Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
OrmAuth database structure
  • ptlptl
    Hi. I found column, named "user_id" in the users_groups table. Could you explain, what I should place there on adding a new group?
  • HarroHarro
    Accepted Answer
    You shouldn't. The ORM models will take care of that.

    It's a remainder of our application framework (which is the basis of Ormauth), and which stores the user_id of the user that created or last updated the record.

    You can safely ignore it if you are not interested in that feature.
  • ptlptl
    Where can I find the howto for creating custom permissions?
  • HarroHarro
    What do you mean by "custom permissions"?
  • ptlptl
    For example:
     1) access for group# 4 to whole controller "orders"
     2) access for group #5 to actions "index" and "import"  of "orders" controller only
    What should I put to users_permissions table?
    Maybe there is some easy way to manage permissions?
  • HarroHarro
    Accepted Answer
    There is only one permissions table, 'users_permissions' (by default).

    It contains an area, permission and a possible array of actions, which together define the permission. For example: area=finance, permission=invoice, action=array('create', 'update', 'delete', 'print', 'email')

    We use it like this, where area is a business function in the application, permission is a task within that function, and action the possible actions that can be performed in a task. But you can also use it to store module and controller, or controller and action. It's entirely up to you, they are just columns.

    You can then check Auth::has_access('finance.invoice[create,update]') in your controller, to see if the current user has the required permission. If the current user had the permission in the example above, the result would be true.

    There is a many-to-many relation between Group and Permission, using the users_group_permissions. The Auth package provides an ORM model for all entities used by Ormauth (User, Group, Role, Permission), so you use standard Orm model methods to fetch a Group object, create a permission object, and relate the two. Once related you have assigned the permission to the group.
  • ptlptl
    Thanks
  • ptlptl
    Hi. Now I have another problem.
    I created user, group and permission for group using Active record.
    But method Auth::has_access('product.size') allways returns false.
    Here is dump of Auth\Model\Auth_Permission object
    protected '_data' =>
    array (size=8)
    'area' => string 'product.size' (length=12)
    'permission' => string 'A' (length=1)
    'description' => string 'controller.action access' (length=24)
    'actions' =>
    array (size=0)
    empty
    'user_id' => string '2' (length=1)
    'created_at' => string '1381780797' (length=10)
    'updated_at' => string '0' (length=1)
    'id' => string '1' (length=1)
    Can you tell what is wrong with this permission?
  • HarroHarro
    Accepted Answer
    You can't have a dot in the area.

    has_access() will split that into area="product", permission="size", causing this not to match.
  • ptlptl
    Great thanks! Now it works. But I can't to flush cache after permission's change.

    I am using those methods after $group->save(); call:

    \Cache::delete(\Config::get('ormauth.cache_prefix', 'auth') . '.permissions');
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'auth') . '.groups');
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'auth') . '.roles');

    /config/ormauth.php:
    ...
    'cache_prefix' => 'auth', 

    What else I should delete to flush group permissions?

  • ptlptl
    And one more thing
    I receive exception when I trying to add group to permission:
    $permission->groups[] = $group;
    $permission->save();

    Fuel\Core\Database_Exception [ 42000 ]: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '), '4')' at line 1 with query: "INSERT INTO `users_group_permissions` (`actions`, `group_id`) VALUES ((), '4')"
    How can I fix this issue?
  • ptlptl
    I also tried to remove all permissions of current group:
    $group = Auth\Model\Auth_Group::find($groupId);
    $group->grouppermission = array();
    $group->save();

    Relations still exists in database. What is the problem?
  • HarroHarro
    You only need to flush groups if you changed a group (added/modified/deleted), not if you only changed permissions. Same for roles.

    If you delete a group or a role, you should flush the permissions, as effective rights may have changed. And after a permission change offcourse.


  • HarroHarro
    The relation between group-permission and role-permission isn't a standard many-many, that relation is only provided for quick lookups, but should be used read-only.

    You add permissions using grouppermission and rolepermission, so the action field can be set properly.
  • HarroHarro
    Does this work?

    $group = Auth\Model\Auth_Group::find($groupId);
    unset($group->grouppermission);
    $group->save();
  • ptlptl
    The only problem that I can't to fix now is caching permissions.
    When I comment out try-catch block in has_access() method of Auth_Acl_Ormacl class - permissions always are actual, but every page generates 7 queries. How to flush permission's cache for all logged in users?

    FuelPHP disapoints me more and more... :(
  • HarroHarro
    Don't blame the framework for not understanding something or for doing something wrong. ;)

    You only need to flush permissions if you update something, which I assume you would do in an admin interface.

    You flush permissions for a single user when you change the permissions for that user. You flush all permissions when you make permission changes for groups or roles. You flush the group or role cache when you make changes (add/edit/delete) to groups or roles.

    Standard data caching techniques.
  • HarroHarro
    You flush the cache of a single user like so:

    // flush the cached permissions, they might have been changed
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'admin').'.permissions.user_'.$user->id);

    You flush all permissions like so:

    // flush the cached permissions, they might have been changed
    \Cache::delete_all(\Config::get('ormauth.cache_prefix', 'admin').'.permissions');

    You flush the group and role cache like so:

    // flush the group and role cache
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'admin').'.groups');
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'admin').'.roles');

  • ptlptl
    Look...

    $group->permissions = array();
    $group->save();
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'auth') . '.permissions');
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'auth') . '.groups');
    \Cache::delete(\Config::get('ormauth.cache_prefix', 'auth') . '.roles');

    After execution of this code database entries are gone away but users of this group still have access, even after relogin. Now tell me, what I don't understand or what I'm doing wrong?
  • HarroHarro
    Accepted Answer
    Ah, wait. 'permissions' is a folder name, containing the cache files per user. Could be you need to do:

    \Cache::delete_all(\Config::get('ormauth.cache_prefix', 'auth') . '.permissions');
  • HarroHarro
    Accepted Answer
    Just verified here, it should indeed be delete_all(). Sorry for the confusion.

    I'm now going to kick one of my employees, because I stole those lines from his code... ;-)
  • ptlptl
    Thank you very much!
    Sorry, for my aggression.
    You should fix this mistake in documentation:
    http://fuelphp.com/docs/packages/auth/ormauth/intro.html#/caching
  • HarroHarro
    Done.
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion