Rosario Carvello edited this page Nov 10, 2018 · 35 revisions

WebMVC uses a user role-based security model known as RBAC, "Role Based Access Control".
RBAC establishes that:

a) Each system user must be authenticated, identified and assigned to an application role (e.g. admin, user, power user and so on).
b) After logging in, a user can access only the web pages that were designed to be restricted to its own role.
c) Roles can also restrict database record operations, such as select, insert, update or delete.

WebMVC lets you implement a), b) and c) by providing services for:

  1. Defining and creating the database tables that store users, credentials, roles, and the assignment of a role to users.
  2. Implementing a login mechanism for authenticating and identifying users.
  3. Implementing a mechanism that restricts the execution of a given controller to authenticated users and/or to users holding the appropriate role.
  4. Limiting database record operations depending on the user role.

Database tables for storing users, credentials, roles, and the assignment of a role to users.

You can use the sql\rbac.sql script to create these tables automatically. The generated tables also contain sample data for users and roles. A user's credentials are its email and password; the password is optionally stored as an md5 one-way hash. For the sample data, all md5 passwords are equal to "password". These tables define the RBAC design that the framework uses automatically. Specifically, the framework/User.php class uses these tables and their data to implement the following methods, which you can/must use while developing your MVC classes to manage user authentication, login, logout and so on (read the comments):

First of all, the "getter" methods:

```php
<?php

    /**
     * Gets the user id. The id is the primary key
     *
     * @return int
     */
    public function getId()

    /**
     * Gets the user email. Used as credential
     *
     * @return string
     */
    public function getEmail()

    /**
     * Gets the user password. Used as credential
     *
     * @return string (optionally hashed with md5)
     */
    public function getPassword()

    /**
     * Gets the user role
     *
     * @return int The number identifying the user role
     */
    public function getRole()
```

Here are some useful methods to manage user login and logout:

```php
<?php

    /**
     * Logs the user in
     *
     * @param string $email User email
     * @param string $password User password
     * @return bool true if login ok, else false
     */
    public function login($email, $password)

    /**
     * Logs the user out
     *
     * @return bool always true
     */
    public function logout()

    /**
     * Checks if the user is logged in
     *
     * @return bool True or False
     */
    public function isLogged()

    /**
     * Checks if the user is logged in. If not, it redirects.
     *
     * @param null|string $redirect
     *                The Controller URL to redirect to when the user is not logged in.
     *                If null it automatically redirects to the default login page.
     * @param null|string $returnLink
     *                The return link used for redirecting after a successful login.
     *                If null it will be the default login page.
     * @param null|string $LoginWarningMessage
     *                A custom warning message to show when login fails.
     *                If null a default message is used.
     *
     */
    public function checkForLogin($redirect = null, $returnLink = null, $LoginWarningMessage = null)

    /**
     * Auto login by using cookies
     * Note:
     * It uses the ChiperService class to decrypt the cookie
     *
     * @uses ChiperService
     *
     */
    public function autoLoginFromCookies()
```
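As an added example (not part of the framework or of this page's original code), here is an access gate that combines checkForLogin(), isLogged() and getRole() from the User class with the ADMIN_ROLE_ID constant from config/security.config.php to protect a controller action. The include paths, a parameterless User constructor, the return link and the `requireRole` helper name are assumptions.

```php
<?php
// Added example: gate a controller action by authentication and role.
// Paths and the parameterless User constructor are assumptions.
require_once __DIR__ . '/config/security.config.php';
require_once __DIR__ . '/framework/User.php';

/**
 * Ensures the current user is logged in and holds one of the allowed roles.
 * Anonymous users are redirected by checkForLogin(); logged-in users whose
 * role is not allowed receive a 403 and the action never runs.
 *
 * @param User  $user         The framework User instance
 * @param int[] $allowedRoles Role ids (from USER_ROLE) allowed to run the action
 */
function requireRole(User $user, array $allowedRoles): void
{
    // Step 1: authentication. Redirects to the default login page (first
    // argument null) and returns to this controller after a successful login.
    $user->checkForLogin(null, '/admin/users', 'Please log in to manage users');

    // Step 2: authorisation. Re-check the session in case checkForLogin()
    // returned instead of exiting, then compare role ids server-side.
    // getRole() is documented as int, but the DB driver may hand back a
    // string, so cast before the strict comparison.
    if (!$user->isLogged() || !in_array((int) $user->getRole(), $allowedRoles, true)) {
        http_response_code(403);
        exit('Forbidden: your role is not allowed to access this page.');
    }
}

// Usage at the top of an admin-only controller action (assumed constructor).
$user = new User();
requireRole($user, [ADMIN_ROLE_ID]);
// ... the rest of the action runs only for an authenticated administrator.
```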

If you want to use your own tables to store and manage users and roles, you need to instruct WebMVC on how to retrieve that information. In this case, modify the file config/security.config.php:

```php
<?php

/**
 * security.config.php
 *
 * Main application security configuration parameters.
 * You can change these values according to your security
 * MySQL environment or Chiper preferences
 */

/**
 * Defines the constants for the MySQL database User table.
 * Class User uses this information.
 */

/**
 *  Constant for the User MySQL Table
 */
define("USER_TABLE","user");

/**
 *  Defines a constant for the INT Primary Key field of the User MySQL Table
 */
define("USER_ID","id_user");

/**
 *  Defines a constant for the UNIQUE email field of the User MySQL Table
 *  Email is used as credential
 */
define("USER_EMAIL","email");

/**
 *  Defines a constant for the password field of the User MySQL Table
 *  Password is used as credential
 */
define("USER_PASSWORD","password");

/**
 *  Defines a constant for the role field of the User MySQL Table
 *  The user role defines the access level criteria managed by the RBAC Engine
 */
define('USER_ROLE', 'id_access_level');

/**
 *  Defines a constant for the Administrator role id
 *
 */
define('ADMIN_ROLE_ID', 100);

/**
 *  Defines a constant for the enable field of the User MySQL Table
 *  The user enable field can temporarily disable users.
 *  Leave the value of USER_ENABLED blank if you don't want to manage the enabling/disabling of users.
 *  Note: the User enable database field value must be 1 or -1
 */
define('USER_ENABLED', 'enabled');
```