  1. #1 SitePoint Evangelist (England, joined Feb 2000, 568 posts)

    Zend Framework MVC + User Auth

    Hi,

    I am new to frameworks, trying to make a sample app using Zend Framework. I have a lot of the MVC stuff set up nicely with a few different controllers.

    What I am trying to work out as a next step is getting user auth. What I am unsure about is where this should happen: should it happen in the bootstrap index.php file, or should each method in the controllers be calling a user auth class?

    Perhaps someone can point me in the right direction on how to handle this based on the use of the Zend Framework MVC setup.

    Thanks!

  2. #2 I ♥ PHP (Melbourne, Australia, joined Jul 2003, 579 posts)
    I am interested in the response to this as well, but in a more general MVC environment. Having not used the Zend framework, I apologise if the two issues are not related and kindly ask you all to ignore this post.

    Regards,
    Jordan

  3. #3 SitePoint Zealot (joined Jul 2005, 163 posts)
    While I don't know if I do it the right way, I can at least share how I handle it. For permissions it's broken into two parts: authentication, which is verifying the user is who they claim to be, and authorization, which is checking to make sure they are allowed to access what they are requesting. I do both of those each as an intercepting filter in my front controller. Before the request is passed to the dispatcher, it's passed through the filter chain. If the user's credentials fail at either the authentication or authorization stage, the request is rewritten to a login page, for example. That way all requests are covered by the intercepting filters.

  4. #4 SitePoint Evangelist (joined Mar 2005, 421 posts)
    I've often pondered about the whole decorator / filter chain approach.

    It seems in your example you have a strict allowed / disallowed set-up. How do you manage people viewing sections of an application, for instance where anyone can create an article (domain.com/article/new) vs admin-only editing of other people's articles (domain.com/article/34/edit)?

  5. #5 SitePoint Zealot (joined Jul 2005, 163 posts)
    I'm using that setup in an administrative area for an organization, and it's where the authorization comes into play. For the most part the organization I am making the system for decided that if a staff member had access to a section they would have it without limits. Using your article example, you'd probably have add article, delete article, and edit article. So first the staff member would have to log into the administration area. This is filter 1, authentication. The system verifies they are a valid staff member. Now they click on the edit article link to go to that section. Again their authentication is checked (for security purposes), and also authorization is run. I have a table set up in the database that manages their permissions. If they have been given permission, the authorization filter lets the request pass. If not, it changes the location to an access denied page within the admin. Once through that, though, based on the organization's policies that member would be able to view/edit any article that is listed for them.

    This may not be viable for your situation if you don't have some kind of control over the staff that uses it. However, it could be easily modified to allow the kind of access you're talking about. It would just be a finer-grained control than what I have done.

    For example, in the permissions, instead of just having allow/deny, you can have view/edit/delete for each one. If they have the view permission set for the edit page, then they have access and can view it. If they try to submit changes and they don't have the edit permission set, it should just return an error. Hopefully that helps to illustrate how you may be able to expand it into a finer-grained control.

  6. #6 Non-Member (joined Jan 2003, 5,748 posts)
    I would suggest that you manage Authentication on the global scale where possible, the higher the layer the better in my view, most definitely before you dispatch though. As for Authorisation, I do that on a per request level.

    Take your example of User A being able to edit an article, but User B - being an administrator, for example - can edit all articles; Usually given that User 'X' can create an article, they would be the author of that article, so other editors couldn't edit that said article, unless of course (my terminology) that is, User 'X' made that article public, is how the approach I take.

    The default is private of course - you wish to give the least amount of access to anyone. I manage this via one, or more Decorators if it's of interest?

  7. #7 SitePoint Evangelist (joined Mar 2005, 421 posts)
    Thank you both for your replies. I've been mulling over developing a lightweight RBAC subsystem lately, with the aim of it being 'pluggable' into any framework. I've thought of a little plan where all a model needs to implement is an observable interface to use the subsystem, so for instance, if a user goes to edit an article, the model would call something like this->notifyAction(), which would then start a process of checking whether the user has the role and level required to perform such an operation, with a redirection if not. Link rendering would be done in a view helper with a simple canView() method on the model, so it's more secure from both aspects: action authorisation and action display. The whole view / edit / delete is exactly along the lines of what I've been thinking.

    Alternatively, if the Zend Framework comes with a Zend_RBAC module, I'd be on the computer a lot less.

  8. #8 Non-Member (joined Jan 2003, 5,748 posts)
    Umm....

    The latest build of the Zend Framework offers, in one form or another, what you are looking for [0-7-0], though it's still in the incubator, and I've not had the time to look at it at this point, but if you've not got the latest... Maybe you could glean something from what is there?

  9. #9 SitePoint Addict (United Kingdom, joined Jan 2005, 208 posts)
    Quote Originally Posted by EscapeYourMind:
        While I don't know if I do it the right way, I can at least share how I handle it. For permissions it's broken into two parts: authentication, which is verifying the user is who they claim to be, and authorization, which is checking to make sure they are allowed to access what they are requesting. I do both of those each as an intercepting filter in my front controller. Before the request is passed to the dispatcher, it's passed through the filter chain. If the user's credentials fail at either the authentication or authorization stage, the request is rewritten to a login page, for example. That way all requests are covered by the intercepting filters.
    How does your code know when a request doesn't need any authentication or authorisation? I use a filter chain approach; however, it is obtained by the front controller from the page controller, which knows about its own authentication requirements.
    PHP Code:
    $pc = new FooPageController();
    $auth = $pc->getAuthHandle(); // Grab an object for auth, if there is one
    if ($auth instanceof IAccess) {
        $auth->execute(); // Start the filter chain
    }
    $pc->execute(); // Start the page controller
    I'd like to have everything done in the Front Controller; perhaps there's some better approach?

  10. #10 SitePoint Zealot (joined Jul 2005, 163 posts)
    Well, for mine, since it's an administration area, just about every page needs authentication and authorization. The only exceptions to that are the login pages and logout pages. For those I built in an 'exceptions' part in the filters so that if the request is for something like /login/ it will just pass the request through. And the exceptions can be either the controller part (i.e. /login/) or a controller and action (i.e. /login/verifyuser/).
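The approach the thread converges on, as an added example that is not code from any poster or from the Zend Framework: a front-controller filter chain that authenticates globally before dispatch (post #3), passes an exceptions list such as /login/ and /login/verifyuser/ through unauthenticated (post #10), and authorizes per request with view/edit/delete permissions where a missing entry means deny (post #5). The request array shape, the session array, the permission table and the redirect paths are all assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread: an intercepting-filter chain in a
// front controller along the lines of posts #3, #5 and #10 (PHP 8). The
// request shape, session array and permission table are constructed here.
interface Filter {
    public function run(array $req, array $session): ?string; // null = pass
}
// Authentication: every request needs a logged-in user except the exceptions,
// listed as a controller (login) or a controller/action (login/verifyuser).
final class AuthenticationFilter implements Filter {
    private array $exceptions = ['login', 'login/verifyuser', 'logout'];
    public function run(array $req, array $session): ?string {
        $path = $req['controller'] . '/' . $req['action'];
        if (in_array($req['controller'], $this->exceptions, true)
            || in_array($path, $this->exceptions, true)) {
            return null;
        }
        return isset($session['user']) ? null : '/login/';
    }
}
// Authorization: a GET needs 'view', a POST needs 'edit' ('delete' for the
// delete action); a missing table entry means deny, so the default is private.
final class AuthorizationFilter implements Filter {
    public function __construct(private array $perms) {}
    public function run(array $req, array $session): ?string {
        if (!isset($session['user'])) { return null; } // only the exceptions get here
        $needed = $req['method'] !== 'POST' ? 'view'
                : ($req['action'] === 'delete' ? 'delete' : 'edit');
        $granted = $this->perms[$session['user']][$req['controller']] ?? [];
        return in_array($needed, $granted, true) ? null : '/admin/denied/';
    }
}
// Front controller: run the chain before dispatching; the first filter that
// returns a path rewrites the request and the page controller never runs.
function handle(array $req, array $session, array $filters): string {
    foreach ($filters as $filter) {
        $rewrite = $filter->run($req, $session);
        if ($rewrite !== null) {
            return 'rewrite to ' . $rewrite;
        }
    }
    return 'dispatch ' . $req['controller'] . '/' . $req['action'];
}
// Constructed sample: alice may view and edit articles but not delete them.
$filters = [new AuthenticationFilter(),
            new AuthorizationFilter(['alice' => ['article' => ['view', 'edit']]])];
$edit = ['controller' => 'article', 'action' => 'edit', 'method' => 'POST'];
echo handle($edit, [], $filters), "\n";                          // anonymous
echo handle($edit, ['user' => 'alice'], $filters), "\n";         // allowed
echo handle(['action' => 'delete'] + $edit, ['user' => 'alice'], $filters), "\n";
```

Because the chain runs before dispatch, a page controller that forgets to check permissions is still covered, which is the property post #3 was after; the cost is that the exceptions list must be kept deliberately short.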
