
I am looking into making a correctly laid out MVC Auth/ACL system. I think I want the authentication of a user (and the session handling) to be separate from the ACL system. (I don't know why but this seems a good idea from the things I've read.)

What does MVC have to do with this question, you ask? Because I wish for the application to be well integrated with my ACL. An example of a controller (CodeIgniter):

<?php
class forums extends MX_Controller
{
    // roles allowed to use this controller, and whether a login is required
    public $allowed = array('users', 'admin');
    public $need_login = true;

    function __construct()
    {
        parent::__construct(); // required so that $this->auth is available here
        // example of checking if logged in.
        if ($this->auth->logged_in() && $this->auth->is_admin())
        {
            echo "you're logged in!";
        }
    }

    public function add_topic()
    {
        if ($this->auth->allowed('add_topic'))
        {
            // some add topic things.
        }
        else
        {
            echo 'not allowed to add topic';
        }
    }
}
?>

My thoughts

$this->auth would be autoloaded in the system. I would like to check the $allowed array against the user currently (not) logged in and react accordingly.

Is this a good way of doing things? I haven't seen much literature on MVC integration and Auth. I want to make things as easy as possible.

Bill the Lizard
WiseStrawberry

2 Answers

My approach within Zend Framework has been to have a base class of SecureController which all controllers that require authentication must extend. In the SecureController I have a pre-dispatch authentication check for whether a user is logged in; if not, it forwards to the login page.

After the login check is completed, I then carry out an authorization check on whether the user can access the resource and action. The controller is usually tied to a single resource (but this behaviour can be overridden), and the controller action can be mapped to a resource action.

With this in place, the only thing I need to do in each child controller is map the resource and action to what is being done without ever having to invoke the security checks again.

If I need specific ACL checks, especially in view generation, I can use the Zend_ACL instance that is tied to the user's session.

  • this was definitely a very popular answer when it was written, but if you're coming across this question in 2016, this stuff is mostly handled with middleware. – Andrew Brown Mar 25 '16 at 23:08

I tried to come up with my own explanations, but I found a really comprehensive post in the middle of compiling my answer. Hopefully you will find more than you asked for in this post - PHP ACL implementation

Edit: Basically, the idea behind the post is to use the decorator pattern (look at Wiki for more info). In simple terms, this pattern recommends taking your object and placing it inside another object, which acts like a protective shell. In this way, your code is not required to extend the original class.

Yusubov

  • Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – yannis Jul 09 '12 at 16:16
  • Essential idea is added, please enjoy the reading. – Yusubov Jul 10 '12 at 01:29
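Putting the two answers together (the pre-dispatch login check followed by a resource/action authorization check from the first answer, and the decorator "protective shell" from the second), here is an added example in PHP 8 that is not code from either answer, from Zend Framework or from CodeIgniter; the Acl class, the SecuredController wrapper and the role and resource names are all constructed for illustration:

```php
<?php
// Added example (not from either answer); role/resource names are constructed.
class Acl
{
    private array $rules = [];   // role => resource => list of privileges
    public function allow(string $role, string $resource, array $privileges): void
    {
        $this->rules[$role][$resource] = $privileges;
    }
    public function isAllowed(string $role, string $resource, string $privilege): bool
    {
        // deny by default: an unknown role or resource yields an empty list
        return in_array($privilege, $this->rules[$role][$resource] ?? [], true);
    }
}

// Plain controller; it knows nothing about authentication or authorization.
class ForumsController
{
    public function addTopic(string $title): string { return "added topic '$title'"; }
    public function listTopics(): string { return 'listing topics'; }
}

// The protective shell: the real controller sits inside it and is never
// reached without passing both checks. The controller is not subclassed.
class SecuredController
{
    public function __construct(
        private object $inner,
        private Acl $acl,
        private ?string $role,      // null when nobody is logged in
        private string $resource    // the resource this controller is tied to
    ) {}
    public function __call(string $action, array $args): mixed
    {
        if ($this->role === null) {
            return 'redirect: /login';                 // pre-dispatch login check
        }
        if (!$this->acl->isAllowed($this->role, $this->resource, $action)) {
            return "not allowed to $action";           // authorization check
        }
        return $this->inner->$action(...$args);        // forward unchanged
    }
}

$acl = new Acl();
$acl->allow('user',  'forums', ['listTopics']);
$acl->allow('admin', 'forums', ['listTopics', 'addTopic']);
$user = new SecuredController(new ForumsController(), $acl, 'user', 'forums');
echo $user->listTopics(), "\n", $user->addTopic('Hi'), "\n";
```

Because the wrapper's `__call` is the only way into the inner controller, every action is denied unless a rule explicitly allows it, which is the deny-by-default behaviour an ACL should have.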