How should I be implementing my ACL in a web application? [closed]

4

8

I've been thinking about the web app I'm about to begin developing and wondering whether my usual approach could be improved.

In my last few apps I've created a table (see below) of roles (such as CREATE POST, EDIT POST etc.) which each have a bitfield applied to them so I can simply assign a user certain rights in registration and check them later on (e.g. $user->hasRight(CREATE_POST)).

I'm wondering if there's a better approach to this. It's certainly confusing when the rights aren't specifically linked to the user (I could have a table where each right is a boolean column but that only sounds like a small improvement) - and what happens if I change some around?

I'm not looking to use standard libraries (the app itself is a learning experience for me: using postgresql, git etc.) although I'm perfectly happy to take inspiration from them to construct my own - so if there's something special you think I should take a look at please say so :)

Landeros answered 13/2, 2009 at 16:34 Comment(1)
Additionally: it will be for a PHP application, but if there's a great practice done in, say, Ruby on Rails, I'm sure I can figure it out :) - Landeros
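The bitfield scheme the question describes, together with the "what happens if I change some around?" worry, as an added example. It is written in Python rather than the PHP the question targets, and is not code from the question or from any library mentioned on the page. Only CREATE_POST and EDIT_POST are named on the page; the other right names, the two bit layouts, and the sample masks are constructed for illustration.

```python
from enum import IntFlag


class RightV1(IntFlag):
    """Bit assignment as first deployed (constructed; page names only CREATE/EDIT POST)."""
    CREATE_POST = 1 << 0
    EDIT_POST = 1 << 1
    DELETE_POST = 1 << 2
    BAN_USER = 1 << 3


class RightV2(IntFlag):
    """Same rights after someone 'changed some around': EDIT_POST and DELETE_POST swap bits."""
    CREATE_POST = 1 << 0
    DELETE_POST = 1 << 1
    EDIT_POST = 1 << 2
    BAN_USER = 1 << 3


class User:
    """Holds the integer mask that the PHP app would keep in a users.rights column."""

    def __init__(self, name, rights_mask, rights_enum=RightV1):
        self.name = name
        self.rights = rights_enum(rights_mask)

    def has_right(self, right):
        # Counterpart of $user->hasRight(CREATE_POST): every bit of `right` must be set.
        return (self.rights & right) == right


def grant(mask, *rights):
    """Return the mask with the given rights added (what registration would store)."""
    for r in rights:
        mask |= r
    return int(mask)


def revoke(mask, *rights):
    """Return the mask with the given rights cleared."""
    for r in rights:
        mask &= ~r
    return int(mask)


def decode(mask, rights_enum):
    """Names of the rights a stored integer grants under a given bit assignment."""
    return [r.name for r in rights_enum if (mask & r) == r]


def fits_in_column(rights_enum, bits=32):
    """An N-bit integer column holds at most N independent rights."""
    return max(int(r) for r in rights_enum).bit_length() <= bits


def renumbering_hazard():
    """Store a mask under V1, read it back under V2: the user silently gains DELETE_POST."""
    stored = grant(0, RightV1.CREATE_POST, RightV1.EDIT_POST)  # persisted at registration
    return {
        "stored_mask": stored,
        "as_deployed": decode(stored, RightV1),
        "after_reorder": decode(stored, RightV2),
    }


if __name__ == "__main__":
    print(renumbering_hazard())
```

The stored integer carries no record of which bit meant what, so reordering the constants is a silent privilege change for every existing row (`renumbering_hazard()` shows EDIT_POST turning into DELETE_POST); if bits are kept, the bit-to-right mapping has to be treated as an append-only contract, and `fits_in_column` is the check for the integer-width ceiling that the first answer points out.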
4

That's basically the same approach I take in my own web apps (and a bit of trial and error has gone into that for me). The only difference is, I'd probably use a table which has the different permissions as columns, so that if you want to add more permissions later on, you can. Using bits in an integer limits you to a fixed number of permissions, namely as many bits as there are in the integer. Typically that would be 32 which I suppose is probably enough, but I prefer not to limit myself that way.

For what it's worth, that's also the model that phpBB uses (permissions as table columns), and if it's good enough for arguably the most popular PHP web app, it's probably good enough for you ;-)

Web answered 13/2, 2009 at 16:44 Comment(1)
I like the idea of using a table for ACL. Do you think you can advise me on how to design this the correct way to achieve ACL? So I have a table Project that has a one-to-many relationship with Drawing, and a table USER. Let's say that we have projects A and B, each of which has many drawings in it. How can I design it so that I can allow one user to view only A, one user to view only B, and one user to view both? - Resigned
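A concrete schema for the permissions-as-columns model this answer recommends, extended with the per-project grants the comment asks about (one user sees only A, one only B, one both). This is an added example, not code from the answer, from phpBB, or from the commenter; Python with an in-memory SQLite database stands in for the PHP/PostgreSQL stack in the question, and every table name, column name and row below is constructed for illustration.

```python
import sqlite3

# Role-wide permissions as columns: adding a permission is an ALTER TABLE ... ADD COLUMN,
# not a new bit. Per-resource access is a separate grant table keyed on (user, project).
SCHEMA = """
CREATE TABLE role (
    id              INTEGER PRIMARY KEY,
    name            TEXT NOT NULL UNIQUE,
    can_create_post INTEGER NOT NULL DEFAULT 0,
    can_edit_post   INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE app_user (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE,
    role_id INTEGER NOT NULL REFERENCES role(id)
);
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE drawing (
    id         INTEGER PRIMARY KEY,
    project_id INTEGER NOT NULL REFERENCES project(id),
    title      TEXT NOT NULL
);
CREATE TABLE project_acl (
    user_id    INTEGER NOT NULL REFERENCES app_user(id),
    project_id INTEGER NOT NULL REFERENCES project(id),
    can_view   INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (user_id, project_id)
);
"""

# Only these column names may be interpolated into SQL; anything else is rejected.
PERMISSION_COLUMNS = ("can_create_post", "can_edit_post")


def build_db():
    """Constructed sample data: users 1/2/3 see project A only, B only, and both."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role(id, name, can_create_post, can_edit_post) VALUES (?,?,?,?)",
                     [(1, "member", 1, 0), (2, "editor", 1, 1)])
    conn.executemany("INSERT INTO app_user(id, name, role_id) VALUES (?,?,?)",
                     [(1, "only_a", 1), (2, "only_b", 1), (3, "both", 2)])
    conn.executemany("INSERT INTO project(id, name) VALUES (?,?)", [(1, "A"), (2, "B")])
    conn.executemany("INSERT INTO drawing(id, project_id, title) VALUES (?,?,?)",
                     [(10, 1, "A-floorplan"), (11, 1, "A-elevation"), (20, 2, "B-floorplan")])
    conn.executemany("INSERT INTO project_acl(user_id, project_id, can_view) VALUES (?,?,?)",
                     [(1, 1, 1), (2, 2, 1), (3, 1, 1), (3, 2, 1)])
    conn.commit()
    return conn


def has_permission(conn, user_id, column):
    """Role-wide check, the hasRight() equivalent. Column name is whitelisted, user id bound."""
    if column not in PERMISSION_COLUMNS:
        raise ValueError(f"unknown permission {column!r}")
    row = conn.execute(
        f"SELECT r.{column} FROM app_user u JOIN role r ON r.id = u.role_id WHERE u.id = ?",
        (user_id,),
    ).fetchone()
    return bool(row and row[0])


def can_view_drawing(conn, user_id, drawing_id):
    """Drawings inherit visibility from their project; deny unless a grant row exists."""
    row = conn.execute(
        """SELECT 1 FROM drawing d
           JOIN project_acl a ON a.project_id = d.project_id
           WHERE d.id = ? AND a.user_id = ? AND a.can_view = 1""",
        (drawing_id, user_id),
    ).fetchone()
    return row is not None


def visible_drawings(conn, user_id):
    """List the drawing ids a user may see, filtered in the query rather than in app code."""
    rows = conn.execute(
        """SELECT d.id FROM drawing d
           JOIN project_acl a ON a.project_id = d.project_id
           WHERE a.user_id = ? AND a.can_view = 1
           ORDER BY d.id""",
        (user_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    for uid in (1, 2, 3):
        print(uid, visible_drawings(db, uid))
```

Two design points worth keeping when porting this to PHP: access is default-deny (no `project_acl` row means no access, so a forgotten grant fails closed), and the visibility filter lives in the JOIN, so a listing endpoint cannot leak drawings by fetching them first and filtering afterwards.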
5

You could take a look at the documentation of Spring Security (formerly Acegi), which is a widely used Java ACL framework.

The documentation is exhaustive and also describes the various considerations made in the design of both authentication and authorization. Even without using Java it is worth reading.

You can view the index page to get an overview and an impression of what Acegi does (and does not) do. You can also skip right to the authorization concepts or even to the database schema.

Flog answered 13/2, 2009 at 17:22 Comment(1)
The site layout for Spring Security has changed, so here's the list of links updated: index page, ACL concepts and schema - Coom
1

I'm sure you've found phpgacl already, but here's a link in case you haven't. It can be a little rough to wrap your head around at first, and certainly the library is tricky (time consuming) to implement into a project, but the documentation and demo are EXCELLENT reference points.

PHP Generic Access Control Lists

Membranophone answered 13/2, 2009 at 16:47 Comment(1)
I hadn't, but it certainly looks interesting. - Landeros
1

ACL approaches in web applications, in general, have been discussed, for example here.

Boehike answered 19/6, 2009 at 19:29 Comment(1)
Please avoid link-only answers. If the link breaks then the answer becomes unusable. - Varhol
