Role based access control - correct MVC pattern

Question

I started using the MVC pattern a half year ago, and I still have some misunderstandings.

Now I want to implement a role based access control in my application. However, my question is not about RBAC, it is about MVC.

My implementation of RBAC is this: user->role->permission so every user (ex. userA) can have many roles (ex. reader, editor, admin), and every role can have many permissions (read, update, delete, etc.).

MySQL tables

• users (list of users)
• roles (list of roles)
• permissions (list of permission)
• roles_permissions (list of roles->permissions connections. ex. editor->update)
• users_roles (list of users->roles connections. ex. userA->editor)

Now my question is How should I implement this in MVC? Have a separate model for: users, roles, permissions, roles_permissions, users_roles, than have an authManager class that creates users, roles, permission, roles_permissions, and user_roles? Is this way correct? Is there a better, maybe more elegant way?

Answer 1

Basically I'd stick with one of many already existing Kohana ACL libraries instead of writing your own (or at least try them to see if they fit to your needs).

You may want to check this thread (Wouter A1, A2 and ACL modules) - http://forum.kohanaframework.org/discussion/1988/releases-a1-authentication-acl-acl-for-kohana-a2-object-level-authorization/p1
It's being constantly updated and maintained and it's available for 3.2 version as well.

If you feel Wouter modules are complicated, you can also check Vendo ACL module which is very simple and removes a lot of complications - https://github.com/vendo/acl
Examples how to use it - http://forum.kohanaframework.org/discussion/9517/getting-started-with-vendo-acl/p1

Answer 2

You'll typically want to use an ACL library/class for this since it's ACL you are describing. I don't know Kohana but from a quick google i've found this Kohana ACL library. https://github.com/synapsestudios/kohana-acl

But basically you'll indeed need models to manage your separate entities in the ACL libraries like users, roles and permissions. Then talk to the ACL-api in your controllers or other libraries to determine access to particular parts of your app.

Answer 3

I'm copy/pasting the code of KohanaPHP's main application controller assuming that we have Zend_ACL already included.

Please note I have user-based permissions, not group-based one... Though this can be easily edited.

<?php

defined('SYSPATH') OR exit('No direct script access.');

class Controller_Application extends Controller_Template
{

    protected static $acl;
    public $template = 'default';

    public function before()
    {
        parent::before();
        session_start();
        self::$acl = new Zend_Acl();
        $this->set_permissions($_SESSION['userid']);
    }

    protected function check_access($resource, $privilege, $redirect = TRUE)
    {
        $permission = (self::$acl->has($resource) AND self::$acl->isAllowed($_SESSION['userid'], $resource, $privilege));
        if (!$permission AND $redirect)
            $this->request->redirect('user/denied');
        elseif (!$permission AND !$redirect)
            return FALSE;
        elseif ($permission AND !$redirect)
            return TRUE;
    }

    protected function set_permissions($user_id)
    {
        $result = DB::select()
            ->from('permissions')
            ->where('user_id', '=', $user_id)
            ->execute()
            ->as_array();
        self::$acl->addRole(new Zend_Acl_Role($user_id));
        foreach ($result AS $permission)
        {
            if (!self::$acl->has($permission['resource']))
                self::$acl->add(new Zend_Acl_Resource($permission['resource']));
            self::$acl->allow($user_id, $permission['resource'], $permission['privilege']);
        }
    }
}

?>

Then I check access in controllers like this: $this->check_access('events', 'add');.

Answer 4

I know the trail is cold, but a new project has popped up :

PHP-RBAC is a PHP Hierarchical NIST Level 2 Standard Role Based Access Control and is pretty mature. It is also an OWASP project.

I hope you enjoy it at http://phprbac.net

it is used in jframework in a way that is the standard way of incorporating RBAC in a MVC pattern.