Creating fast, dynamic ACLs in Zend Framework
Transcript of Creating fast, dynamic ACLs in Zend Framework
- 1. Creating fast, dynamic ACLs in Zend Framework Wim Godden Cu.be Solutions
2. Who am I ?
- Wim Godden (@wimgtr)
3. Owner of Cu.be Solutions (http://cu.be) 4. PHP developer since 1997 5. Developer of OpenX 6. Zend Certified Engineer 7. Zend Framework Certified Engineer 8. MySQL Certified Developer 9. Talking about...
- Authentication
- -> Zend_Auth
Auditing
- -> Zend_Log
Authorization
- -> Zend_Acl
10. Authorization
- Wikipedia : "the function of specifying access rights to resources"
11. What's a resource ?
- Object (Article, Invoice, Document, ...)
12. Webpage 13. Database / table / row 14. ... 15. Standard ACL
- Access to resources is defined in privileges
16. Privileges are grouped together in roles 17. 2 types of roles:
- Anonymous / Unknown
18. Registered / Known 19. Zend_Acl : the good
- Flexible
20. Uses standard role / resource principles
- Recognizable -> easy to get started
No link to specific backend 21. Allow + deny 22. Proven, tested 23. Zend_Acl : the bad & ugly
- Complexity of rules rises quickly
24. Performance issues 25. All rules are in-code 26. -> maintainability becomes an issue 27. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'member' ),'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ),'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'member' ,'report' ); 28. Evolution of a portal $acl = new Zend_Acl(); $acl->addRole( new Zend_Acl_Role( 'guest' )); $acl->addRole( new Zend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( new Zend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( new Zend_Acl_Role( 'admin' ),'member' ); $acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->addResource( new Zend_Acl_Resource( 'report' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); 29. 
Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_senior_staff' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_marketing' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->addResource( newZend_Acl_Resource( 'newsletter' )); $acl->addResource( newZend_Acl_Resource( 'photo' )); $acl->addResource( newZend_Acl_Resource( 'faq' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); 30. 
Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_senior_staff' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_marketing' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'cook' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->addResource( newZend_Acl_Resource( 'newsletter' )); $acl->addResource( newZend_Acl_Resource( 'photo' )); $acl->addResource( newZend_Acl_Resource( 'faq' )); $acl->addResource( newZend_Acl_Resource( 'invoicing' )); $acl->addResource( newZend_Acl_Resource( 'stats' )); $acl->addResource( newZend_Acl_Resource( 'lunchmenu' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('cook', 'lunchmenu', 'edit'); $acl->allow('member', 'lunchmenu', 'view'); $acl->allow('accounting', 'invoicing', 'edit'); $acl->allow('admin', 'invoicing', 'edit'); $acl->allow('departmentC_senior_staff', 'invoicing', 'report'); 
31. Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_senior_staff' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_marketing' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'cook' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->addResource( newZend_Acl_Resource( 'newsletter' )); $acl->addResource( newZend_Acl_Resource( 'photo' )); $acl->addResource( newZend_Acl_Resource( 'faq' )); $acl->addResource( newZend_Acl_Resource( 'invoicing' )); $acl->addResource( newZend_Acl_Resource( 'stats' )); $acl->addResource( newZend_Acl_Resource( 'lunchmenu' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('cook', 'lunchmenu', 'edit'); $acl->allow('member', 'lunchmenu', 'view'); $acl->allow('accounting', 'invoicing', 'edit'); $acl->allow('admin', 'invoicing', 'edit'); $acl->allow('departmentC_senior_staff', 'invoicing', 
'report'); 32. Hard to ...
- maintain all rules
33. keep track of the rules 34. debug the rules 35. Possible solution : database
- Extend Zend_Acl to database driven design
36. Good : no code changes required 37. Bad : more load on DB 38. A different approach
- Not THE solution, merely A solution
39. Uses database, but... 40. Additional caching layer 41. ZF Conventional Modular Directory Structure 42. Backend interface for easy management
- with a twist !
43. Different resources
- Zend_ACL :
$acl->addResource( new Zend_Acl_Resource( 'cms' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' );
- Access to :
- Controller : cms
44. Action : view / edit Why not integrate with the request itself ? 45. Controller plugins 46. Zend_Acl as a controller plugin