, 'controller/backend', ['read', 'create', 'update', 'publish']);
You can remove privileges:
Access::deny('acl', 'user/joe', 'controller/backend', ['delete']);
Use Access::check() to check some privileges:
Access::check('acl', 'user/joe', 'controller/backend', ['delete']);
Or Access::get() to retrieve all privileges for an Aro/Aco:
Access::get('acl', 'user/joe', 'controller/backend');
Greetings
The li3 team, Tom Maiaroto, Weluse, rich97, CakePHP's ACL, Pamela Anderson and all others who made this possible.