I’m involved in the development of a large web application (using Zend Framework) with many different types of entities inside! Some functions performed on these entities should be accessible to some users but not others… To make things more interesting users can assign other users with rights to these entities…

We’re going for a hands off user administration model where users register themselves, create things themselves, and give other users access to them.. THEMSELVES!

This article is Part 1 of many as I design and create a Zend Controller Plugin designed in simple terms to check if the user is allow to do whatever the hell they’re trying to do… I’d like to reuse it forever and a day though, so we need more functionality and flexibility…. My list of requirements goes on:

• Simplified everything - Can we use 1 line to kick off all ACL checks?
  No one likes having to include the ACL checking at the top of everything, and worse yet implicitly define what it is the page does, or who should access it… So we’ll require none of this!!
• Anonymous users should not be discriminated against!
  Anonymous users should be treated just like any other authenticated user - their access should be checked using the same process, and stored in the same manner! Examples of benefits:
  • Simplifies management the ‘anonymous user’ by using a normal role.
  • Logging (e.g. Ann performed this action) and metadata (e.g. updated by Ann) functions don’t need to cater for the irregularity of an ‘unknown’ user.
  • Explicit access to entities can checked/stored in the same way as normal users. For example - I want to make my Social networking profile publically viewable.

• Users should have generic roles!
  This means even though some users may not have implicit access to some entities, they can still have access! This is a more typically found smaller applications so definitely needs to be included.. Some example usage scenarios are:
  • Administrators - Access to everything!
  • Support staff - Application support staff may need to see ’stuff’; manage user accounts.
  • Moderators/Editors - Can approve anything/Can edit anything.
  • Anonymous - Allowed to see log in page.

• Users might have explicit privileges to supercede generic ones!
  This provides a way for use to either grant or restrict access to specific entities regardless of the users generic role. An example scenarios:
  • “Support staff” should b restricted from managing Administer accounts.
  • A user by default can’t edit ‘comments’, but can edit their own.

• Actions can depend on actions too!
  If a user has permission to perform a certain action, there may be other actions they should also have access to automatically. Example scenarios:
  • The ‘Register user’ action uses another action for AJAX validatio
  • The ‘Latest news’ action has an equivalent RSS/ATOM feed through another action

• Required ID checking for actions (soo not typically in scope, I know!)
  I need to explore this idea a little further (I’m not sure it will make the cut yet)… This typically wouldn’t be included in scope for a access control class! BUT… In this ACL model we’ll allow for checking if a user has access an perform an action on a specific entity. And we need to know the entity’s ID and what the entity is right?… So it seems only logically to store what actions REQUIRE what types of entity ID’s… Maybe we’ll go so far as to check they exist?

Assumptions

I’ll never have access requirements more specific than the action being requested!

Basically my ACL will define a users permission (ie. can access OR can’t access) to a specific action and its relationship with an entity if applicable. It will not be able to say a user can only partially see/run the action.

This will likely however still be achievable within this application itself. But it’s definitely outside of the scope of this particular Controller Plugin.

By ‘action’ I mean the standard route in Zend Framework (ie. Module/Controller/Action). So we’ll assume I’ll always be using it…

End note

Obviously every project always has unique requirements so I don’t anticipate what I’m working on will suit EVERYONE… But considering I’m designing this for maximum reused I would very much appreciate hearing the many weird and unique access control requirements you’ve encountered.

While I’m working on it I would like to incorporate the anything that is realistically reusable…

Currently Zend_Auth won’t work if you’re using a Micrsoft SQL Server database for storing your account credentials.

This is because of a bug in the \Zend\Auth\Adapter\DbTable.php specifically in the authenticate() function. The SQL Statement it generates is not MS SQL friendly:

SELECT "users".*, "credential" = 'mypass' AS zend_auth_credential_match
FROM "users"
WHERE ("identity" = 'me')

Consequently causing the following error:

Incorrect syntax near the keyword 'AS'.

The good news is the code below can be used as a replacement in this function until the Zend Framework team get a chance to fix it themselves. It has been tested in MS SQL 2005 but I imagine it should work well in another DB (but test this yourself and comment back!).

// build credential expression
if (empty($this->_credentialTreatment) || (strpos($this->_credentialTreatment, "?") === false)) {
    $this->_credentialTreatment = '?';
}
 
$credentialExpression = new Zend_Db_Expr(
    $this->_zendDb->quoteInto('(CASE WHEN '
        . $this->_zendDb->quoteIdentifier($this->_credentialColumn)
        . '=' . $this->_credentialTreatment, $this->_credential)
        . ' THEN 1 ELSE 0 END) '
        . ' AS ' . $this->_zendDb->quoteIdentifier('zend_auth_credential_match'));
 
// get select
$dbSelect = $this->_zendDb->select();
$dbSelect->from($this->_tableName, array('*', $credentialExpression))
         ->where($this->_zendDb->quoteIdentifier($this->_identityColumn) . ' = ?', $this->_identity);

The code above generates the following MS SQL friendly SQL statement:

SELECT "users".*, CASE WHEN "credential" = 'mypass' THEN 1 ELSE 0 END AS zend_auth_credential_match
FROM "users"
WHERE ("identity" = 'me')

There is an issue open with the team if you’re interested in reading it (and please vote for it to be resolved).

There’s a lot of buzz with Frameworks and Libraries these days, and rightly so, without them some projects I’ve worked on would still be under construction!!! Developing with frameworks and libraries will save you time in both development and testing.

The abundance of functionality some provide often mean you’ll end up with a better end product. Not all clients can afford the time and money required to have developers work from the ground up. With the benefits of useful frameworks/libraries your clients will get more than they wanted for less than you quoted (or you could keep the float).

I could go on for hours listing examples I’ve played with over the years, but some of my personal favourites are:

Zend Framework
http://framework.zend.com

The leading open-source PHP framework has a flexible architecture that lets you easily build modern web applications and web services.

Yahoo! User Interface Library (YUI)
http://developer.yahoo.com/yui/

a set of utilities and controls, written in JavaScript, for building richly interactive web applications using techniques such as DOM scripting, DHTML and AJAX. The YUI Library also includes several core CSS resources.

jQuery
http://jquery.com/

jQuery is a fast, concise, JavaScript Library that simplifies how you traverse HTML documents, handle events, perform animations, and add Ajax interactions to your web pages. jQuery is designed to change the way that you write JavaScript.

I realise there is a great deal more I could and should be listing here… and probably some much better?! Please leave a comment I’ve love to here your favorites… and I’ll try include them in future posts!