Update:Remora Permissions: Difference between revisions

Latest revision as of 00:06, 29 April 2007


Backdrop

We tried to use db_acl, but the implementation meant too much overhead for our relatively simple requirements. Mainly we wanted to lock down access by group/role. We opted to go with the 33 lines of magic approach which is simpler by design and was shaver's first preferred choice. Read the blog to see why it can get the job done even if it isn't completely normalized and abstracted.

See also: AMO User Groups

Permissions

Permissions are written as a comma-delimited list of Controller:action entries in either User.rules or Group.rules. Examples would be:

// Grants access to all Users and Groups controller actions.
Users:*,Groups:*

// Grants access to all possible controllers and actions.
*:*

// Grants access to only Reviewers controller actions.
Reviewers:*

// Grants access to only review adding.
Reviews:add

Our implementation deviates from the 33 lines of magic approach in two ways:

  • aclException checks
  • user->group map is a many-to-many relationship using a map table instead of a simple group_id injected into the users table

Using Permissions in Controllers

Since ACLs are turned on from app_controller you pick up permissions for free based on Controller:action. For example, if you're in the Images controller and you're adding an image with the add() action, SimpleAcl will just check group and user permissions for Images:add automatically and deny the user access if it fails.

You can also do a manual check using the SimpleAcl component. If you want to use it for display logic or some other case that requires an explicit check, use this method:

// Check to see if the user has access to the entire Reviewers controller.
if ($this->SimpleAcl->actionAllowed('Reviewers','*')) {
    // Do something
}
// Check to see if the user has access to ANY action in the Reviewers controller.
if ($this->SimpleAcl->actionAllowed('Reviewers', '%')) {
    // Do something
}

Normally this would be done in an action. I was not able to use this in a beforeFilter, because that would access member variables and functions not yet loaded.

  • Fligtar 03:33, 30 March 2007 (PDT) If you want to use this in beforeFilter, just add this:
       $this->SimpleAuth->startup($this);
       $this->SimpleAcl->startup($this);

Disabling Permissions in Controllers

SimpleAcl and SimpleAuth are instantiated in the app_controller, which means they are loaded for all controllers by default. This means:

  • New controller actions will be locked down by default
  • You have to open them up explicitly, in one of two ways

Add the desired action to aclException in your controller:

// Lets the world (even non-logged in users) access view and edit.
var $aclException = array('view','edit');

Disable ACL checking for the entire controller:

// Disables all ACL checking for the entire controller.
// The controller then has to do its own login/ownership checks where needed.
function beforeFilter() {
    $this->SimpleAuth->enabled = false;
    $this->SimpleAcl->enabled = false;
}
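
The rule format from Permissions, the '*' and '%' checks from Using Permissions in Controllers, and the aclException bypass can be modelled in one stand-alone function. This is an added example, not the project's SimpleAcl code; parseRules, the $ruleSets layout and the exact matching semantics are assumptions.

```php
<?php
// Added illustration, NOT the project's SimpleAcl component. Assumptions:
// case-sensitive matching, no deny rules, malformed rules are ignored.

/** Split a comma-delimited rules string into [controller, action] pairs. */
function parseRules(string $rules): array
{
    $pairs = [];
    foreach (explode(',', $rules) as $rule) {
        $parts = explode(':', trim($rule));
        if (count($parts) === 2 && $parts[0] !== '' && $parts[1] !== '') {
            $pairs[] = $parts;
        }
    }
    return $pairs;
}

/**
 * $ruleSets: the user's rules string plus one per group (many-to-many map).
 * $action: a real action, '*' (needs a whole-controller grant) or
 * '%' (any grant on that controller is enough).
 */
function actionAllowed(array $ruleSets, string $controller, string $action,
                       array $aclException = []): bool
{
    if (in_array($action, $aclException, true)) {
        return true; // aclException actions are open to everyone
    }
    foreach ($ruleSets as $rules) {
        foreach (parseRules($rules) as [$c, $a]) {
            if ($c !== '*' && $c !== $controller) {
                continue;
            }
            if ($action === '%' || $a === '*' || $a === $action) {
                return true;
            }
        }
    }
    return false; // nothing matched: default deny
}

// Constructed sample: empty User.rules plus the rules of two groups.
$ruleSets = ['', 'Reviews:add', 'Reviewers:*'];
$checks = [['Reviews', 'add'], ['Reviews', 'delete'], ['Reviews', '%'],
           ['Reviews', '*'], ['Reviewers', '*'], ['Groups', 'index']];
foreach ($checks as [$c, $a]) {
    $verdict = actionAllowed($ruleSets, $c, $a) ? 'allow' : 'deny';
    printf("%-9s %-6s %s\n", $c, $a, $verdict);
}
```

With these rules a single-action grant such as Reviews:add satisfies a '%' check but not a '*' check, which is the difference to keep in mind when using the manual check for display logic.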

Controller Notepad

Controllers, actions and their permissions.

  • addons_controller -- all public -- used enabled=false
    • display
    • browse
    • home
    • browse
    • recommended
    • policy
    • previews
    • versions
    • rss
  • developers_controller -- all private (Users) -- used enabled=false, checking defaults to existing login/ownership check
    • index
    • summary
    • details
    • add
    • edit
    • editVersion
    • nominate
    • authorLookup
  • downloads_controller -- all public -- used enabled=false
    • file
  • editors_controller -- all private (Editors) -- added Editors:* to Editors group permissions
    • index
    • queue
    • review
    • file
  • favorites_controller -- (empty)
  • features_controller -- (empty)
  • files_controller -- all public -- used enabled=false
  • groups_controller -- all private (Admins) -- added by *:* for admins
    • index
    • add
    • edit
    • delete
  • images_controller -- all public -- used enabled=false
    • setImage ...should not be an action?
    • addon_icon
    • addon_preview
    • application_icon
    • platform_icon
    • preview_thumb
    • preview
  • legacy_url_controller -- all public -- used enabled=false
    • addonId
    • authorId
  • pages_controller -- all public -- used enabled=false
    • display
  • previews_controller -- all private (Users) -- defer to login check and ownership check, enabled=false
    • add
    • edit
  • reviews_controller -- used enabled=false
    • display -- public
    • add -- Users only
  • search_controller -- all public -- used enabled=false
    • index
    • rss
  • users_controller -- used enabled=false
    • index
    • register
    • verify
    • pwreset
    • login
    • logout
    • edit -- Users only
    • info
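
Because most controllers in the notepad opt out with enabled=false, it helps to be able to list the opt-outs straight from the source. This added example (not project code) scans controller source for the two mechanisms from Disabling Permissions in Controllers; auditController, the file names and the sample sources are hypothetical.

```php
<?php
// Added illustration, not project code. The sources below are constructed
// samples; a real audit would read each controller file from disk.

/** Report how one controller's source opts out of SimpleAuth/SimpleAcl. */
function auditController(string $source): array
{
    $report = ['auth_off' => false, 'acl_off' => false, 'exceptions' => []];
    $flags = ['SimpleAuth' => 'auth_off', 'SimpleAcl' => 'acl_off'];
    foreach ($flags as $component => $key) {
        // e.g. $this->SimpleAcl->enabled=false; (spaces optional)
        $re = '/\$this->' . $component . '->enabled\s*=\s*false\b/i';
        $report[$key] = preg_match($re, $source) === 1;
    }
    // e.g. var $aclException = array('view','edit');
    if (preg_match('/\$aclException\s*=\s*array\s*\(([^)]*)\)/', $source, $m)) {
        preg_match_all('/[\'"]([^\'"]+)[\'"]/', $m[1], $names);
        $report['exceptions'] = $names[1];
    }
    return $report;
}

$wholeController = <<<'SRC'
function beforeFilter() {
    $this->SimpleAuth->enabled=false;
    $this->SimpleAcl->enabled=false;
}
SRC;
$samples = [
    'pages_controller.php'   => $wholeController,
    'example_controller.php' => "var \$aclException = array('view','edit');",
    'editors_controller.php' => 'function index() { }',
];
foreach ($samples as $file => $source) {
    $r = auditController($source);
    if ($r['auth_off'] || $r['acl_off']) {
        echo "$file: ACL/auth checks off for the whole controller\n";
    } elseif ($r['exceptions']) {
        echo "$file: open to everyone: ", implode(', ', $r['exceptions']), "\n";
    } else {
        echo "$file: default deny, access comes from rules only\n";
    }
}
```

A regex scan also matches commented-out code, so treat each hit as a lead to review against the notepad rather than as proof.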