The vmware-vdiskmanager.exe that comes with VMware Server can defrag and shrink your virtual drives.. But to make life easier check out these automated BAT files someones written to help out with the tasks. But remember not run this on VM’s that have snapshots!!

I’m involved in the development of a large web application (using Zend Framework) with many different types of entities inside! Some functions performed on these entities should be accessible to some users but not others… To make things more interesting users can assign other users with rights to these entities…

We’re going for a hands off user administration model where users register themselves, create things themselves, and give other users access to them.. THEMSELVES!

This article is Part 1 of many as I design and create a Zend Controller Plugin designed in simple terms to check if the user is allow to do whatever the hell they’re trying to do… I’d like to reuse it forever and a day though, so we need more functionality and flexibility…. My list of requirements goes on:

• Simplified everything - Can we use 1 line to kick off all ACL checks?
  No one likes having to include the ACL checking at the top of everything, and worse yet implicitly define what it is the page does, or who should access it… So we’ll require none of this!!
• Anonymous users should not be discriminated against!
  Anonymous users should be treated just like any other authenticated user - their access should be checked using the same process, and stored in the same manner! Examples of benefits:
  • Simplifies management the ‘anonymous user’ by using a normal role.
  • Logging (e.g. Ann performed this action) and metadata (e.g. updated by Ann) functions don’t need to cater for the irregularity of an ‘unknown’ user.
  • Explicit access to entities can checked/stored in the same way as normal users. For example - I want to make my Social networking profile publically viewable.

• Users should have generic roles!
  This means even though some users may not have implicit access to some entities, they can still have access! This is a more typically found smaller applications so definitely needs to be included.. Some example usage scenarios are:
  • Administrators - Access to everything!
  • Support staff - Application support staff may need to see ’stuff’; manage user accounts.
  • Moderators/Editors - Can approve anything/Can edit anything.
  • Anonymous - Allowed to see log in page.

• Users might have explicit privileges to supercede generic ones!
  This provides a way for use to either grant or restrict access to specific entities regardless of the users generic role. An example scenarios:
  • “Support staff” should b restricted from managing Administer accounts.
  • A user by default can’t edit ‘comments’, but can edit their own.

• Actions can depend on actions too!
  If a user has permission to perform a certain action, there may be other actions they should also have access to automatically. Example scenarios:
  • The ‘Register user’ action uses another action for AJAX validatio
  • The ‘Latest news’ action has an equivalent RSS/ATOM feed through another action

• Required ID checking for actions (soo not typically in scope, I know!)
  I need to explore this idea a little further (I’m not sure it will make the cut yet)… This typically wouldn’t be included in scope for a access control class! BUT… In this ACL model we’ll allow for checking if a user has access an perform an action on a specific entity. And we need to know the entity’s ID and what the entity is right?… So it seems only logically to store what actions REQUIRE what types of entity ID’s… Maybe we’ll go so far as to check they exist?

Assumptions

I’ll never have access requirements more specific than the action being requested!

Basically my ACL will define a users permission (ie. can access OR can’t access) to a specific action and its relationship with an entity if applicable. It will not be able to say a user can only partially see/run the action.

This will likely however still be achievable within this application itself. But it’s definitely outside of the scope of this particular Controller Plugin.

By ‘action’ I mean the standard route in Zend Framework (ie. Module/Controller/Action). So we’ll assume I’ll always be using it…

End note

Obviously every project always has unique requirements so I don’t anticipate what I’m working on will suit EVERYONE… But considering I’m designing this for maximum reused I would very much appreciate hearing the many weird and unique access control requirements you’ve encountered.

While I’m working on it I would like to incorporate the anything that is realistically reusable…

Having trouble with permissions to a file on Windows XP? So was I even though I was logged as an Administrator.. the same account which created the file.. the permissions hadn’t been modified.. Even worse the files locked were a virtual server I had spent days configuring!

The process to fix it was actually quite simple but took awhile to find:

1. Download SubInACL from Microsoft and install it.
2. Using notepad create a file in the SubInACL.exe directory called “reset.cmd”.
3. Paste the following commands in to this file then run it.

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
 
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

Without reading in to these commands too much I suspect I didn’t need to use them all. But I figured that the Administrators and Systems accounts should have access to everything right? The security conscious paranoid man in me now questions, but its too late so I’m suppressing the voice!

