
FuelPHP Forums

SimpleAuth ACL and modules
  • I want to know the proper way to configure the SimpleAuth ACL when using modules, since this ACL has the form:
    <code>
    'roles' => array(
        'role' => array(
            'controller' => array('action1', 'action2', etc)
        )
    )
    </code>
    and it seems 'module' can't be established. Also, is there a way to easily get the current module, controller, action and params from the current request?
    Thanks in advance
  • <code>
    Request::active()->module;
    Request::active()->controller;
    Request::active()->action;
    </code>
    The construction of the ACL is entirely up to you. I for one use functional roles, which are not linked to physical pieces of code. You pass the data to check yourself, so you have to think about how you are going to code module names into it. In FuelPHP, we commonly use the notation "module::controller", maybe you could use that?
  • Thanks WanWizard.
    Request::active()->controller has to be cleaned up a little, since it gets the class name instead of the matching URI segment. <quote>I for one use functional roles, which are not linked to physical pieces of code</quote>
    Can you expand on this a bit more? ACLs are always a headache for me. Thanks again.
  • As the name says, it returns the controller name, which is a class name. There is no direct mapping from the URI to a controller name. It might be the case if you're not routing and don't use folders or namespaces in your app, but there isn't in all other cases. FuelPHP allows you to map a URI like /this/that/theother/here to a controller called "theother" in the namespace "\This\That", or to use "\Controller\Name" (class Name in the namespace Controller) instead of class Controller_Name. If you want segments, use Request::active()->uri->segment() or Request::active()->uri->segments(). This question has been answered several times. When it comes to ACLs, you should not use the segment, as it is not unique. If you want a unique mapping, you need both the namespace and the class name mapped. Besides this, your ACLs are going to get very complex if you use this system and your application grows, both in terms of code and of user groups or roles. Define your roles, map roles to functional names, and names to rights. Like in the example:
    <code>
    * Regular example with role "user" given create & read rights on "comments":
    *   'user'  => array('comments' => array('create', 'read')),
    </code>
    then you check in your code if the user has 'create' rights on the function 'comments'. It will make it very clear, both in the ACL definitions and in your code, what is meant by this.
  • Thanks WanWizard,
    the problem with using uri->segment is that you can't identify which segment corresponds to what.
    Say you have this route: /content/blog/last. The options are: content is a module, blog the controller and last the action; or you can have a content controller, a blog action and last as a parameter. Similar problem (not tested) if you are using subfolders for placing the controllers. So, when trying to build the $condition for the acl::has_access method, using uri->segment/s is not suitable. Another issue is that Uri::segments gives you the URL as written in your browser. When using ACL (at least in the project I'm working on) I found the rerouted URI is a more effective way to control user access. Thanks again for replying.
  • That's why I wrote that you should not rely on it. And you should not do that either on a controller name. What will happen if you protect or give access to your controller hardcoded, and I do this:
    <code>
    class Controller_Blog2 extends Controller_Blog {}
    </code>
    If I call this one, all of a sudden your ACL system doesn't work anymore, because your ACLs are handcoded on the controller name 'blog'. Now, if you follow my suggestion and go the functional route, you will check if the user has_access() to 'blog.read' (is allowed to read blogs). No matter what I do, the code is only executed if the user has that right. Also, a lot of people misuse the before() method to add these checks. So then I do
    <code>
    class Controller_Blog2 extends Controller
    {
        public function action_index()
        {
            // instantiating the other controller directly bypasses
            // the has_access() check in its before() method
            $controller = new Controller_Blog($this->request, $this->response);
            return $controller->action_yours();
        }
    }
    </code>
    And again your access system is useless...
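    Putting WanWizard's two points together (functional roles instead of controller names, and a check that sits inside the action rather than only in before()), the following is an added example written for this page; it is not code from the thread or from FuelPHP itself. It shows two files in one block: an excerpt of fuel/app/config/simpleauth.php and a controller. The area name 'blog', the rights read/create/update/delete, the role and group names, and the view names are all assumptions for illustration.

```php
<?php
// Added example (not from the thread). Two files are shown in one block,
// separated by the "=====" markers; copy each part into the file it names.

// ===== fuel/app/config/simpleauth.php (excerpt; db_connection, table_name
// ===== and the other keys of the real config file are omitted here)
return array(
    // Groups are what a user record carries; each group gets a list of roles.
    // Group ids 0, 1 and 100 mirror the defaults shipped with SimpleAuth.
    'groups' => array(
        0   => array('name' => 'Guests',         'roles' => array('guest')),
        1   => array('name' => 'Users',          'roles' => array('guest', 'user')),
        100 => array('name' => 'Administrators', 'roles' => array('guest', 'user', 'admin')),
    ),

    // Roles map to functional areas and rights, never to a controller, module
    // or URI segment. 'blog' is an assumed area name; a module-qualified area
    // such as 'content::blog' (the notation suggested in the thread) works the
    // same way, since the check is a plain string lookup.
    'roles' => array(
        'guest' => array('blog' => array('read')),
        'user'  => array('blog' => array('create')),
        'admin' => array('blog' => array('update', 'delete')),
    ),
);

// ===== fuel/app/classes/controller/blog.php
class Controller_Blog extends Controller
{
    // Deliberately no before() check: a subclass, or another controller that
    // instantiates this class and calls an action directly, never goes through
    // the router, so a before() check would be skipped. Each action checks the
    // functional right it needs, which is what the thread recommends.

    public function action_index()
    {
        // 'blog.read' means: right 'read' on area 'blog', merged over all
        // roles of the current user's group (guests get it via 'guest').
        if ( ! Auth::has_access('blog.read'))
        {
            return Response::forge('Forbidden', 403);
        }
        return Response::forge(View::forge('blog/index'));
    }

    public function action_create()
    {
        if ( ! Auth::has_access('blog.create'))
        {
            return Response::forge('Forbidden', 403);
        }
        // ... validate input and save the post ...
        return Response::forge(View::forge('blog/create'));
    }

    public function action_delete($id = null)
    {
        if ( ! Auth::has_access('blog.delete'))
        {
            return Response::forge('Forbidden', 403);
        }
        // ... delete the post identified by $id ...
        return Response::redirect('blog');
    }
}
```

    With this layout the earlier Controller_Blog2 trick gains nothing: whether the action is reached through the router, through a subclass or through a direct `new Controller_Blog(...)`, the right is checked in the action body, and renaming or re-routing the controller does not change which right it asks for.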
