Im working on a "what I thought would be simple" application using zend framework. This is my 4th application with zf, but my first with a dynamic ACL. Application uses standard MVC setup with Model/Domain Layer consisting of a Service Layer to access my Models(popo) which are mapped through Mappers. For each Model I have a corresponding Service and Mapper. I would like to have my UserModel implement the Role interface and then all my model based services implement the Resource interface. Also I would like to have specified predefined privileges based on static roles, but also be able to change specified privileges for each user based on the user's role(s);
So for instance:
I role of 'vendor' that by default has access to the 'invoice' resource with 'create', 'edit' and 'view' privileges.
So my InvoiceService I would would be the 'invoice' resource with methods create, edit, view, and delete(but by default only role admin could delete an invoice.
For a specific user with role of vendor I would like to be able to grant delete privilege, or for another user with vendor role I might like to be able to deny edit privilege. This im thinking would have to be persisted in some way and dynamically loaded.
So to my actual question(s).
Am I going about this the wrong way?
Also how could a solution like this be implemented with Zend Navigation?
Any ideas pointers lessons feedback would be greatly appreciated.
Sorry if I have done a crap job with my explanation been up all night.
Yes, as David said you are on the right track. Zend_Navigation plays very nicely with Zend_Acl. You can define your navigation in an xml or ini file, assigning each page a resource and required privilege, and then inject the ACL and the navigation container into the navigation view helper. You can also set the current role for the navigation helper to whomever is currently logged in, which will show or hide navigation elements based on the ACL.
I will say that defining all those pages in a navigation container is a bit tedious and verbose, but not difficult.
As for defining your ACL, you can do something as simple as defining all your roles and resources in a single php file, or you can have a more flexible approach and store this information in a database and build the acl. You'd definitely want to cache the ACL with the latter approach.
Related
i'm new in oracle apex. I want to make a custom authorization based on the user role (manager or employee). I have make an UI for the manager to custom the access role based on the user role when the user click on the checkbox and when click save button (not working for now), the user must be able to access the form based on their access. Anyone know how to do that? Please help. Thank you
The custom access form
This is a very broad question, hard to answer in a single answer. I can give you some form of direction but not a detailed answer:
This is a form of a roles/responsibilities implementation. A user gets a role (employee) but in the application every functionality is tied to a responsibility (eg time sheet, user profile). This is one way to implement this:
create a user/role mapping table. A user has a row for every role he has, eg User "John" has role "Employee"
create a role/responsibility mapping table. One row for every responsibility that is granted to a role. This table will be populated from the screen that you posted the screenshot for
create one authorization scheme in the application for every responsibility you create (one for time sheet, one for user profile, etc). In this authorization scheme you check if there is a row for the current user joined to the user/role mapping table and to the role/responsibility mapping table
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
I am new in apache shiro, and I read almost 60% of tutorials in apache shiro page.
It is a wonderful framework, however I wonder if it can meet my requirements.
I am interested in the permission-based authentication.
For example, to make sure if the user have the permission of delete resources, we can use this:
currentUser.isPermitted( "resource:delete" );
However in our application, even a user have the permission of delete resources, he can only delete some specified resources, not all of them.
For example(just an exmaple), the resource have an filed named createdby to record the one who create this resource.
Now user can only delete the resources created by himself if he have the resouce:delete permission.
In fact, the resources which can be deleted by the user(who have authenticated and have delete permission) will be calculated by more constraints.
Now how to make shiro work in this suitation?
You can do this in Shiro but you will have to write some code. Either create a subclass of Authorizer and inject it into the security manager or create a subclass of one of the realm classes such as JdbcRealm. Then override the isPermitted method. This will need to have access to your permissions model, for example the database table or a document in a NoSQL database.
Your call to isPermitted will need to specify the resource you are deleting so you can look it up in your overridden method.
If you override the isPermitted method in the AuthorizingRealm subclass you will have access to the logged in user's principals and the user's Roles: this gives you quite a bit of flexibility because you can have says: user (principal) Fred with roles: Manager, Administrator. Your permissions model can then decide if Fred, a Manager or and Administrator can perform the task on the specified resource.
Hope that gives you some ideas.
From the extent, I have explored Shiro, I don't think it gives that level of flexibility to have a customized check. It basically functions based on roles and permission defined in the config file.
For this functionality I would suggest that you display only those records the user is allowed to delete, by have this check at query fetch level. (or) add a condition at the UI level not display the delete button if logged in user is same as created by. This is just a suggestion.
Maybe I'm using the wrong terms, but I've been Googling for two days and just can't find anything on this: grouping roles/permissions. Or maybe I don't quite understand membership in the ASP.Net model.
Currently I have a homegrown authentication system in a PHP site, with users, permissions, and roles. Each role (such as "User" or "Technician") is made up of individual permissions (such as "Add New User" or "Close Ticket"). The site is MVC-based, so when the controller action is called, it looks for a basic permission. If not found, it displays an unauthorized page. When it searches for permissions, it looks inside the role groups. However, a user can be a part of the "User" role and have additional permissions without being part of another role.
How would that translate over to MVC2?
The website has a database tables for the user, user_to_permissions, user_to_roles, permissions, roles, and roles_to_permissions. I think the relationships are pretty self-explanatory. I think I'll need to maintain my own database tables for the users, so I'll have custom forms to add/update their info, and obviously a custom login routine.
Can this even work?
RoleProvider "roles" are really just permissions. You can roll them up and present them however you like in your UI (see, for example, AzMan and AuthorizationStoreRoleProvider), but that's up to you. They're not really hierarchical.
We have a multi-tenant system with multiple different levels of access--sometimes even for the same user as they switch between multiple roles. We're beginning a discussion on moving over to a RESTful implementation of things. I'm just starting to get my feet wet with the whole REST thing.
So how do I go about limiting access to the correct records when they access a resource, particularly when taking caching into consideration? If user A access example.com/employees they would receive a different response than user B; user A may even receive a different response as he switches to a different role. To help facilitate caching, should the id of the role be somehow incorporated into the uri? Maybe something like example.com/employees/123 (which violates the rules of REST), or as some sort of subordinate resource like example.com/employees/role/123 (which seems silly, since role/### is going to be appended to URIs all over the place). I can help but think I'm missing something here.
edited to mention multi-tenancy
Having the user credentials act as an out of band resource identifier (ie. presenting different views on the same URL to different roles) will turn nasty down the road. Users and applications exchange URLs between them, things turn sour when that happens and the URL simply returns different content for different credentials.
I would say that each role has a different view of the world, therefore each role should access a different path to the service:
admins connect to example.com/admin/employees
users connect to example.com/users/employees
role foo probably connects to example.com/foo/employees
This way you separate the 'this role sees the world as such and such' part from the 'this view of the world is accessible to role foo' part. An admin can connect to example.com/users/employees and verify how an ordinary user sees the world, w/o the admin having to impersonate a lower privileged alias first.
You can also use the DNS part for same purpose: admin.example.com/employees vs. users.example.com/employees. This is specially viable for a related scenario, when the 'role' is not a security role but a multi-tenant namespace (ie. each service provisioned account gets its own 'view' of the service).