Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
ACL
  • Hi everyone,
    I need to do a screen to manage permissions. Someone knows some toturial to help me. Is there any way to read existing modules to view and configure access to it?

    Thanks
  • Harro VertonHarro Verton
    Accepted Answer
    Afaik there is no open source code available for a frontend for OrmAuth, which is the standard way of defining ACL's.
  • Thanks you for your answer Harro.
  • Is the users_role_permissions table used by the Auth library?

    I am creating a
    screen where it will be possible to select which actions a group can
    execute, but I do not know if it is possible to save this type of
    configuration in the existing tables of the Auth library.
    If it is possible, could you explain it to me?

    Thank you
  • Harro VertonHarro Verton
    Accepted Answer
    Yes, all permissions tables are used by the Auth library. The OrmAcl class will compile the users effective rights using all of them (so direct assigned permissions plus group and role assigned permissions).

    The way permissions work is documented here: http://fuelphp.com/docs/packages/auth/ormauth/intro.html#/acl. It also shows you how permissions are stored. Here you can see how the permissions are determined: https://github.com/fuel/auth/blob/1.9/develop/classes/auth/acl/ormacl.php#L109

  • When i create a new group, should i create a new row in users_group_roles ?

  • Harro VertonHarro Verton
    Accepted Answer
    Check the definitions of the models in the Auth package.

    There are a lot of relations defined by the models. The first link to the docs in my previous post lists them all. There is a many-many relationship between Group and Roles, which is defined using the through table "user_group_roles". It allows you to assign roles to a group of users, instead of to a user directly.

    You use standard model commands, for example to assign users to a group, and a group to a role:

    // get a "random" user, a group and a role
    $user = \Auth\Model_User::find(1);
    $group = \Auth\Model_Group::find(1);
    $role = \Auth\Model_Role::find(1);

    // make the user part of the group
    $group->users[] = $user;

    // assign the role to the group
    $group->roles[] = $role;

    // update the group
    $group->save();

    So there is no need for manual table updates, everything is done through normal ORM calls.
  • Harro VertonHarro Verton
    Accepted Answer
    To add to the above:

    Permissions are also assigned via ORM relations. So for example you could have a permission record for "app.forum", with actions "read", "post", "edit", "moderate", "delete", "move", "merge", etc...

    You can simply assign a permission using:

    // get a "random" user and permission
    $user = \Auth\Model_User::find(1);
    $permission = \Auth\Model_Permission::find(1);

    // assign the permission to the user
    $user->permissions[] = $permission;

    // and save it
    $user->save();

    This will allow you to use \Auth::has_access('app.forum') in your code, which will now return True for this user (assuming this permission record has id #1).

    If you want to limit access to a subset of actions, say only "read" and "post", you do:

    // get the user permission record
    $userpermission = \Auth\Model_Userpermission::query()
        ->where('user_id', '=', $user->id)
        ->where('perms_id', '=', $permission->id)
        ->get_one();

    // define the permissions we want to assign
    $wanted = array('read', 'post');

    // assign them
    $userpermission->actions = array_keys(array_intersect($permssion->actions, $wanted));

    // update the record
    $userpermission->save();

    Now you can check if the user has add rights using \Auth::has_access('app.forum[add]'), or add and post rights using \Auth::has_access('app.forum[add,post]').
  • Thanks Harro, your tips helped me a lot.
  • Hello Harro,
    I create a permission with read, create, edit and delete.

    I've created a user perm
    $userpermission = \Auth\Model_Userpermission::query()
        ->where('user_id', '=', $user->id)
        ->where('perms_id', '=', $permission->id)
        ->get_one();

    $wanted = array('read', 'create');

    $userpermission->actions = array_keys(array_intersect($permssion->actions, $wanted));

    $userpermission->save();

    But \Auth::has_access('app.forum[add,post]') always return false. I already deleted the auth cache, but it continues to return false.



  • Harro VertonHarro Verton
    Accepted Answer
    Isn't that logical, as there is no "add" or "post" permission? And of the 4 possible actions, only "read" and "create" are set on this user permission.

