No description, website, or topics provided.
PHP
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
extensions/adapter/security/access
security
tests
.travis.yml
LICENSE.txt
README.md
composer.json

README.md

Access control adapters

Don't use this in production. It's an early alpha release.

Requirements

  • PHP 5.4
  • This plugin needs li3_behaviors (only if you intend to use the DbAcl adapter).
  • This plugin needs li3_tree (only if you intend to use the DbAcl adapter).
  • This plugin needs li3_fixtures (only if you intend to run DbAcl adapter tests).

Installation

Checkout the code to either of your library directories:

cd libraries
git clone git@github.com:jails/li3_access.git

Include the library in your /app/config/bootstrap/libraries.php

Libraries::add('li3_access');

Presentation

This plugin provide a couple of adapters for managing access control into your application. It can manage simple rule based system as well as access control lists system. Access control lists are a way to manage application permissions in a fine-grained. It's not as fast as rule based system but allow further control on your application/models.

API

Simple adapter:

The simple adapter only checks that the passed data is not empty.

Access::config('simple' => ['adapter' => 'Simple']);
Access::check('rules', ['username' => 'Max']); //return `true`
Access::check('rules', true); //return `true`
Access::check('rules', []); //return `false`

Rule adapter:

The rule adapter check access from a predefinied/custom closure. To use this adapter configure Access like the following:

Access::config('rules', ['adapter' => 'Rules']);

The rules adpater already contains the following rules: 'allowAll', 'denyAll', 'allowAnyUser', 'allowIp'.

Example of use:

$user = Auth::check('auth_config_name');
Access::check('rules', $user, $request, ['rules' => ['allowAnyUser']]);

$user = User::find('first', ['username' => 'psychic']);
Access::check('rules', $user, $request, ['rules' => ['allowAnyUser']]);

Rule with parameters:

Access::check('rules', null, $request,  [
	'rules' => [
		'allowIp' => [
			'ip' => '/10\.0\.1\.\d+/' //parameter to pass to the `'allowIp'` closure.
		]
	]
]);

You can add custom rule on ::config():

Access::config('rules' => [
	'adapter' => 'Rules',
	'rules' => [
		'testDeny' => [
			'message' => 'Access denied.',
			'rule' => function($requester) {
				return false;
			}
		]
	]
]);

or dynamically with:

Access::rules('rules', 'testDeny', function($requester) { return false; }, [
	'message' => 'Access denied.'
]);

DbAcl adapter:

This adapter currently works for only SQL databases (i.e MySQL, PostgreSQL and Sqlite3).

Access::config('acl' => ['adapter' => 'DbAcl']);

Access control lists, or ACL, handle two main things: things that want stuff, and things that are wanted. This is usually represented by:

  • Access Control Object (Aco), i.e. something that is wanted
  • Access Request Object (Aro), i.e. Something that wants something

And beetween Acos and Aros, there's permissions which define the access privileges beetween Aros and Acos.

Above, the schema needed to makes things works out of the box for a MySQL database:

DROP TABLE IF EXISTS `acos`;
CREATE TABLE `acos` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `parent_id` int(10) DEFAULT NULL,
  `class` varchar(255) DEFAULT NULL,
  `fk_id` int(10) DEFAULT NULL,
  `alias` varchar(255) DEFAULT NULL,
  `lft` int(10) DEFAULT NULL,
  `rght` int(10) DEFAULT NULL,
  PRIMARY KEY (`id`)
);


DROP TABLE IF EXISTS `aros`;
CREATE TABLE `aros` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `parent_id` int(10) DEFAULT NULL,
  `class` varchar(255) DEFAULT NULL,
  `fk_id` int(10) DEFAULT NULL,
  `alias` varchar(255) DEFAULT NULL,
  `lft` int(10) DEFAULT NULL,
  `rght` int(10) DEFAULT NULL,
  PRIMARY KEY (`id`)
);


DROP TABLE IF EXISTS `permissions`;
CREATE TABLE `permissions` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `aro_id` int(10) NOT NULL,
  `aco_id` int(10) NOT NULL,
  `privileges` text,
  PRIMARY KEY (`id`)
);

Of course you need to adapt this schema according your own SQL database.

Once Acos and Aros are correctly defined (see test's fixtures for a better understanding of what Acos and Aros looks like).

You can add privileges:

Access::allow('acl', 'admin/max', 'controller/backend', ['read', 'create', 'update', 'delete']);
//or:
Access::allow('acl', 'admin/max', 'controller/backend', 'publish');
//or:
$user = User::find('first', ['username' => 'max']);
Access::allow('acl', $user, 'controller/backend', ['read', 'create', 'update', 'publish']);

You can remove privileges:

Access::deny('acl', 'user/joe', 'controller/backend', ['delete']);

Use Access::check() to check some privileges:

Access::check('acl', 'user/joe', 'controller/backend', ['delete']);

Or Access::get() for recovering all privileges for an Aro/Aco:

Access::get('acl', 'user/joe', 'controller/backend');

Greetings

The li3 team, Tom Maiaroto, Weluse, rich97, CakePHP's ACL, Pamela Anderson and all others which make that possible.

Build status

Build Status