Sunday, 24 April 2016

Simple Access Control for CakePHP3






by Sarang Nagmote



Category - Website Development
More Information & Updates Available at: http://vibranttechnologies.co.in




The newest version of CakePHP doesnt ship with built-in ACL, which means you need to write your own. Personally, I think this is a smart move, having looked at the one-size-fits-all solutions for previous versions of the framework and knowing that every system has different requirements, this version has good hooks and documentation on how to add something that works for your application. I thought Id share what worked for mine.
The application has about 50 users; its a small, back-office application. Users are in the users table and they can have one or more roles; the relationships between the two are in users_roles.

Do the Initial Setup

To begin with, I baked the models for the users and the roles. I introduced the linking table by adding the relationship into the ModelTableUsersTable::initialize() method. There are some great docs on doing this, but for this example I just needed:
$this->belongsToMany(Roles, [ foreignKey => user_id, targetForeignKey => role_id, joinTable => users_roles ]);
Then I went ahead and baked the controllers and templates. Since Ill be putting the names of the roles into my access control code, I disabled the ability to add and delete roles or change their names through the web interface. To keep those changes in step with the code that relates to them, well make these changes using a database patch. A minor point, but one that might be handy if youre using a similar approach to me.
This approach doesnt do anything special with authentication as it uses the standard approaches for logging people in (some good examples in the CakePHP tutorials). However authorization is what controls the access to individual controllers or actions, and this is where it gets interesting.

Build the Authorization Piece

To work out which roles have access to which controller actions, CakePHP will call the authorize() method of the class that I configure. This call includes the currently logged in user and the request object, so we can use these two pieces of information together and decide who can see what. When the user is logged in, Im storing their record with the roles hydrated into the object. This means that were not hitting the database on every web request to look up what roles the user has all the time (Id also like to use this same method at some point to work out if I should be displaying navigation to a given user, so it becomes potentially several database hits at that point rather than just one as it is in this example).
First, I configure the Auth component in the ControllerAppController::initalize() method by setting up something like this (you probably want the Flash component as well while youre there):
$this->loadComponent(Auth, [ authenticate => [ Form => [ fields => [ username => email, password => password ], ] ], loginAction => [ controller => Users, action => login ], authorize => [Example], unauthorizedRedirect => /users/login, ]);
With this in place, I have a login form where the user logs in with their email and password. Its important to set the loginAction when configuring the Auth component so that CakePHP knows that unauthenticated users should be able to see that page... its really hard to log in if you dont have access to the login form!
The authorize setting here means that CakePHP will call AuthExampleAuthorize::authorize() before allowing users access to anything. All we need our function to do is return true or false—in fact a good way to get started is to do the configuration, create the class, and get the method to return true. This lets you know that your configuration is correct and you can start working on the actual logic!
The documentation covers everything you could need but sometimes real code is easier to look at. Heres my actual auth class:
<?phpnamespace AppAuth;use CakeAuthBaseAuthorize;use CakeNetworkRequest;use AppModelEntityUser;class ExampleAuthorize extends BaseAuthorize{ public function authorize($user, Request $request) { $this->_user = $user; // assume false $authorized = false; // admins see everything, return immediately if ($this->userHasRole(admin)) { return true; } switch($request->params[controller]) { case Users: // check the action param to control for a specific controller action if ($request->params[action] == logout) { $authorized = true; // everyone can log out } break; case Money: // you need the finance role to see this entire controller/section if ($this->userHasRole(finance)) { return true; } default: // by default, all logged in users have access to everything if (!empty($user)) { $authorized = true; } break; } return $authorized; } protected function userHasRole($role) { if (isset($this->_user[roles]) && in_array($role, $this->_user[roles])) { return true; } return false; }}
There are a few things to look at here. For simple starters, look at the userHasRole helper method—this is just to let me quickly look up if this user has this role. By separating it out, the flow of the actual logic is a bit more readable—and, if we ever change how roles work, it only needs to change in one place!
The main method starts by assuming that the user does not have access, and by storing the user into a property (to be used by the helper method). If youre an admin, you always have access, so you can really quickly return true if thats the case. If not, then Ive tried to include examples of limiting access by whole controller and by specific action (everyone should be able to log out, if only to avoid error messages when someone tries to click on "log out" after their session has expired). In this system, we want most things to be accessible to everyone so thats the default; there are just a few specific instances where a particular role will be needed for specific sections. Notice the defensive approach. You dont have access unless the logic finds a reason to give it to you!

Going Further

This works well for my application, particularly because users can have multiple roles and the admins themselves can manage who has what. Since we have very simple requirements, the logic is just held in code; its easy to follow and understand, but it means that only the developers of the system can change what each role can access, and therefore as discussed, roles are managed by database patch so that the roles in the database will match the ones the code expects. A more complex system would probably need per-role, per-action permissions stored in the database to determine who has what. This would have the advantage of being maintainable without a code change, if thats important in your situation.
I also mentioned that Id like to use the permissions system to check if a navigation link should be displayed. CakePHP doesnt offer this by default but I think its something Id like to add to my own application over time.
Hopefully, this example serves as a basis for someone implementing ACL in CakePHP3, I found that there arent a lot of examples so heres at least one that we can refer to—I had a lot of great support from the #cakephp IRC channel on freenode as well, so thats a good place to go if you still have questions.

No comments:

Post a Comment