I've been thinking about the web app I'm about to begin developing and wondering whether my usual approach could be improved.

In my last few apps I've created a table (see below) of roles (such as CREATE POST, EDIT POST etc.) which each have a bitfield applied to them so I can simply assign a user certain rights in registration and check them later on (e.g. $user->hasRight(CREATE_POST)).

I'm wondering if there's a better approach to this. It's certainly confusing when the rights aren't specifically linked to the user (I could have a table where each right is a boolean column but that only sounds like a small improvement) - and what happens if I change some around?

I'm not looking to use standard libraries (the app itself is a learning experience for me: using postgresql, git etc.) although I'm perfectly happy to take inspiration from them to construct my own - so if there's something special you think I should take a look at please say so :)

+2  A: 

That's basically the same approach I take in my own web apps (and a bit of trial and error has gone into that for me). The only difference is, I'd probably use a table which has the different permissions as columns, so that if you want to add more permissions later on, you can. Using bits in an integer limits you to a fixed number of permissions, namely as many bits as there are in the integer. Typically that would be 32 which I suppose is probably enough, but I prefer not to limit myself that way.

For what it's worth, that's also the model that phpBB uses (permissions as table columns), and if it's good enough for arguably the most popular PHP web app, it's probably good enough for you ;-)

David Zaslavsky
I like the idea of using a table for ACL. Do you think you can advise me on how to design this the correct way to achieve ACL? So I have a table `Project` that has a one-to-many relationship with `Drawing`, and a table USER. Let's say that we have projects `A` and `B`, which have many drawings in them. How can I design it so that I can allow one user to view only A, one user to view only B, and one user to view both?
Harry Pham
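As an added illustration (not code from the question or this answer), here is the bitfield check the question describes, with the caveats raised above: bit values are stored data and must never be renumbered, an integer caps the number of rights at the platform's bit width, and a per-row rights table avoids that cap. Class and constant names are assumed.

```php
<?php
// Rights as explicit powers of two. The numeric values are persisted in the
// users table, so an existing constant must never be renumbered: doing so
// silently changes the meaning of every stored bitfield.
final class Right {
    const CREATE_POST = 1 << 0;
    const EDIT_POST   = 1 << 1;
    const DELETE_POST = 1 << 2;
    const BAN_USER    = 1 << 3;

    // Usable bits in a PHP int (sign bit excluded): 31 on 32-bit, 63 on 64-bit builds.
    public static function maxBits(): int { return PHP_INT_SIZE * 8 - 1; }

    // Guard for newly added constants: refuse a bit that does not fit the int.
    public static function assertFits(int $bitIndex): void {
        if ($bitIndex >= self::maxBits()) {
            throw new RangeException("Bit $bitIndex exceeds the " . self::maxBits() . "-bit limit");
        }
    }
}

final class User {
    private int $rights;
    public function __construct(int $rights = 0) { $this->rights = $rights; }
    // All requested bits must be set, so hasRight(CREATE_POST | EDIT_POST) demands both.
    public function hasRight(int $right): bool { return ($this->rights & $right) === $right; }
    public function grant(int $right): void { $this->rights |= $right; }
    public function revoke(int $right): void { $this->rights &= ~$right; }
    public function rights(): int { return $this->rights; }
}

// Alternative from the answer: a rights table keyed by (user_id, right_name), so
// adding a right is a new row, not a new bit. Assumed schema, held in memory here.
final class RightsTable {
    private array $rows = [];
    public function grant(int $userId, string $right): void { $this->rows[$userId][$right] = true; }
    public function revoke(int $userId, string $right): void { unset($this->rows[$userId][$right]); }
    public function has(int $userId, string $right): bool { return isset($this->rows[$userId][$right]); }
}

Right::assertFits(3);
$editor = new User();
$editor->grant(Right::CREATE_POST | Right::EDIT_POST);
var_dump($editor->hasRight(Right::EDIT_POST), $editor->hasRight(Right::DELETE_POST));
$table = new RightsTable();
$table->grant(42, 'edit_post');
var_dump($table->has(42, 'edit_post'), $table->has(42, 'ban_user'));
```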
+1  A: 

I'm sure you've found phpgacl already, but here's a link in case you haven't. It can be a little rough to wrap your head around at first, and certainly the library is tricky (time consuming) to implement into a project, but the documentation and demo are EXCELLENT reference points.

PHP Generic Access Control Lists

Adam
I hadn't but it certainly looks interesting.
Ross
+1  A: 

You could take a look at the documentation of Spring Security (formerly Acegi), which is a widely used Java ACL framework.

The documentation is exhaustive and also describes the various considerations made in the design of both authentication and authorization. Even without using Java it is worth reading.

You can view the index page to get an overview and an impression of what Acegi does (and does not) do. You can also skip right to the authorization concepts or even to the database schema.

extraneon
+1  A: 

The Zend Framework has an ACL which is similar to what you're trying to do.

OIS
+1  A: 

ACL approaches in web applications, in general, have been discussed, for example here.

dblock