PHP Access Control System

Question

I am part of a team creating a web application using PHP and MySQL. The application will have multiple users with different roles. The application will also be used in a geo

Answer 1

I was in similar situation few months ago. I found that tools like Zend_ACL work great if you just check access level to single item (or reasonably low number of them). It fails when you need to get a huge list of items the user is allowed to access. I crafted custom solution to this problem using Business Delegate pattern. BD provides business logic that can be applied in specific context. In this scenario a SQL logic was delivered and used as filtering condition in subselect. See the following diagrams:

_{(source: epsi.pl)}

And sequence diagram that illustrates calls order:

_{(source: epsi.pl)}

I blogged about this solution, unfortunately it's all in Polish, but you may find pieces of code and diagrams handy. What I can say, the implementation is not a piece of cake, but performance-wise it's a champion when compared to iterative access checking for each element on the list. Moreover, the infrastructure above handles not only one type of items on the list. It can serve when accessing different lists, be it list of cities, countries, products, or documents as long as items on the list implement IAuthorizable interface.

Answer 2

Don't know about the details of your problem but the Zend Framework has a rather potent ACL and AUTH set of components you may want to look at. Good stuff like very precise access control, storing data for persistance, advanced conditional rules.

Answer 3

It seems to me like what you need is this: (I'll use a country/state/city example)

1. A list of all countries. Each "country" has an ID.
2. A list of all States within countries. Each state is bound to the ID of the coutnry, but also has its own unique ID.
3. A list of all cities. Each city is bound to either a state, or directly to a country, and has a flag to indicate which.

For a city user, obviously search for and display only those records pertaining to the city that matches their ID. For a state or national level though, search for all records pertaining to each city that has an ID matching that nation (or state or what have you).

So basically, each sub group is dependant on the group above it, and although I don't recall correctly, I believe you can use sub queries to do the trick from there.

Answer 4

If you don't know how to do this I would use a php framework like Zend Framework, CakePHP, or Symfony. They have done the heavy lifting for you and have some type of access control scheme already in place.

Answer 5

I have similar solution to build and so far I've decided to use specifications and roles, so in fact one role would have some privilege specifications attached. If they all are satisfied, the permission is granted, otherwise - it falls back to the resource default access.

I was looking over to find someone already implementing the solution, but it seems no one did. Let's hope it won't be a fail :)