2. Who am I ?
3. Owner of Cu.be Solutions (http://cu.be) 4. PHP developer since 1997 5. Developer of OpenX 6. Zend Certified Engineer 7. Zend Framework Certified Engineer 8. MySQL Certified Developer 9. Talking about...
Auditing
Authorization
10. Authorization
11. What's a resource ?
12. Webpage 13. Database / table / row 14. ... 15. Standard ACL
16. Privileges are grouped together in roles 17. 2 types of roles:
18. Registered / Known 19. Zend_Acl : the good
20. Uses standard role / resource principles
No link to specific backend 21. Allow + deny (deny is the default: anything not explicitly allowed is refused) 22. Proven, tested 23. Zend_Acl : the bad & ugly
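// 24. Performance issues
// 25. All rules are in-code
// 26. -> maintainability becomes an issue
// 27. Evolution of a portal
// First version: a single inheritance chain guest -> member -> admin.
// Zend_Acl is default-deny, and every role/resource named in a rule must be
// registered before it is referenced, otherwise Zend_Acl throws.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');

$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));

$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
// Redundant under default-deny but documents intent. Note that a rule set
// directly on a child role wins over an inherited one, so this deny is not a
// hard ceiling for roles that inherit from 'guest' (see 'member' below).
$acl->deny('guest', 'report');
$acl->allow('member', 'report');

// 28. Evolution of a portal
// Second version: departments are added alongside 'member'.
// Fix: the original dropped the 'member' registration while still using it
// as the parent of 'admin'; Zend_Acl's role registry rejects an unknown
// parent, so the original would throw when registering 'admin'.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');

$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));

$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
$acl->deny('guest', 'report');
// departmentA overrides the inherited deny for every privilege on 'report'.
$acl->allow('departmentA', 'report');
// 29.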
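// 29. Evolution of a portal
// Third version: more departments and resources.
// Fix: 'member' must stay registered — it is the parent of 'admin' and the
// subject of rules below (photo/view, faq/comment). The original omitted it,
// which Zend_Acl's role registry rejects at the first reference.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_senior_staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_marketing'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');

$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->addResource(new Zend_Acl_Resource('newsletter'));
$acl->addResource(new Zend_Acl_Resource('photo'));
$acl->addResource(new Zend_Acl_Resource('faq'));

$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
// Default-deny already refuses this; kept to make the intent explicit.
// A rule on a child role overrides the inherited one (departmentA below).
$acl->deny('guest', 'report');
$acl->allow('departmentA', 'report');
// Rules without a privilege argument cover every privilege on the resource.
$acl->deny('departmentC_senior_staff', 'newsletter');
$acl->allow('departmentC_marketing', 'newsletter');
$acl->allow('member', 'photo', 'view');
$acl->allow('departmentC_marketing', 'photo', 'upload');
$acl->allow('admin', 'photo', 'delete');
$acl->allow('guest', 'faq', 'view');
$acl->allow('member', 'faq', 'comment');
$acl->allow('departmentA', 'faq', 'edit');
$acl->allow('departmentC_senior_staff', 'faq', 'edit');
$acl->allow('admin', 'faq', 'edit');
// 30.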
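// 30. Evolution of a portal
// Fourth version: cook/accounting, invoicing, stats and lunchmenu.
// Fixes against the original:
//  - 'member' is registered (parent of 'admin', subject of several rules);
//  - 'accounting' is registered before it is granted invoicing/edit — the
//    original never registered it, which Zend_Acl's role registry rejects.
//    It is attached to 'guest' like every other department; confirm the
//    intended parent with the portal owner.
//  - six rules that were listed twice are stated once (same effect).
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_senior_staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_marketing'), 'guest');
$acl->addRole(new Zend_Acl_Role('cook'), 'guest');
$acl->addRole(new Zend_Acl_Role('accounting'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');

$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->addResource(new Zend_Acl_Resource('newsletter'));
$acl->addResource(new Zend_Acl_Resource('photo'));
$acl->addResource(new Zend_Acl_Resource('faq'));
$acl->addResource(new Zend_Acl_Resource('invoicing'));
// 'stats' has no rule below: under default-deny nobody can reach it.
$acl->addResource(new Zend_Acl_Resource('stats'));
$acl->addResource(new Zend_Acl_Resource('lunchmenu'));

$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
// Explicit deny is redundant under default-deny; a child role's own rule
// still overrides it (departmentA below).
$acl->deny('guest', 'report');
$acl->allow('departmentA', 'report');
// Rules without a privilege argument cover every privilege on the resource.
$acl->deny('departmentC_senior_staff', 'newsletter');
$acl->allow('departmentC_marketing', 'newsletter');
$acl->allow('member', 'photo', 'view');
$acl->allow('departmentC_marketing', 'photo', 'upload');
$acl->allow('admin', 'photo', 'delete');
$acl->allow('guest', 'faq', 'view');
$acl->allow('member', 'faq', 'comment');
$acl->allow('departmentA', 'faq', 'edit');
$acl->allow('departmentC_senior_staff', 'faq', 'edit');
$acl->allow('admin', 'faq', 'edit');
$acl->allow('cook', 'lunchmenu', 'edit');
$acl->allow('member', 'lunchmenu', 'view');
$acl->allow('accounting', 'invoicing', 'edit');
$acl->allow('admin', 'invoicing', 'edit');
$acl->allow('departmentC_senior_staff', 'invoicing', 'report');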
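// 31. Evolution of a portal
// Same rule set as the previous slide, shown again to make the sprawl
// visible. Fixes against the original:
//  - 'member' is registered (parent of 'admin', subject of several rules);
//  - 'accounting' is registered before it is granted invoicing/edit — the
//    original never registered it, which Zend_Acl's role registry rejects.
//    It is attached to 'guest' like every other department; confirm the
//    intended parent with the portal owner.
//  - six rules that were listed twice are stated once (same effect).
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentA'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentB'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_senior_staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('departmentC_marketing'), 'guest');
$acl->addRole(new Zend_Acl_Role('cook'), 'guest');
$acl->addRole(new Zend_Acl_Role('accounting'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'member');

$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->addResource(new Zend_Acl_Resource('report'));
$acl->addResource(new Zend_Acl_Resource('newsletter'));
$acl->addResource(new Zend_Acl_Resource('photo'));
$acl->addResource(new Zend_Acl_Resource('faq'));
$acl->addResource(new Zend_Acl_Resource('invoicing'));
// 'stats' has no rule below: under default-deny nobody can reach it.
$acl->addResource(new Zend_Acl_Resource('stats'));
$acl->addResource(new Zend_Acl_Resource('lunchmenu'));

$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
// Explicit deny is redundant under default-deny; a child role's own rule
// still overrides it (departmentA below).
$acl->deny('guest', 'report');
$acl->allow('departmentA', 'report');
// Rules without a privilege argument cover every privilege on the resource.
$acl->deny('departmentC_senior_staff', 'newsletter');
$acl->allow('departmentC_marketing', 'newsletter');
$acl->allow('member', 'photo', 'view');
$acl->allow('departmentC_marketing', 'photo', 'upload');
$acl->allow('admin', 'photo', 'delete');
$acl->allow('guest', 'faq', 'view');
$acl->allow('member', 'faq', 'comment');
$acl->allow('departmentA', 'faq', 'edit');
$acl->allow('departmentC_senior_staff', 'faq', 'edit');
$acl->allow('admin', 'faq', 'edit');
$acl->allow('cook', 'lunchmenu', 'edit');
$acl->allow('member', 'lunchmenu', 'view');
$acl->allow('accounting', 'invoicing', 'edit');
$acl->allow('admin', 'invoicing', 'edit');
$acl->allow('departmentC_senior_staff', 'invoicing', 'report');
// 32. Hard to ...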
33. keep track of the rules 34. debug the rules 35. Possible solution : database
36. Good : no code changes required 37. Bad : more load on DB; rules also leave version control and code review, so every change to the rule table should be logged and the table writable only through the management backend 38. A different approach
39. Uses database, but... 40. Additional caching layer (cached rules must be invalidated whenever a role or rule changes — otherwise a revoked privilege stays effective until the cache expires) 41. ZF Conventional Modular Directory Structure 42. Backend interface for easy management (the backend edits the rules, so it must itself be a registered resource allowed only to administrators)
43. Different resources
// 43. Different resources — excerpt: 'cms' is a resource, 'view' and 'edit'
// are privileges on it. Roles 'guest' and 'admin' are assumed to be
// registered earlier (not shown on this slide).
$acl->addResource(new Zend_Acl_Resource('cms'));
$acl->allow('guest', 'cms', 'view');
$acl->allow('admin', 'cms', 'edit');
44. Action : view / edit Why not integrate with the request itself ? 45. Controller plugins 46. Zend_Acl as a controller plugin (run the check in preDispatch, before the action executes; a controller/action with no matching resource or rule must be treated as denied, never as allowed)