Version control (also known as Revision control or Source control) is the management of different versions of files. I don’t know how large development teams could survive without it! Typically they all have one thing in common they help multiple developers contribute to a single project using an central server.

But how can it help? Have you ever worked on a project with someone else and had your files overwrite your files? Or constantly had pop your head over the fence to say “I’m going to work on file abc.xyz, okay?“. Preventing this is the selling point for me!

Version control systems can achieve this in either of the following ways:

• Locking - The simplest style is locking a file so only one person can modify it at a time. A file is checked out by one person then later checked back in.
• Merging - The more productive method merges multiple versions together. This way two people can work on the one file at the same time merging their changes when finished.

I’m going to concentrate on merging although locking is not without it’s benefits. Regardless of your system you should be familiar with some techniques used. This includes the conventional directory structure:

/branches/
/tags/
/trunk/

Or if you choose to have multiple projects in the one version control project:

/project-1/branches/
/project-1/tags/
/project-1/trunk/
/project-2/branches/
/project-2/tags/
/project-2/trunk/

Each of these top level directories has a specific purpose:

• Trunk - Where you’ll find the main line of development. Which is basically the primary repository for your code!
• Branches - Can contain multiple branches, each once a copy of the trunk that has branched off into a separate line of development.
• Tags - Contains tagged (as in with a friendly name) copies of the trunk from a specific point in time. Primarily used for taking snap shots of your released versions.

Branches can be used in two ways in my opinion:

• a unique development line never intended to be merged with the trunk - an example being one client has unique needs not beneficial to others.
• a development line which is intended to be merged with the trunk, but requires significant work which might have caused disruptions to progress on the trunk.

Where and how you work depends on your project, development team and what you’re working on!! A branch could be used for each developer working on a separate component not yet ready to be placed in the trunk. Alternatively smaller teams maybe comfortable all working in the trunk directly.

The sequence diagram below shows how a user might create a branch of the trunk and continue to work on it until merging it back in to the trunk.

A good practice shown above, is to merge the trunk into the branch periodically. This makes the process of finally merging the branch into the trunk more manageable! Additionally you should do this again immediately before merging your branch into the main line of development once it’s complete…

There are a number of different systems, my preferred is Subversion (SVN) , another common one is Concurrent Versions System (CVS)… Here are some websites that helped me get my head around this:

• The Top Ten Subversion Tips for CVS Users
• Version Control with Subversion - Branching and Merging
• Revision control - Wikipedia

I’m reasonably new to this so… Please let me know if you’re aware of any corrections required to the above!

Currently Zend_Auth won’t work if you’re using a Micrsoft SQL Server database for storing your account credentials.

This is because of a bug in the \Zend\Auth\Adapter\DbTable.php specifically in the authenticate() function. The SQL Statement it generates is not MS SQL friendly:

SELECT "users".*, "credential" = 'mypass' AS zend_auth_credential_match
FROM "users"
WHERE ("identity" = 'me')

Consequently causing the following error:

Incorrect syntax near the keyword 'AS'.

The good news is the code below can be used as a replacement in this function until the Zend Framework team get a chance to fix it themselves. It has been tested in MS SQL 2005 but I imagine it should work well in another DB (but test this yourself and comment back!).

// build credential expression
if (empty($this->_credentialTreatment) || (strpos($this->_credentialTreatment, "?") === false)) {
    $this->_credentialTreatment = '?';
}
 
$credentialExpression = new Zend_Db_Expr(
    $this->_zendDb->quoteInto('(CASE WHEN '
        . $this->_zendDb->quoteIdentifier($this->_credentialColumn)
        . '=' . $this->_credentialTreatment, $this->_credential)
        . ' THEN 1 ELSE 0 END) '
        . ' AS ' . $this->_zendDb->quoteIdentifier('zend_auth_credential_match'));
 
// get select
$dbSelect = $this->_zendDb->select();
$dbSelect->from($this->_tableName, array('*', $credentialExpression))
         ->where($this->_zendDb->quoteIdentifier($this->_identityColumn) . ' = ?', $this->_identity);

The code above generates the following MS SQL friendly SQL statement:

SELECT "users".*, CASE WHEN "credential" = 'mypass' THEN 1 ELSE 0 END AS zend_auth_credential_match
FROM "users"
WHERE ("identity" = 'me')

There is an issue open with the team if you’re interested in reading it (and please vote for it to be resolved).