ACL implementation

Posted by Kirzilla on Stack Overflow See other posts from Stack Overflow or by Kirzilla
Published on 2010-08-07T11:11:02Z Indexed on 2012/03/24 17:29 UTC
Read the original article Hit count: 225

Filed under:
|
|
|

First question

Please, could you explain me how simpliest ACL could be implemented in MVC.

Here is the first approach of using Acl in Controller...

<?php
class MyController extends Controller {

  public function myMethod() {        
    //It is just abstract code
    $acl = new Acl();
    $acl->setController('MyController');
    $acl->setMethod('myMethod');
    $acl->getRole();
    if (!$acl->allowed()) die("You're not allowed to do it!");
    ...    
  }

}
?>

It is very bad approach, and it's minus is that we have to add Acl piece of code into each controller's method, but we don't need any additional dependencies!

Next approach is to make all controller's methods private and add ACL code into controller's __call method.

<?php
class MyController extends Controller {

  private function myMethod() {
    ...
  }

  public function __call($name, $params) {
    //It is just abstract code
    $acl = new Acl();
    $acl->setController(__CLASS__);
    $acl->setMethod($name);
    $acl->getRole();
    if (!$acl->allowed()) die("You're not allowed to do it!");
    ...   
  }

}
?>

It is better than previous code, but main minuses are...

  • All controller's methods should be private
  • We have to add ACL code into each controller's __call method.

The next approach is to put Acl code into parent Controller, but we still need to keep all child controller's methods private.

What is the solution? And what is the best practice? Where should I call Acl functions to decide allow or disallow method to be executed.

Second question

Second question is about getting role using Acl. Let's imagine that we have guests, users and user's friends. User have restricted access to viewing his profile that only friends can view it. All guests can't view this user's profile. So, here is the logic..

  • we have to ensure that method being called is profile
  • we have to detect owner of this profile
  • we have to detect is viewer is owner of this profile or no
  • we have to read restriction rules about this profile
  • we have to decide execute or not execute profile method

The main question is about detecting owner of profile. We can detect who is owner of profile only executing model's method $model->getOwner(), but Acl do not have access to model. How can we implement this?

I hope that my thoughts are clear. Sorry for my English.

Thank you.

© Stack Overflow or respective owner

Related posts about php

Related posts about mvc