2. Who am I ?
3. Owner of Cu.be Solutions (http://cu.be) 4. PHP developer since 1997 5. Developer of OpenX 6. Zend Certified Engineer 7. Zend Framework Certified Engineer 8. MySQL Certified Developer 9. Talking about...
Auditing
Authorization
10. Authorization
11. What's a resource ?
12. Webpage 13. Database / table / row 14. ... 15. Standard ACL
16. Privileges are grouped together in roles 17. 2 types of roles:
18. Registered / Known 19. Within Zend Framework : Zend_Acl
20. Uses standard role, resource principles 21. Zend_Acl : the good
22. No link to specific backend 23. Allow + deny 24. Proven, tested 25. Zend_Acl : the bad & ugly
26. Performance issues 27. All rules are in-code 28. -> maintainability becomes an issue 29. Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'member' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'member' ,'report' ); 30. Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); 31. 
Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_senior_staff' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_marketing' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->addResource( newZend_Acl_Resource( 'newsletter' )); $acl->addResource( newZend_Acl_Resource( 'photo' )); $acl->addResource( newZend_Acl_Resource( 'faq' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); 32. 
Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_senior_staff' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_marketing' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'cook' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->addResource( newZend_Acl_Resource( 'newsletter' )); $acl->addResource( newZend_Acl_Resource( 'photo' )); $acl->addResource( newZend_Acl_Resource( 'faq' )); $acl->addResource( newZend_Acl_Resource( 'invoicing' )); $acl->addResource( newZend_Acl_Resource( 'stats' )); $acl->addResource( newZend_Acl_Resource( 'lunchmenu' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('cook', 'lunchmenu', 'edit'); $acl->allow('member', 'lunchmenu', 'view'); $acl->allow('accounting', 'invoicing', 'edit'); $acl->allow('admin', 'invoicing', 'edit'); $acl->allow('departmentC_senior_staff', 'invoicing', 'report'); 
33. Evolution of a portal $acl =newZend_Acl(); $acl->addRole( newZend_Acl_Role( 'guest' )); $acl->addRole( newZend_Acl_Role( 'departmentA' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentB' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_senior_staff' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'departmentC_marketing' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'cook' ),'guest' ); $acl->addRole( newZend_Acl_Role( 'admin' ),'member' ); $acl->addResource( newZend_Acl_Resource( 'cms' )); $acl->addResource( newZend_Acl_Resource( 'report' )); $acl->addResource( newZend_Acl_Resource( 'newsletter' )); $acl->addResource( newZend_Acl_Resource( 'photo' )); $acl->addResource( newZend_Acl_Resource( 'faq' )); $acl->addResource( newZend_Acl_Resource( 'invoicing' )); $acl->addResource( newZend_Acl_Resource( 'stats' )); $acl->addResource( newZend_Acl_Resource( 'lunchmenu' )); $acl->allow( 'guest' ,'cms' ,'view' ); $acl->allow( 'admin' ,'cms' ,'edit' ); $acl->deny( 'guest' ,'report' ); $acl->allow( 'departmentA' ,'report' ); $acl->deny('departmentC_senior_staff', 'newsletter'); $acl->allow('departmentC_marketing', 'newsletter'); $acl->allow('member', 'photo', 'view'); $acl->allow('departmentC_marketing', 'photo', 'upload'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('admin', 'photo', 'delete'); $acl->allow('guest', 'faq', 'view'); $acl->allow('member', 'faq', 'comment'); $acl->allow('departmentA', 'faq', 'edit'); $acl->allow('departmentC_senior_staff', 'faq', 'edit'); $acl->allow('admin', 'faq', 'edit'); $acl->allow('cook', 'lunchmenu', 'edit'); $acl->allow('member', 'lunchmenu', 'view'); $acl->allow('accounting', 'invoicing', 'edit'); $acl->allow('admin', 'invoicing', 'edit'); $acl->allow('departmentC_senior_staff', 'invoicing', 
'report'); 34. Hard to ...
35. keep track of the rules 36. debug the rules (in the later snippets above, 'member' and 'accounting' receive privileges but are no longer registered with addRole(), and several faq/photo rules are declared twice) 37. Possible solution : database
38. Good : no code changes required 39. Bad : more load on DB 40. A different approach
41. Uses database, but... 42. Additional caching layer 43. ZF Conventional Modular Directory Structure 44. Backend interface for easy management 45. Different resources
// Register the "cms" resource, then grant guests the "view" privilege and
// admins the "edit" privilege on it. addResource() and allow() return the
// Zend_Acl instance itself (fluent interface), so the three calls chain.
$acl->addResource(new Zend_Acl_Resource('cms'))
    ->allow('guest', 'cms', 'view')
    ->allow('admin', 'cms', 'edit');
46. Action : view / edit Why not integrate with the request itself ? 47. Controller plugins 48. Zend_Acl as a controller plugin