Monday, August 25, 2008

Re: [fw-auth] User groups with database

On Mon, Aug 25, 2008 at 8:58 PM, DanielSousa <danielosousa@gmail.com> wrote:
>
> Hello,
>
> I'm starting with Zend Framework and I want the system to check whether the user has
> access to that page or not, with a database.
>
> Like this
>
> Group user
> user1
> Page1
> Page2
> Page3
> user2
> Page1
> Page3
>
> Group Admin
> user3
> Page4
> Page5
> user4
> Page4
>
> What components do I have to use? Does anyone have something like this?

Zend Framework does not really have anything to help with this. There
is a Zend_Acl component but that only defines how to interface with an
ACL. Last I checked it doesn't actually do any work.

This sort of thing is actually a little harder than it looks.

First, you need to identify the resources being protected and then
design your application so that those resources are always accessed by
the same name. For example, in your above example, you assume content
is specific to pages. But that's actually a little unusual as there
are frequently multiple ways to access the same content. So if the
name you are using with your ACL is the controller route name like
products/widget1, can the user bypass your security mechanism by
accessing mobile/products/widget1 or company/../products/widget1
instead?

Another issue is performance. Are you going to query the database with
each request to determine which groups the user is in? If you are
using an Access Control List (ACL) instead of just a single group ID
to define which groups have access to the resource, are you going to
be comparing long lists of strings? Ideally the user's groups and ACL
entries (ACEs) should both be a list of integers because they do not
require a lot of space and can be quickly and uniquely compared in an
access control loop. You should only deal with actual group names in
your administration screen and possibly in a few places in your code
where you actually have group names.

In general you will need to store and associate a group ID or list of
group IDs (an ACL) with each resource being protected and then perform
an access check whenever someone tries to access that resource.
Personally I like to use a static "Auth" object representing the
current security context of the user with an isMemberOf() method that
retrieves and caches the group ID list and then use that method in a
loop to perform an access control check with the supplied ACL. In your
case it sounds like you will want to assign a group ID or list of
group IDs to each controller route and then perform the said access
control check in a post-router hook.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
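The static Auth object, the integer-only ACL loop and the per-route check that Mike describes, written out as an added example in PHP (not code from the thread or from Zend Framework). The class name Auth, isMemberOf(), checkRoute() and the group/route data are assumptions; a real application would call checkRoute() from its post-router hook with the routed controller and action.

```php
<?php
// Added example (not the thread's code); constructed data stands in for the DB.
// Security context of the current user: group IDs are loaded once and cached,
// so repeated checks neither hit the database nor compare strings.
class Auth
{
    private static $userId = null;
    private static $groupIds = null;   // array of ints; null = not loaded yet
    public static function login($userId)
    {
        self::$userId = (int) $userId;
        self::$groupIds = null;        // drop the cache for the new user
    }
    public static function isMemberOf($groupId)
    {
        if (self::$groupIds === null) {
            self::$groupIds = self::loadGroupIds(self::$userId);
        }
        return in_array((int) $groupId, self::$groupIds, true);
    }
    // Stand-in for "SELECT group_id FROM user_groups WHERE user_id = ?".
    // Constructed data: group 10 = "user", group 20 = "admin".
    private static function loadGroupIds($userId)
    {
        $table = array(1 => array(10), 3 => array(10, 20));
        return isset($table[$userId]) ? $table[$userId] : array();
    }
}

// An ACL is a list of integer group IDs; membership in any one grants access.
function isAllowed(array $acl)
{
    foreach ($acl as $groupId) {
        if (Auth::isMemberOf($groupId)) {
            return true;
        }
    }
    return false;
}

// ACL per canonical "controller/action" name. A post-router hook would build
// this key from the routed controller/action, never from the raw URL, so an
// alias path cannot reach a route under another name. Unlisted routes: denied.
function checkRoute($controller, $action, array $routeAcls)
{
    $key = strtolower($controller) . '/' . strtolower($action);
    return isset($routeAcls[$key]) && isAllowed($routeAcls[$key]);
}

$routeAcls = array('products/index' => array(10, 20), 'admin/index' => array(20));
Auth::login(1);
var_dump(checkRoute('products', 'index', $routeAcls), checkRoute('admin', 'index', $routeAcls));
```

Deny-by-default in checkRoute() means a newly added controller is unreachable until an administrator assigns it a group list, which is the safe failure mode for this design.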