    So "app.forum", "app.forum.read", "app.forum.create" and "app.forum[read,create]" should return true, all others should return false.

    And yes, you do have to flush the auth cache, at least for this user, when you change the permissions.
  • My mistake, i dont have post action.

    I have Admin as Area and Group as permissions and read, create, edit and delete actions.

    I have created a user with read/create perm, then in my controller i'm calling \ Auth :: has_access ('admin.group [read]'), but it is returning false.
    I also tried \ Auth :: has_access ('admin.group [read,create]'), but result was the same.
  • Harro VertonHarro Verton
    Accepted Answer
    Are you on the latest 1.8? Did you run a composer update to be sure?

    And there should not be a space between "group" and the "[", perhaps that is the problem?
  • Harro VertonHarro Verton
    Accepted Answer
    And what does \Auth::has_access("admin.group") return, so without the action checks?
  • With \Auth::has_access("admin.group") works fine.
    I'm on latest version

    I'm using in this way, but with action check \Auth::has_access return false

    if (\Auth::has_access('admin.group[read]')) {
        echo "Allowed access";
    }
  • Harro VertonHarro Verton
    Accepted Answer
    Can you post the contents of the action colomn from both the permission record and the relation record (in serialized form), so I can have a look at it?
  • Harro VertonHarro Verton
    Accepted Answer
    It should be:

    Permission: a:4:{i:0;s:4:"read";i:1;s:6:"create";i:2;s:4:"edit";i:3;s:6:"delete";}
    Relation: a:2:{i:0;i:0;i:1;i:1;}

    given your previous input.
  • I took this part of the code in ormacl file, I took this part of the code in oracle file, and I noticed an array_flip command.
    I removed the array_flip, and \Auth::has_access('admin.group[read]') worked fine.

    My serialized relations with array_flip a:3:{i:0;a:1:{s:5:"admin";a:1:{s:5:"group";a:0:{}}}i:1;a:0:{}i:2;N;} .
    Without array_flip a:3:{i:0;a:1:{s:5:"admin";a:1:{s:5:"group";a:2:{i:0;s:4:"read";i:1;s:6:"create";}}}i:1;a:0:{}i:2;N;}, read and create actions are allowed.

    // Group check code
    $current_rights[$permission->area][$permission->permission] = array_merge(
    $current_rights[$permission->area][$permission->permission],
    array_intersect_key(
    $permission->actions ?: array(),
    array_flip($grouppermission->actions ?: array())
    )
    );
  • This is my actions in users_permitions   a:4:{i:0;s:4:"read";i:1;s:6:"create";i:2;s:4:"edit";i:3;s:6:"delete";}
  • Harro VertonHarro Verton
    Accepted Answer
    and what is the contents of the actions column in users_user_permissions? Or users_group_permissions if your premissions are assigned to a group instead of a user?

    If you have to remove array_flip(), to get it to work, it suggests that value is wrong.
  • In my users_group_permissions have this values: 

    # id, group_id, perms_id, actions
    1, 5, 1, a:2:{i:0;s:4:"read";i:1;s:6:"create";}


  • Harro VertonHarro Verton
    Accepted Answer
    that is not correct, that should be an indexed array of key values.

    [wanwizard@catwoman] $ php -a
    Interactive shell

    php > $permission = array('read', 'create', 'edit', 'delete');
    php > $wanted = array('read', 'create');
    php > $actions = array_keys(array_intersect($permission, $wanted));
    php > var_dump($actions, serialize($actions));
    php shell code:1:
    array(2) {
      [0] =>
      int(0)
      [1] =>
      int(1)
    }
    php shell code:1:
    string(22) "a:2:{i:0;i:0;i:1;i:1;}"

    So you went wrong somewhere...
  • Hello Harro,
    You are absolutely right, I made a mistake when saving group permissions,
    I was storing in this way $ permission = array ('read', 'create', 'edit', 'delete').
    Thanks for your help, everything is working very well,

    cheers
  • Harro VertonHarro Verton
    Accepted Answer
    Cool, thanks for the feedback.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion