Simplified and manageable ACL implementation in cakephp

0
votes

I went through complete lesson on cakephp's ACL component, but gigantic ACL component do not seem to meet my very simple requirements.

I have only group based access control, three groups are users, managers and administrators the fourth is a anonymous users without logins for which I am not creating any group.

from acl concept it creates three table

aros -> this looks somewhat redundant data copied from groups table, I dont even need to have a group table but just field group_id in users table.

acos -> this is a list of public methods in controllers, I had to use AclExtra plugin to populate over 250+ actions in table, now this is the part which I think un-manageable, I noticed that tool used to populate acos table cannot reliably sync everytime when I do changes in controllers, the same work must be done at remote site for each changes that means terrible thing! this also mean i have to have a database backup during updates and migration.

Other side if I use php file based acos that is again un-manageable because we have to make sure syncing between controller and acl file.

aros_acos -> obviously

can we have a simpler mechanism something like i deny all actions using Auth component and then inside each action or maybe in beforeRender method i can specify what methods are open to what group ?

Thanks

1
cakephpacl
If you only need simple group based access, dont even touch ACL. It's overhead in that case - use a simple approach such as tiny instead. - mark
@mark yes i have realized this is not for this case, instead of helping it will become cumbersome i guess its for be ultra size complex portals - duckduckgo

1 Answers

1
votes

There is an undocumented acl class PhpAcl it is much simpler to use than then the database driven ACL and more dynamic than the ini bassed ACL.

In Config/core.php

/**
 * The class name and database used in CakePHP's
 * access control lists.
 */
Configure::write('Acl.classname', 'PhpAcl');
// Configure::write('Acl.database', 'default');

This tells your ACL to use the PhpAcl

Then open up Config/acl.php

There are some good instructions there

Assumptions:

  1. In your application you created a User model with the following properties: username, group_id, password, email, firstname, lastname and so on.
  2. You configured AuthComponent to authorize actions via $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)

Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete) that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be done via a call to Acl->check() with

array('User' => array('username' => 'jeff', 'group_id' => 4, ...))

as ARO and

'/controllers/invoices/delete'

as ACO.

I wanted to use static names for Groups or Roles so you can add a role field to your user table, and then set up the $map like this:

 **
 * The role map defines how to resolve the user record from your application
 * to the roles you defined in the roles configuration.
 */
$config['map'] = array(
    'User' => 'User/username',
    'Role' => 'User/role',
);

For my app we aren't using user based permissions only role, so we could remove the User from the $map.

Then you need to set up some roles:

/**
 * role configuration
 */
$config['roles'] = array(
    'Role/admin' => null,
);

Any role not in this array will get 'Role/default'

Now just set up your permissions, they are pretty self explanatory.

/**
 * rule configuration
 */
$config['rules'] = array(
    'allow' => array(
        '*' => 'Role/admin',
        'controllers/Reports/*' => 'Role/default',
        'controllers/EurRates/*' => 'Role/default',
        'controllers/Posts/index' => 'Role/default',
        'controllers/Users/(edit|index)' => 'Role/default',
    ),
    'deny' => array(
        'controllers/ProtectedController/*' => 'Role/default',
        'controllers/EurRates/(edit|add|delete)' => 'Role/default',
        'controllers/Reports/(edit|add|delete)' => 'Role/default',
        ),
);

That's it, now you can allow or deny permission to actions based on role.