Demonic
Posted April 29, 2009

History of project:

Alright, I'm building a simple CMS with CodeIgniter (because CodeIgniter has a lot of features that are already created, especially the form validation functions, which speed up some code).

So I've got a basic user system: users can log in, register, log out. Then a basic permission system which allows users to log in to the admin page, using the regular login form with "admin" at the end of the URL segment. It's coded so it knows what type of login it's doing.

So right, I'm building a basic module system where you upload module files to the correct folder: /system/application/modules/

What I got:

What I have right now are 2 built-in modules, group management and module management (install/uninstall modules). Well, right now there's only one permission per module, which allows you to access that whole module as long as you have access to it.

Here's the question: Would you recommend me to have permissions for each module page? (Ex. User module: edit users, add users, ban users, etc.)

More History/Overview:

My module is basic right now. There is a db table which shows all installed modules. Then when accessing a module it checks default installed modules first. Then it checks to see if the module we're accessing is installed, then we include the class (require_once) and initialize it.

Here's another question: How would I set it up so it will automatically check if each module "action" we try to access has permissions? Would it be best to create an abstract class, which the module extends and which we use to access each action (called: load_action), then do multiple checks seeing if the function exists, then checking if the action has a permission in the groups table, and if it does not, just run the function anyway?

pseudo:

    if module exists
        include module file
        initiate class
        if (module action has permissions and we have permissions) OR action has no permissions
            load module action if there is one (domain.com/admin/module/module_name/action)
        else
            tell them they don't have permissions
    else
        tell them this module does not exist

Your thoughts?
ionik
Posted April 30, 2009

This is a basic principle for an ACL system: set up a simple resource system, and you say you already have group management. Does this refer to roles (user groups)? If so, you are already 35% of the way there; now you only need to create resources (permissions) and the ACL (ties the roles to the resources).

This is a very simple way of doing it and could be done with a minimum of 3 classes (2 if you already have the Roles set up).

And to answer the question of how you would do this: once you have created the ACL system, depending on how you call the object (for this example it will be static):

    if (Foo_Acl::isAllowed('janes_role', 'module_edit')) {
        // jane goes on her merry way
    } else {
        // jane gets an access denied message
    }

A quick breakdown of the class structure and methods needed, as an example.

Foo_Resource
------------------------------
$_resources :: Array of all the resources, which contains the name and its allowed/denied roles. Store them in a database and parse them out to this variable for access.
__construct() :: This can build the $_resources array
getAllowedRoles($resource) :: Use this to parse out the roles allowed to access this resource (stored in the $_resources array)

Foo_Acl
------------------------------
$_roles = array|object :: This can store your roles (either an array of roles or an object, depending on how your system works)
$_resources = object :: This will be your resource object
isAllowed($role, $resource) :: Check if a role is allowed to access a resource. This will perform something like this:

    $_resources->getAllowedRoles($resource);

Then check the array or string, whichever it returns, of the roles allowed.

I have attached a resource system that I built for the same purpose; it's quite a bit more advanced but a good start.

Also try checking out how Zend_Framework does it.

[attachment deleted by admin]
Demonic
Posted April 30, 2009

Well, before I read your post, I constructed something like what I had at the end of my previous post. Since I'm using a framework, I've created a CI library which is called "Permissions". My permissions library has a function like yours which checks if the user has a role, but my module system is a bit different.

Since most of the module stuff is mainly for the ACP, the permission system is actually used just about throughout the ACP and not the website, since the website will have its own functions, mainly readability and commenting on news, things like that. (Users won't really need too many permissions, since all the main CORE website management will be ALL located in the ACP using a module of some sort.)

Anyways, I have a built-in module and permission column which allows me to install modules. (How does this really tie into what I did? Continue.)

So when I install a module, it's built like the following:

class module_modulename
- var instance - used to get CodeIgniter's instance so we can use their built-in classes; modules will act like controllers in a way
- var install - an array variable used to install permissions for each action. Actions are sub pages to each module. If we don't assign an action to this variable, it will declare that that action in particular will not have any access permissions; any admin can freely access that page.

Each function besides "_default" that starts with a "_" is a private function; everything else is an action.

So when you install that module it will add columns in the groups table, then you must enable permissions for that group to access those pages.

By default there are only 2 modules in the ACP, "groups" and "manage_modules", used to manage the user groups and modules.

What I'm trying to do is make it very lightweight:

1. User login
2. User register
3. User logout
4. User forgot password
5. Admin login
6. Admin Module System
   - Manage groups: add/edit/delete groups; the admin group has default permissions that can't be changed
   - Install/uninstall modules, which creates permissions for the module on its own to be accessed or not and whatnot

This allows me to fork the system and be able to create basic sites that require a user system (admin backend) with minimum features.

I'll post the code when I'm finished (today, to show in detail how I did it), and it's not bad, because you can install SQL on installation with the built-in "_install" and "_uninstall" functions that do exactly what they say. Run those functions when installing or uninstalling modules.

In short, I think I've created everything I needed to create every other project, in 2-3 days with just CodeIgniter.
Demonic
Posted April 30, 2009

Since I can't edit my post: I forgot to mention my db table is something like:

    CREATE TABLE `groups` (
        id INT NOT NULL AUTO_INCREMENT,
        PRIMARY KEY(id),
        group_name VARCHAR(255),
        main_admin_groups INT(11),
        main_admin_modules INT(11),
        main_admin_access INT(11)
    );

After I create my modules, it adds another field named after each action:

    main_module_modulename_action

Then it loads the user's permissions to see if they have access to that action. It also checks if that action exists; if none exists, anyone can access.
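The per-action check this thread converges on (the load_action idea from the first post, an isAllowed-style lookup as in ionik's reply, and the main_module_modulename_action columns), as an added example that is not code from any poster or from CodeIgniter. Module_Base, the $failClosed switch, the returned strings and the sample row are assumptions; the switch shows what happens to an action left out of the install array under the thread's rule and under deny-by-default.

```php
<?php
// Added example (not from the thread). Module_Base and $failClosed are hypothetical.
abstract class Module_Base
{
    /** @var string[] actions that need a permission (the "install" array) */
    public $install = array();
    /** $groupRow is the user's `groups` row: column name => 0/1. */
    public function load_action($action, array $groupRow, $failClosed = true)
    {
        if ($action === '') {
            $action = '_default';
        }
        // Lowercase names only: PHP method names are case-insensitive, so this
        // also stops "LOAD_ACTION". A leading "_" marks a helper such as _install.
        $nameOk = $action === '_default' || preg_match('/^[a-z][a-z0-9_]*$/', $action);
        if (!$nameOk || $action === 'load_action' || !method_exists($this, $action)
            || !(new ReflectionMethod($this, $action))->isPublic()) {
            return 'not found';
        }
        if (in_array($action, $this->install, true)) {
            // Column naming from the thread: main_module_modulename_action
            $column = 'main_' . strtolower(get_class($this)) . '_' . $action;
            if (empty($groupRow[$column])) {
                return 'denied';
            }
        } elseif ($failClosed) {
            // Thread's rule is the opposite: an unlisted action runs for any admin.
            return 'denied';
        }
        return $this->$action();
    }
}

class module_users extends Module_Base
{
    public $install = array('edit', 'add'); // "ban" left out by mistake
    public function edit() { return 'edit users'; }
    public function add() { return 'add user'; }
    public function ban() { return 'ban user'; }
    public function _install() { return 'ran install SQL'; }
}

// Constructed group row: this group may edit but not add.
$row = array('main_module_users_edit' => 1, 'main_module_users_add' => 0);
$m = new module_users();
foreach (array('edit', 'add', 'ban', '_install', 'load_action') as $a) {
    printf("%-12s thread rule: %-11s fail-closed: %s\n", $a,
        $m->load_action($a, $row, false), $m->load_action($a, $row, true));
}
```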