I am part of a team creating a web application using PHP and MySQL. The application will have multiple users with different roles. The application will also be used in a geographically distributed manner. Accordingly we need to create an access control system that operates at the following two levels:
- Controls user permissions for specific php pages i.e. provides or denies access to specific pages (or user interface elements) based on the user’s role. For example: a user may be allowed access to the “Students” page but not to the “Teachers” page.
- Controls user permissions for specific database records i.e. modifies database queries so that only specific records are displayed. For example, for a user at the city level, only those records should be displayed that relate to the user’s particular city, while for a user at the national level, records for ALL CITIES in the country should be displayed.
I need help on designing a system that can handle both these types of access control. Point no. 1 seems to be simple enough. However, I am completely at a loss on how to do point number 2 without hardcoding the information in the SQL queries.
Any help would be appreciated.
Thanks in advance
Vinayak
Advertisement
Answer
I was in similar situation few months ago. I found that tools like Zend_ACL work great if you just check access level to single item (or reasonably low number of them). It fails when you need to get a huge list of items the user is allowed to access. I crafted custom solution to this problem using Business Delegate pattern. BD provides business logic that can be applied in specific context. In this scenario a SQL logic was delivered and used as filtering condition in subselect. See the following diagrams:
(source: epsi.pl)
And sequence diagram that illustrates calls order:
(source: epsi.pl)
I blogged about this solution, unfortunately it’s all in Polish, but you may find pieces of code and diagrams handy. What I can say, the implementation is not a piece of cake, but performance-wise it’s a champion when compared to iterative access checking for each element on the list. Moreover, the infrastructure above handles not only one type of items on the list. It can serve when accessing different lists, be it list of cities, countries, products, or documents as long as items on the list implement IAuthorizable interface.