FuelPHP Forums
OrmAuth
  • How can groups and permissions be created?

    Thanks
  • by inserting them in the table?

    It's ORM driven, so something like:

    $group = \Model\Auth_Group::forge(array('name' => 'New group'));
    $group->save();

    There is no ready-made frontend if that is what you're looking for. Frontends are very application specific, and not part of the framework.
  • Oh yes, are permissions assigned the same way?

    And can you help with the tables?

    1. users_groups: why is there a user_id column?
    2. users_permissions: can you please provide an example of a table row? The same question about the user_id column.
    3. users_roles: the same questions as for users_permissions, and what is the meaning of the filter column?

    Sorry if I asked stupid questions ) Just want to understand how ormauth works
  • And one more question: how can I get a list with all users + metadata?

    $users = \Model\Auth_User::query()->related('metadata')->get();

    how to get metadata via eav?
  • The user_id column in the tables records the id of the user that last changed the record. This is added for audit purposes; together with the updated_at column you know who changed what when...

    For User_Permissions:

    $permission = \Model\Auth_Permission::forge(array(
        'area' => 'modulename',
        'permission' => 'controllername',
        'description' => 'Access to modulename\controllername',
        'actions' => array('list', 'add', 'edit', 'delete', 'modify'),
    ));
    $permission->save();

    When assigning this permission to a user, a group, or a role, you can have the administrator select the appropriate actions, which are then stored in the user_user_permissions, user_group_permissions, or user_role_permissions tables, which contain the effective assigned rights.

    For example a role could have the 'list' right (i.e. show an index page with a table), but not the other actions.

    In the application you can then check:

    if ( ! \Auth::has_access('modulename.controllername[list,delete]'))
    {
        // this user does not have the rights to the 'list' and 'delete' actions of the modulename.controllername permission
    }

    And that query will get you all users with all metadata. You can access it like any other has_many relation:

    foreach($users as $user)
    {
        var_dump($user->metadata); // dumps all metadata records
    }
  • Let's imagine we have 2 users with 'name' and 'phone' metadata

    foreach ($users as $user)
    {
        var_dump($user->metadata);
        // how can I retrieve the fields?
        // I have $user->metadata[1]->key = name
        // and $user->metadata[1]->value = John
        // and $user->metadata[2]->key = phone
        // and $user->metadata[2]->value = 564-8990
        // maybe it can be done something like $user->metadata['name']->value?
    }

    I see how eav works if I select one record, but how can I access the key=>value if I select several records? Maybe I didn't understand it right?
  • // gives you John
    echo $user->name;

    // gives you 564-8990
    echo $user->phone;

    So the key value of the EAV pair will become the property name. To access the EAV attributes you don't need the metadata relation, it's only needed if you want to retrieve all keys at once. Because it's a property on an object, it's always per object.

    What exactly do you mean by "select several records"?

  • Just what I need. Thank you very much!

    And the last question :)

    the field 'filter' at users_roles table, what does it mean?

    `filter` enum('','A','D','R') NOT NULL DEFAULT '' 
  • These are special permission modifiers.

    A = All access. A person that has a role with this modifier will have access to everything, in other words has_access() will always return true. By default this is used for the SuperAdmin role.

    D = Deny all access. A person that has a role with this modifier will have no access at all, in other words has_access() will always return false. By default this is used for the Banned role.

    R = Revoke. The permissions assigned to this role will be revoked from this user, even if the permission has been assigned to the user via other means (other role, group or user permissions)
  • How can I check permissions for a specified user ID? I use the ORM auth driver.

    I think this example: http://fuelphp.com/docs/packages/auth/types/acl.html#/method_has_access has misplaced brackets.

    Should this work: Auth::acl()->has_access('comments.create', array('Ormauth', 1)) for user ID 1?
  • Auth only operates on the current logged in user, there is no method to do anything on a specific user id.
  • How about a workaround:

    Auth::force_login($other_user_id);
    Auth::has_access($condition);
    Auth::force_login($original_user_id);

    That works I think, just want to make sure I don't mess something up that I'm not aware of now.
    And... it actually does, hmm... It logs the user out...
  • That should work fine, but it's indeed very clumsy. I have to take this into account for Auth v2.
  • I actually had to heavily modify ormacl.php to make it work for me. Not sure if I do not fully understand your ACL, but I had problems when I would store multiple group and role permissions. There's a break there in the foreach loops when calculating array_intersect that will break processing of all my entries once the first is matched.

    Also, using action indexes instead of the full action names, as when creating the original permissions, is quite hard to debug when looking at database rows. So I chose to go with JSON instead of serializing permissions and full action names, which helps me debug the application.

    So I have it finally working as needed now for my purposes, with the exception of the GUI that I created to manage users' permissions, because I have no way now to verify a given user's permissions with the has_access method without logging the user out of the app.

    I know I can do it by querying the model, but the reason I would prefer has_access is that it gives me a true reflection of how the permission check is being processed vs how they are supposed to be.
  • Are you sure you're on the latest codebase? These issues have been fixed quite some time ago.

    Ormauth was developed for our applications, and added to the framework later. The reason it doesn't have a check on an arbitrary user is two-fold: none of the Auth classes support something like that, and we've never had a use for it.

    Our admin backend has a GUI that works fine for users, groups, roles and permissions, without the need for such a check. In its default skin it looks like this:
    http://i.imgur.com/YSrGnq9.png http://i.imgur.com/PaW84s4.png
  • I was using the official 1.7 framework, where I installed the auth package with oil.
    My GUI has a list of specific permissions per controller and action that I need to be able to modify per user individually, and the has_access method would be best to confirm that specific permissions have or have not been granted, especially when they combine with role and group permissions etc.

    I am wrapping up some work on this app within the next few days, so I will share the screenshots to illustrate it for reference here. Thanks for all your help!
  • For next time, when you bump into issues, always check the latest development branch to see if it is already addressed. We don't release new versions for every bug fixed.

    If your GUI is constructed properly, there is no need to verify the rights using a has_access call? It would require calculating that user's effective rights, which is quite a complex task.

    I've been trying to get our admin backend open sourced, but so far no go, it's seen as a company asset, the Ormauth stuff was the most I could get out of it.
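
The A, D and R role filters explained earlier in this thread, and the "effective rights" calculation mentioned in the last reply, sketched as an added example (not part of any post and not Ormauth's code). The array layout, the function names and the choice that D overrides A are assumptions of this sketch; it handles only the bracketed `area.permission[actions]` condition form shown above.

```php
<?php
// Added illustration of the A / D / R role filters described in this thread.
// Not Ormauth's code: the array layout and function names are hypothetical.

// Split 'area.permission[action,...]' into ['area.permission', [actions]].
function parse_condition(string $condition): array
{
    if (!preg_match('/^([\w-]+\.[\w-]+)\[([^\]]+)\]$/', $condition, $m)) {
        throw new InvalidArgumentException("Malformed condition: $condition");
    }
    return [$m[1], array_map('trim', explode(',', $m[2]))];
}

// $grants: actions granted directly or via groups, keyed by 'area.permission'.
// $roles:  list of ['filter' => ''|'A'|'D'|'R', 'grants' => same shape as $grants].
function effective_access(array $grants, array $roles, string $condition): bool
{
    [$key, $wanted] = parse_condition($condition);
    $filters = array_column($roles, 'filter');
    if (in_array('D', $filters, true)) {
        return false;               // assumption: D beats A (fail closed)
    }
    if (in_array('A', $filters, true)) {
        return true;                // all access, nothing else is consulted
    }
    $granted = $grants[$key] ?? [];
    $revoked = [];
    foreach ($roles as $role) {     // visit every role, no early exit
        $actions = $role['grants'][$key] ?? [];
        if ($role['filter'] === 'R') {
            $revoked = array_merge($revoked, $actions);
        } else {
            $granted = array_merge($granted, $actions);
        }
    }
    // Every requested action must be granted somewhere and not revoked.
    return array_diff($wanted, array_diff($granted, $revoked)) === [];
}

// Constructed sample data.
$direct  = ['blog.posts' => ['list', 'delete']];
$editor  = ['filter' => '',  'grants' => ['blog.posts' => ['add', 'edit']]];
$trainee = ['filter' => 'R', 'grants' => ['blog.posts' => ['delete']]];
$banned  = ['filter' => 'D', 'grants' => []];
$super   = ['filter' => 'A', 'grants' => []];

var_dump(effective_access($direct, [$editor], 'blog.posts[list,delete]'));
var_dump(effective_access($direct, [$editor, $trainee], 'blog.posts[list,delete]'));
var_dump(effective_access($direct, [$editor, $trainee], 'blog.posts[list,edit]'));
var_dump(effective_access([], [$super, $banned], 'blog.posts[list]'));
```

Because the function takes the grants and roles as plain arrays, it can be fed the rows of any user loaded through the ORM without touching the logged-in session.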
