I am looking into making a correctly laid out MVC Auth/ACL system. I think I want the authentication of a user (and the session handling) to be separate from the ACL system. (I don't know why but this seems a good idea from the things I've read.)
What does MVC have to do with this question, you ask? Because I wish for the application to be well integrated with my ACL. An example of a controller (CodeIgniter):
<?php
class forums extends MX_Controller
{
    // class properties need a visibility keyword
    public $allowed = array('users', 'admin');
    public $need_login = true;

    function __construct()
    {
        // CodeIgniter controllers must call the parent constructor, otherwise $this->auth is never loaded
        parent::__construct();

        //example of checking if logged in.
        if ($this->auth->logged_in() && $this->auth->is_admin())
        {
            echo "you're logged in!";
        }
    }

    public function add_topic()
    {
        if ($this->auth->allowed('add_topic'))   // closing parenthesis was missing
        {
            //some add topic things.
        }
        else
        {
            echo 'not allowed to add topic';
        }
    }
}
?>
My thoughts: $this->auth would be autoloaded in the system. I would like to check the $allowed array against the user currently (not) logged in and react accordingly.
Is this a good way of doing things? I haven't seen much literature on MVC integration and Auth. I want to make things as easy as possible.
2 Answers
My approach within Zend Framework has been to have a base class of SecureController which all controllers that require authentication must extend. In the SecureController I have a pre-dispatch authentication check for whether a user is logged in else forward to the login page.
After the login check is completed, I then carry out an authorization check whether the user can access the resource and action, the controller is usually tied to a single resource (but this behavior can be overridden) and the controller action can be mapped to a resource action.
With this in place, the only thing I need to do in each child controller is map the resource and action to what is being done without ever having to invoke the security checks again.
If I need specific ACL checks, especially in view generation, I can use the Zend_ACL instance that is tied to the user's session.
Comment (Andrew Brown, Mar 25, 2016 at 23:08): this was definitely a very popular answer when it was written, but if you're coming across this question in 2016, this stuff is mostly handled with middleware.
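The flow this answer describes (a base controller whose pre-dispatch hook first checks that a user is logged in, then checks the ACL for the controller's resource and the requested action, so child controllers only declare their resource mapping) can be sketched without any framework. The following is an added example, not the answerer's Zend Framework code: the ACL table, the Identity class, SecureController, ForumsController and the exception types are all hypothetical names, and the identities and rules are constructed for the demo.

```php
<?php
// Constructed in-memory ACL: role => resource => permitted actions.
const ACL = [
    'guest' => [],
    'user'  => ['forum' => ['view', 'add_topic']],
    'admin' => ['forum' => ['view', 'add_topic', 'delete_topic']],
];

// Deny-by-default lookup: an unknown role, resource or action yields false.
function aclAllows(string $role, string $resource, string $action): bool
{
    return in_array($action, ACL[$role][$resource] ?? [], true);
}

// Stand-in for the session-backed identity; null means "not logged in".
final class Identity
{
    public function __construct(public readonly string $name, public readonly string $role) {}
}

final class LoginRequired extends RuntimeException {}
final class AccessDenied extends RuntimeException {}

abstract class SecureController
{
    public function __construct(private ?Identity $identity) {}

    // Each child controller is tied to one resource (hypothetical hook).
    abstract protected function resource(): string;

    // Controller actions map 1:1 to ACL actions unless a child overrides this.
    protected function actionToAclAction(string $action): string
    {
        return $action;
    }

    // Equivalent of the pre-dispatch hook: authentication first, then authorization.
    public function dispatch(string $action): string
    {
        if ($this->identity === null) {
            throw new LoginRequired('forward to login page');
        }
        $resource = $this->resource();
        if (!aclAllows($this->identity->role, $resource, $this->actionToAclAction($action))) {
            throw new AccessDenied("role '{$this->identity->role}' may not '{$action}' on '{$resource}'");
        }
        // Only reached when both checks passed; guard against calling non-action methods.
        if (!method_exists($this, $action) || $action === 'dispatch') {
            throw new AccessDenied("no such action '{$action}'");
        }
        return $this->$action();
    }
}

final class ForumsController extends SecureController
{
    protected function resource(): string { return 'forum'; }

    // Only the resource mapping lives in the child; no security checks are repeated.
    public function add_topic(): string { return 'topic added'; }
    public function delete_topic(): string { return 'topic deleted'; }
}

// Demo with constructed identities: anonymous, an ordinary user and an admin.
$cases = [
    'anonymous add_topic'  => [null, 'add_topic'],
    'user add_topic'       => [new Identity('alice', 'user'), 'add_topic'],
    'user delete_topic'    => [new Identity('alice', 'user'), 'delete_topic'],
    'admin delete_topic'   => [new Identity('bob', 'admin'), 'delete_topic'],
];
foreach ($cases as $label => [$identity, $action]) {
    try {
        echo "$label: " . (new ForumsController($identity))->dispatch($action) . "\n";
    } catch (LoginRequired | AccessDenied $e) {
        echo "$label: " . get_class($e) . ' - ' . $e->getMessage() . "\n";
    }
}
```

The two checks are deliberately ordered: an anonymous request is redirected to login before any ACL lookup happens, and the ACL lookup fails closed for any role, resource or action that is not explicitly listed. Run with `php secure_controller.php`; the first case reports LoginRequired, the third AccessDenied, and the other two succeed.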
I tried to come up with my own explanations, but I found a really comprehensive post in the middle of compiling my answer. Hopefully you will find more than you asked in this post - PHP ACL implementation
Edit: Basically, the idea behind the post suggests using the decorator pattern (look at Wiki for more info). In simple terms, this pattern recommends taking your object and placing it inside another object, which will act like a protective shell. In this way, your code would not be required to extend the original class.
Comment (yannis, Jul 9, 2012 at 16:16): Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
Comment (Yusubov, Jul 10, 2012 at 1:29): Essential idea is added, please enjoy the reading.
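The decorator idea from this answer, shown as an added example rather than code from the linked post: the controller stays a plain class with no base class and no auth calls, and an AclDecorator wraps it and consults the ACL before forwarding each method call. ForumsController, Acl, AclDecorator and the role table are hypothetical names and constructed data.

```php
<?php
final class AccessDenied extends RuntimeException {}

// The undecorated object: plain business logic, nothing to extend, no auth calls.
final class ForumsController
{
    public function add_topic(string $title): string { return "added '$title'"; }
    public function delete_topic(int $id): string { return "deleted #$id"; }
}

// Constructed ACL: role => permitted method names on the wrapped object.
final class Acl
{
    private array $rules = [
        'guest' => [],
        'user'  => ['add_topic'],
        'admin' => ['add_topic', 'delete_topic'],
    ];

    public function isAllowed(string $role, string $action): bool
    {
        return in_array($action, $this->rules[$role] ?? [], true);
    }
}

// The protective shell: exposes the same calls as the wrapped object via __call.
final class AclDecorator
{
    public function __construct(private object $inner, private Acl $acl, private string $role) {}

    public function __call(string $method, array $args): mixed
    {
        // Fail closed: unknown methods and unlisted roles are both refused.
        if (!method_exists($this->inner, $method) || !$this->acl->isAllowed($this->role, $method)) {
            throw new AccessDenied("role '{$this->role}' may not call {$method}()");
        }
        return $this->inner->$method(...$args);
    }
}

// Demo: the same wrapped controller behind three different roles.
$acl = new Acl();
foreach (['guest', 'user', 'admin'] as $role) {
    $forums = new AclDecorator(new ForumsController(), $acl, $role);
    foreach ([['add_topic', ['Hello']], ['delete_topic', [42]]] as [$method, $args]) {
        try {
            echo "$role: " . $forums->$method(...$args) . "\n";
        } catch (AccessDenied $e) {
            echo "$role: denied - " . $e->getMessage() . "\n";
        }
    }
}
```

Because every call goes through __call, a method the wrapped object does not have, or one that is not listed for the role, never reaches the inner object; only the decorator needs to change when the ACL grows, and the controller itself stays free of security code.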