Added by Gavin, last edited by Gavin on Apr 10, 2007


Access Control

For the purposes of this tutorial, issues about authorization permissions, access control, and restrictions are grouped under the terms "access control" and ACL (access control lists).

Where?

Each of the "locations" below presents an opportunity both to perform authentication and to use an authorization identity to determine access privileges and permissions. An authentication opportunity exists if credentials were included with the request; an authorization opportunity exists if an authorization identity can be determined from the request and any associated session data.

  1. URL patterns, such as "/forum/admin_*/*"
  2. Module names, such as "/admin/post/edit"
  3. Controller names, such as "/forum/admin/topic/"
  4. Action names, such as "/forum/topics/admin/"
  5. Inside the business logic of an action controller

The correct choice depends on the application and the situation. For example, an action as simple as viewing a post might first need to load a model of "forum moderators" to determine whether the user has sufficient privileges to view that particular post. However, unauthenticated users should never be given any access to the administration areas of the website. In that case, blocking access to administration areas with a single block of code outside the bodies of the action controllers reduces the risk that an accidental bug in an action controller turns into a security leak.

Anonymous Users

Authentication is sometimes used as a primitive form of authorization. In the ZFDemo this type of authorization is called "anonymous access". The configuration setting "allowAnonymousUse" in "modules.ini" controls whether anonymous users (those with no authentication id) may access a particular module. In the ZFDemo, anonymous users are always given access to the default module; this avoids the problem of users lacking view permissions for the error controllers that produce pages such as "404 not found".

How?

In order to apply access control, the application must have some notion of authorization identity. The authentication identity must be mapped to this authorization identity before access control restrictions may be applied. In many applications the mapping is done by looking up the username and finding the primary key in the "user" table of the data store.

These steps are done inside "forum/init.php", since we are going to apply access control to controllers and actions. By denying unauthorized users any access to these restricted controllers and actions, we no longer depend on the maintainers of those controllers and actions to prevent accidental execution of their code. The trade-off is that the business logic in these restricted controllers and actions can no longer decide dynamically whether to allow access to a particular user.
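As an added example (not code from ZFDemo or this tutorial), the following Zend Framework 1.x front-controller plugin ties together the two sections above: it maps the authenticated username to a role, honours a per-module "allowAnonymousUse" flag, keeps the default module open to anonymous users, and rejects anonymous access to admin controllers before any action runs. The `AclPlugin` class, the `_roleFor()` stand-in for the user-table lookup, the "admin*" controller naming convention and the `error/denied` target are assumptions, not part of ZFDemo.

```php
<?php
// Added example (not ZFDemo's own code); assumes Zend Framework 1.x on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Controller/Plugin/Abstract.php';
class AclPlugin extends Zend_Controller_Plugin_Abstract
{
    private $_acl, $_allowAnonymousUse; // allowAnonymousUse: module => bool, as modules.ini supplies it
    public function __construct(array $allowAnonymousUse)
    {
        $this->_allowAnonymousUse = $allowAnonymousUse;
        $acl = new Zend_Acl();
        // Roles are the authorization identities; each inherits the previous one's rules.
        $acl->addRole(new Zend_Acl_Role('anonymous'))
            ->addRole(new Zend_Acl_Role('member'), 'anonymous')
            ->addRole(new Zend_Acl_Role('moderator'), 'member');
        // One resource per module, plus a child resource for the module's admin controllers.
        $acl->add(new Zend_Acl_Resource('default'))
            ->add(new Zend_Acl_Resource('forum'))
            ->add(new Zend_Acl_Resource('forum:admin'), 'forum');
        $acl->allow('anonymous', 'default');      // error/404 pages stay reachable by everyone
        $acl->allow('member', 'forum');
        $acl->deny('member', 'forum:admin');      // inherited forum access stops at admin
        $acl->allow('moderator', 'forum:admin');
        $this->_acl = $acl;
    }
    // Hypothetical stand-in for the "user" table query mapping the authentication identity
    // (username) to an authorization identity (role); unmapped users fall back to anonymous.
    private function _roleFor($username)
    {
        $users = array('gavin' => 'moderator', 'marc' => 'member'); // constructed sample data
        return isset($users[$username]) ? $users[$username] : 'anonymous';
    }
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $module = $request->getModuleName();
        $auth   = Zend_Auth::getInstance();
        $role   = $auth->hasIdentity() ? $this->_roleFor($auth->getIdentity()) : 'anonymous';
        // Assumed naming convention: controllers named "admin*" belong to the admin resource.
        $isAdmin  = (strpos($request->getControllerName(), 'admin') === 0);
        $resource = $isAdmin ? $module . ':admin' : $module;
        $denied = ($role === 'anonymous' && empty($this->_allowAnonymousUse[$module]))
               || !$this->_acl->has($resource) || !$this->_acl->isAllowed($role, $resource);
        if ($denied) { // rewrite the request before dispatch so the restricted action never runs
            $request->setModuleName('default')->setControllerName('error')->setActionName('denied');
        }
    }
}
```

Register it once in the bootstrap with `$frontController->registerPlugin(new AclPlugin(array('default' => true, 'forum' => false)));` so the check runs for every request without relying on individual controllers.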


Next Section: 9. Filtering and Validating User Input

Using ZF 1.0.3 I needed to do the following corrections to the files in section8_acl:

Set full read and write permission on folders:
section8_acl/data/
section8_acl/temporary/
section8_acl/temporary/sessions/

LOC: index.php
ERR: function name '_' not allowed by php
OLD: function _($msg)
NEW: search and replace all occurrences of '_(' with '_x(' in all files in dir 'section8_acl/'!

LOC: index.php
ERR: local path doesn't work
OLD: //ZFDemoGrub('section8_acl', 'sandbox'); [comment out]
NEW: ZFDemoGrub('/Users/marcgrue/Sites/zfdemo/section8_acl/', 'sandbox'); [uncomment this line - use an absolute path]

LOC: index.php
ERR: php errors not showing for debugging (with my general php_ini settings)
NEW: ini_set('display_errors', true); [add this line before/after the line 'error_reporting(E_ALL|E_STRICT);']

LOC: section8_acl/bootstrap.php::stage1(), line 179
ERR: fatal error: Zend_View class declared twice
OLD: require 'Zend/View.php';
NEW: require_once 'Zend/View.php';

LOC: section8_acl/bootstrap.php::stage1() line 200
ERR: Going to 'Forums': wrong (empty) view object is rendered, so no topics are shown
NEW: $frontController->setParam('noViewRenderer', true); [add this line just before returning the $frontController]

LOC: section8_acl/bootstrap.php::stage2() ca line 354
ERR: '/index.php' added unnecessarily to baseurl
OLD: $baseUrl .= '/index.php';
NEW: $baseUrl .= '/';

LOC: section8_acl/default/controllers/IndexController.php::indexAction() line 29
ERR: '/index.php' added unnecessarily to baseurl
OLD: $this->view->baseUrl .= '/index.php';
NEW: //$this->view->baseUrl .= '/index.php'; [comment out]

LOC: section8_acl/forum/controllers/IndexController.php::redirectToTopics() line 125
ERR: link to forums is silently redirected back to 'home'
OLD: $this->setRedirectCode(303);
NEW: //$this->setRedirectCode(303); [uncomment]
ALTERNATIVE: add "/topics" to Forums link in zfdemo/index.php

LOC: section8_acl/forum/models/pdo/Topics.php::getPresentationModel() line 33
ERR: Zend_Date not loaded
NEW: require_once 'Zend/Date.php'; [add line]

LOC: section8_acl/forum/models/pdo/Posts.php::getPostsByTopicId() line 58
ERR: Zend_Date not loaded
NEW: require_once 'Zend/Date.php'; [add line]

Sometimes the xpath function in line 96 of the _readFile function in Zend_Local_Data reads the data file in the wrong way, so that a wrong path to an alias subnode is fetched. This causes:
"Fatal error: Method Zend_Date::__toString() must not throw an
exception in /Users/marcgrue/Sites/zfdemo/section8_acl/forum/views/scripts/topicsIndex.phtml on line 47"
By reloading the page a few times, the error disappears. I wonder how this happens? Is it some bug in the xpath function? A dirty temporary solution to avoid the error is to comment out from line 166 to 193 in Zend/Locale/Data.php - **NB** don't use this modified Zend library for other projects then!

LOC: Zend/Controller/Action.php function 'getViewScript' line 282
ERR: Exception: ERROR script 'admin-topicsIndex.phtml
OLD: $action = str_replace($this->_delimiters, '-', $action);
NEW: //$action = str_replace($this->_delimiters, '-', $action); [uncomment]
**NB**: dirty solution (don't normally modify Zend library files)!
The error is probably a consequence of $frontController->setParam('noViewRenderer', true); above

Hope this helps others to get this section of the tutorial going.