Using Solar Access Control
Posted in Solar on June 22nd, 2009 by Jon
Introduction
Solar has a simple-to-use, role-based access control library. It is nicely integrated into the user object so getting it working is really just a matter of adding a few lines to your config file. Here is a quick rundown of how to get it working using the file adapter. This means your access control list and roles are stored in simple text files.
Setup
Create a file called acl.txt in your config folder
Create a file called roles.txt in your config folder
In the acl.txt file, add the following lines:
allow handle juser * *
allow handle jdoe Vendor_App_Example add
allow handle + Vendor_App_News browse
deny role banned * *
The file format is like this: 0:flag 1:type 2:name 3:class 4:action 5:process
Although I don’t believe that process is currently used.
- Flag is either allow or deny
- Type is handle, role, or owner
- Name is the userid of the person (not used for type owner)
- Class is the name of the class you are adding access control to
- Action is the action of the access control (edit, add, delete, etc)
allow handle juser * *
means allow user juser access to all classes and all actions.
allow handle jdoe Vendor_App_Example add
means allow user jdoe access to the add action in Vendor_App_Example.
Wildcards * and + can be used too. For example, a + symbol in the name field means any logged in user.
Now add the following line to your roles.txt
banned:gijoe
The format is role:userone,usertwo,userthree
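To see how the acl.txt and roles.txt entries above combine, here is an added stand-alone evaluator for the two file formats (example code written for this post, not Solar's own adapter). The resolution policy is an assumption, not Solar's documented behaviour: no matching rule means denied, and any matching deny beats any allow; a * in the name field is assumed to match anyone, while + matches only logged-in users as described above.

```php
<?php
// Added example, not Solar code. Parses the acl.txt / roles.txt formats from
// the post and evaluates a request against them. Policy (assumption): default
// deny, and an explicit deny wins over any allow.

function parseRoles(string $text): array {
    $roles = [];                                   // handle => [role, ...]
    foreach (preg_split('/\R/', trim($text)) as $line) {
        $parts = explode(':', $line, 2);           // role:userone,usertwo
        $role  = trim($parts[0]);
        foreach (explode(',', $parts[1] ?? '') as $user) {
            if (trim($user) !== '') { $roles[trim($user)][] = $role; }
        }
    }
    return $roles;
}

function parseAcl(string $text): array {
    $rules = [];
    foreach (preg_split('/\R/', trim($text)) as $line) {
        $f = preg_split('/\s+/', trim($line));     // 0:flag 1:type 2:name 3:class 4:action
        if (count($f) < 5) { continue; }           // skip malformed lines
        $rules[] = ['flag' => $f[0], 'type' => $f[1], 'name' => $f[2],
                    'class' => $f[3], 'action' => $f[4]];
    }
    return $rules;
}

// $handle is null for an anonymous visitor; $isOwner stands in for the isOwner() hook.
function isAllowed(array $rules, array $roles, ?string $handle, string $class,
                   string $action, bool $isOwner = false): bool {
    $userRoles = $handle !== null ? ($roles[$handle] ?? []) : [];
    $decision  = false;                            // default deny (assumption)
    foreach ($rules as $r) {
        if ($r['class'] !== '*' && $r['class'] !== $class) { continue; }
        if ($r['action'] !== '*' && $r['action'] !== $action) { continue; }
        if ($r['type'] === 'handle') {
            $match = $r['name'] === '*'            // anyone (assumption)
                  || ($handle !== null && ($r['name'] === '+' || $r['name'] === $handle));
        } elseif ($r['type'] === 'role') {
            $match = $r['name'] === '*' ? $userRoles !== [] : in_array($r['name'], $userRoles, true);
        } else {
            $match = $r['type'] === 'owner' && $isOwner;
        }
        if (!$match) { continue; }
        if ($r['flag'] === 'deny') { return false; }   // explicit deny wins
        $decision = true;
    }
    return $decision;
}

// Constructed sample files built from the entries shown in the post.
$acl   = parseAcl("allow handle juser * *\nallow handle jdoe Vendor_App_Example add\n"
                . "allow handle + Vendor_App_News browse\ndeny role banned * *");
$roles = parseRoles("banned:gijoe");
var_dump(isAllowed($acl, $roles, 'jdoe',  'Vendor_App_Example', 'add'));
var_dump(isAllowed($acl, $roles, 'gijoe', 'Vendor_App_News',    'browse'));  // banned role
var_dump(isAllowed($acl, $roles, null,    'Vendor_App_News',    'browse'));  // '+' needs a login
```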
Now add a few lines to your config, assuming you already have the Solar_Auth config previously set up.
$config['Solar_Role']['adapter'] = 'Solar_Role_Adapter_File';
$config['Solar_Role_Adapter_File']['file'] = "$system/config/roles.txt";
$config['Solar_Access']['adapter'] = 'Solar_Access_Adapter_File';
$config['Solar_Access_Adapter_File']['file'] = "$system/config/acl.txt";
Checking Access
In a controller, just add this to one of your actions (for example, actionBrowse()):
if (Solar_Registry::get('user')->access->isAllowed(get_class($this), 'browse')) {
    // browse logic
} else {
    // access denied logic
}
Or, better yet, follow the _preAction() method in Solar_Base.
protected function _preAction()
{
    // check the current user against the class and the action being dispatched
    $allow = Solar_Registry::get('user')->access->isAllowed(
        get_class($this),
        $this->_action
    );
    if (! $allow) {
        $this->errors[] = $this->locale('ERR_NOT_ALLOWED_ACCESS');
        $this->_action = 'error';
    }
}
Is Owner?
You can use the access control file to give object owners access to actions as well. If you want to use the isOwner() method, you will need to extend the Solar_Access_Adapter_File class and write your own isOwner() method.
Your acl.txt entry might look like this:
allow owner * Vendor_App_Example edit
This means allow the edit action to the owner of the object in question (like a record from a database) within the Vendor_App_Example class.
You could extend the access adapter like this:
<?php
class Vendor_Access_Adapter_File extends Solar_Access_Adapter_File
{
    // $content carries the owner handle and the current user's handle;
    // compare strictly so only an exact handle match counts as ownership
    public function isOwner($content)
    {
        if ($content['owner'] === $content['user']) {
            return true;
        }
        return false;
    }
}
?>
Then, to use this method, you can do the following:
$content = array(
    'owner' => 'juser',
    'user'  => Solar_Registry::get('user')->auth->handle
);
if (Solar_Registry::get('user')->access->isAllowed(get_class($this), 'edit', $content)) {
    // edit logic here
}

// or just do (assuming they made it this far)
if (Solar_Registry::get('user')->access->isOwner($content)) {
    // edit logic here
}
Well, that’s the basics.