Monday, August 25, 2008

Re: [fw-auth] User groups with database

I'm curious about a solution to this using ZF as well ... Many sites talk
about using Zend_Acl, but it's a manual process to create a full graph. If
anyone knows of best practices to solve this, it would be great to post a
solution.

Thanks,
Chris


On 8/25/08 7:38 PM, "Michael B Allen" <ioplex@gmail.com> wrote:

> On Mon, Aug 25, 2008 at 8:58 PM, DanielSousa <danielosousa@gmail.com> wrote:
>>
>> Hello,
>>
>> I'm starting with Zend Framework and I want the system to check whether the
>> user has access to a page or not, using a database.
>>
>> Like this
>>
>> Group user
>>   user1
>>     Page1
>>     Page2
>>     Page3
>>   user2
>>     Page1
>>     Page3
>>
>> Group Admin
>>   user3
>>     Page4
>>     Page5
>>   user4
>>     Page4
>>
>> What components do I have to use? Does anyone have something like this?
>
> Zend Framework does not really have anything to help with this. There
> is a Zend_Acl component but that only defines how to interface with an
> ACL. Last I checked it doesn't actually do any work.
>
> This sort of thing is actually a little harder than it looks.
>
> First, you need to identify the resources being protected and then
> design your application so that those resources are always accessed by
> the same name. For example, in your above example, you assume content
> is specific to pages. But that's actually a little unusual as there
> are frequently multiple ways to access the same content. So if the
> name you are using with your ACL is the controller route name like
> products/widget1, can the user bypass your security mechanism by
> accessing mobile/products/widget1 or company/../products/widget1
> instead?
>
> Another issue is performance. Are you going to query the database with
> each request to determine which groups the user is in? If you are
> using an Access Control List (ACL) instead of just a single group ID
> to define which groups have access to the resource, are you going to
> be comparing long lists of strings? Ideally the user's groups and ACL
> entries (ACEs) should both be a list of integers because they do not
> require a lot of space and can be quickly and uniquely compared in an
> access control loop. You should only deal with actual group names in
> your administration screen and possibly in a few places in your code
> where you actually have group names.
>
> In general you will need to store and associate a group ID or list of
> group IDs (an ACL) with each resource being protected and then perform
> an access check whenever someone tries to access that resource.
> Personally I like to use a static "Auth" object representing the
> current security context of the user with an isMemberOf() method that
> retrieves and caches the group ID list and then use that method in a
> loop to perform an access control check with the supplied ACL. In your
> case it sounds like you will want to assign a group ID or list of
> group IDs to each controller route and then perform the said access
> control check in a post-router hook.
>
> Mike
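The design Mike sketches above (a static Auth context that caches the user's group IDs as integers, an ACL that is just a list of integer group IDs, and an access check run from a post-router hook) can be put together in Zend Framework 1 roughly as follows. This is an added example written for this page, not code posted by anyone in the thread; the `user_groups` table, the PDO handle, the hard-coded resource-to-ACL map and the `error/forbidden` action are all assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): static Auth security context with a
// cached integer group-ID list, an integer-list ACL per controller route, and
// a routeShutdown() plugin that performs the check after routing has resolved
// the canonical module/controller/action. Schema and table names are assumed.

class Auth
{
    private static $db = null;        // PDO handle, injected at bootstrap
    private static $userId = null;    // null = anonymous request
    private static $groupIds = null;  // cached integer group IDs, loaded once

    public static function init(PDO $db, $userId)
    {
        self::$db = $db;
        self::$userId = ($userId === null) ? null : (int) $userId;
        self::$groupIds = null;       // discard any cache from a previous user
    }

    // Query the database at most once per request; afterwards the list is
    // served from memory, so isMemberOf() is cheap inside the access loop.
    public static function getGroupIds()
    {
        if (self::$groupIds === null) {
            self::$groupIds = array();
            if (self::$userId !== null) {
                // assumed schema: user_groups(user_id INT, group_id INT)
                $stmt = self::$db->prepare(
                    'SELECT group_id FROM user_groups WHERE user_id = ?');
                $stmt->execute(array(self::$userId));
                foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $gid) {
                    self::$groupIds[] = (int) $gid;
                }
            }
        }
        return self::$groupIds;
    }

    public static function isMemberOf($groupId)
    {
        return in_array((int) $groupId, self::getGroupIds(), true);
    }

    // The access control loop: each ACE is an integer group ID, and access is
    // granted as soon as one ACE matches a group the user belongs to.
    public static function checkAccess(array $acl)
    {
        foreach ($acl as $groupId) {
            if (self::isMemberOf($groupId)) {
                return true;
            }
        }
        return false;
    }
}

class AccessControlPlugin extends Zend_Controller_Plugin_Abstract
{
    // Constructed example group IDs; real values come from the admin screen.
    const GROUP_USER  = 1;
    const GROUP_ADMIN = 2;

    // Resource name => ACL. Keyed on the routed module/controller/action, so
    // every URL that routes to the same action hits the same entry.
    private $resourceAcls = array(
        'default/page/one'  => array(self::GROUP_USER, self::GROUP_ADMIN),
        'default/page/four' => array(self::GROUP_ADMIN),
    );

    // routeShutdown() runs once the router has resolved the request and before
    // anything is dispatched: the "post-router hook" from the reply above.
    public function routeShutdown(Zend_Controller_Request_Abstract $request)
    {
        $resource = $request->getModuleName() . '/'
                  . $request->getControllerName() . '/'
                  . $request->getActionName();

        // Deny by default: a resource with no ACL entry is not reachable.
        $acl = isset($this->resourceAcls[$resource])
             ? $this->resourceAcls[$resource] : array();

        if (!Auth::checkAccess($acl)) {
            // Redirect the dispatch to an assumed error/forbidden action.
            $request->setModuleName('default');
            $request->setControllerName('error');
            $request->setActionName('forbidden');
        }
    }
}
```

At bootstrap you would call `Auth::init($pdo, $sessionUserId)` with the user ID taken from the authenticated session (or `null` for anonymous requests) and register the plugin with `Zend_Controller_Front::getInstance()->registerPlugin(new AccessControlPlugin());`. Keying the ACL on the routed module/controller/action rather than on the request URI is what answers the `mobile/products/widget1` versus `products/widget1` bypass concern: whatever path the client types, the check sees the name the router actually resolved. Group names never appear in the check itself; only the admin screen that edits `$resourceAcls` and `user_groups` needs them.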

No comments: