DbAcl package for FuelPHP

Description

DbAcl extends Fuel's standard Auth package, providing a more complex ACL stored entirely in the database.

Features

  • Separate role sets for every namespace
  • Multiple permissions per user
  • Multiple groups per user
  • Multiple permissions per group

Installation

  • Make sure the Auth package is configured and working
  • Clone / download DbAcl into PKGPATH/dbacl/
  • Copy the config file PKGPATH/dbacl/config/dbacl.php into the APPPATH/config/ directory and edit it as you wish
  • Load DbAcl
    • by adding DbAcl to the always_load array inside your application config.php

      'always_load' => array(
          'packages' => array(
              'auth',
              'dbacl',
          ),
      ),

    • by replacing the auth package in the always_load array (DbAcl will load it automatically)

      'always_load' => array(
          'packages' => array(
              'dbacl',
          ),
      ),

    • or using the Package class

      \Package::load('dbacl');

  • Create the required database tables
    • using migrations with oil

      php oil refine migrate:up --packages=dbacl

    • or manually importing shema.sql

Configuration

Apart from the obvious settings, you can decide which users are treated as superusers, with access to anything without even checking whether the resource / role exists. In this example, users with ID 1 and 2 have access to anything with no further checks:

'superusers' => array(1, 2),

Never insert 0 here if you have guest_login enabled: the ID of the guest is 0, so every visitor who is not logged in would be treated as a superuser.

Usage

For now DbAcl has only one static method, which checks the access of the currently logged-in user:

bool DbAcl::has_access(string $class_name, string $method_name, string $role_name)

Parameters

| Param | Description |
|---|---|
| $class_name | name of the class with its namespace (useful with HMVC modules); when no namespace is provided, Main\ will be used |
| $method_name | name of the method that we check access to |
| $role_name | name of the role that we require; the role has to be defined inside the namespace |

if (DbAcl::has_access('Module\\Controller_Settings', 'save', 'test1'))
{
	//user has access to Module\Controller_Settings::save() with role "test1"
}
else
{
	//sorry
}

Definitions

Role

Every role is assigned to a namespace and can be used only under that specific namespace. Roles with the same name but under different namespaces are NOT equal.

//role "test1" is defined and user has access
var_dump(DbAcl::has_access('Module\\Settings', 'save', 'test1'));
//role "test1" is not defined under this namespace
var_dump(DbAcl::has_access('Main\\Example', 'index', 'test1'));
bool(true)
bool(false)

Resource

A resource is one method inside one class under one namespace.

Permission

A permission stores information about

  • User / group it belongs to
  • Resource that access is being granted to
  • Role under which access is allowed

Each piece of information is stored as the ID of a row in its own table and must point to an existing row, or the has_access method will return false.

How to...

...create new role?

Every namespace needs to define its own set of rules. One of the first things the has_access method does is check whether the given role exists under the given namespace. Creating a new role is just a simple insert:

list($insert_id, $rows_affected) = \DB::insert('dbacl_role')
		->columns(array('namespace', 'name'))
		->values(array('Main\\', 'make_magic'))
		->execute();

...create new group?

As with creating a new role, this is a single insert:

list($insert_id, $rows_affected) = \DB::insert('dbacl_group')
		->columns(array('name'))
		->values(array('VIPs'))
		->execute();

...create new resource?

Another simple insert:

list($insert_id, $rows_affected) = \DB::insert('dbacl_resource')
		->columns(array('namespace', 'class', 'method'))
		->values(array('Main\\', 'Controller_Admin', 'dashboard'))
		->execute();

...add new access permission to group?

First we need to get the required IDs from the database:

  • ID of the group that we want to add the permission to
  • ID of the resource which we give access to
  • ID of the role

Then just insert them into the group_permission table:

list($insert_id, $rows_affected) = \DB::insert('dbacl_group_permission')
		->columns(array('group_id', 'resource_id', 'role_id'))
		->values(array($group_id, $resource_id, $role_id))
		->execute();
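
The lookup-then-insert procedure above as one helper, added here as an example and not part of the DbAcl package: it resolves the three IDs and refuses to insert when any of them is missing, since has_access returns false for permissions that point at non-existent rows. The function names and the `id` column name are assumptions; the code is meant to run inside a bootstrapped FuelPHP application (a controller or an oil task).

```php
<?php
// Added example, not DbAcl's own code. Assumes every dbacl_* table has an
// auto-increment `id` column (the README only says rows are referenced by ID).

/** Return the id of the first row matching $where, or null when there is none. */
function dbacl_find_id($table, array $where)
{
	$query = \DB::select('id')->from($table);
	foreach ($where as $column => $value)
	{
		$query->where($column, '=', $value);
	}
	return $query->limit(1)->execute()->get('id');
}

/**
 * Grant role $role on the resource $class::$method under $namespace to the
 * group named $group. Throws instead of inserting when a referenced row is missing.
 */
function dbacl_grant_to_group($group, $namespace, $class, $method, $role)
{
	$group_id    = dbacl_find_id('dbacl_group', array('name' => $group));
	$resource_id = dbacl_find_id('dbacl_resource', array(
		'namespace' => $namespace, 'class' => $class, 'method' => $method,
	));
	// Roles are namespace-scoped, so the role is looked up only under the
	// resource's namespace; a same-named role elsewhere must not match.
	$role_id = dbacl_find_id('dbacl_role', array('namespace' => $namespace, 'name' => $role));

	foreach (compact('group_id', 'resource_id', 'role_id') as $what => $id)
	{
		if ($id === null)
		{
			throw new \InvalidArgumentException("Cannot grant permission: $what not found");
		}
	}

	list($insert_id, $rows_affected) = \DB::insert('dbacl_group_permission')
		->columns(array('group_id', 'resource_id', 'role_id'))
		->values(array($group_id, $resource_id, $role_id))
		->execute();

	return $insert_id;
}

// Usage with the rows created in the sections above:
// dbacl_grant_to_group('VIPs', 'Main\\', 'Controller_Admin', 'dashboard', 'make_magic');
```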

...add new access permission directly to user?

As with adding a permission to a group, we need to make a database insert; the only difference is user_id instead of group_id and, of course, a different table is used:

list($insert_id, $rows_affected) = \DB::insert('dbacl_user_permission')
		->columns(array('user_id', 'resource_id', 'role_id'))
		->values(array($user_id, $resource_id, $role_id))
		->execute();