PHP permission Control System-phpgacl


The design of permission control has always been a topic of discussion in system development and framework design: how do we design permission control that is simple, effective, and fine-grained?

Translated from the phpgacl User Manual

phpgacl is a set of functions that let any object (a user, a remote host) be granted or refused permissions on other objects (a page, a database). phpgacl provides mature permission control, simple administration, and good speed. Most importantly, it is fully open source and can be obtained from the address below. http://

To run it, you first need a relational database to store the permission data. phpgacl connects to the database through ADOdb, so it can easily use MySQL, PostgreSQL, Oracle, and others. The ACL system in Joomla is a lightly modified phpgacl: at the database layer, Joomla dropped ADOdb and stores the data through Joomla's own database abstraction class instead.

Understanding permission control

The best way to explain permission control is with a concrete example rather than dry concepts. Han is the captain of the Millennium Falcon and Chewie is his second-in-command; the passengers are Luke, Obi-Wan, R2D2, and C3PO. Han needs to define access permissions for each compartment of the ship: the cockpit, the engine room, the lounge, and the weapons bay.

"Chewie and I have the right to go anywhere," said Captain Han, "but after an unusual hyperdrive repair I have barred Chewie from the engine room, and all the passengers are restricted to the lounge." The permission system we discuss from here on is essentially a Boolean one: each person's permission to enter each compartment is either allow or deny. There is no third case.

We can now describe this situation as a permission matrix, which shows who has the right to access what. See the matrix in the manual for details (O indicates allow, and X indicates deny).

The columns are the compartments Captain Han needs to control access to, and the rows are the people who need to access them. In abstract terms, the "compartment" is the thing whose access is controlled; we call it an access control object (ACO). The "person" is the thing that requires permission to access it; we call it an access request object (ARO). People need permission to enter compartments; in our terminology, AROs need permission to access ACOs. A third kind of object, the access extension object (AXO), is discussed later; it shares some attributes with the other two and together they form a permission entry.

Managing permissions with a permission matrix is relatively simple and has some advantages, but it also has disadvantages.
1. It can manage permissions for every individual in fine detail when needed.
2. Permissions are clear at a glance: to find out who may enter a room, look at the intersection of the person's row and the compartment's column.
3. It is hard to manage a large permission system. Four passengers and a handful of compartments make a tiny matrix, but with thousands of users and hundreds of rooms the matrix becomes very troublesome to manage and requires many precise, lengthy lookups. A permission matrix cannot manage such a system well.
4. Reporting is troublesome. The matrix above makes it obvious who may enter the engine room, but for the larger matrix below it is hard to tell.

Using phpgacl to define permissions

A permission matrix is not suitable for large permission systems, so we need a more suitable approach for the task, one that keeps the matrix's advantages while eliminating its disadvantages. phpgacl is a good solution.

phpgacl does not describe permissions as a matrix. Instead, it describes them in top-down order. It is a flexible system that lets users manage permissions with many groups, and it makes it easy to see who has permission to go where. phpgacl uses an ARO tree to define groups and ARO objects, with the same tree relationship as folders and files: a group is like a folder, and an ARO object is like a file.

Now we design an ARO tree for the people on Han's ship. First we classify them: Han and Chewie are crew, and the rest are passengers.
Crew (group)
├── Han (ARO)
└── Chewie (ARO)
Passengers (group)
├── Obi-Wan (ARO)
├── Luke (ARO)
├── R2D2 (ARO)
└── C3PO (ARO)

This tree by itself carries no permissions; it only classifies the ARO objects. Assigning permissions means attaching ACO objects, that is, the compartments, to groups or ARO objects on the ARO tree. "By default, no one is allowed to enter any room, but the crew can enter any room. Passengers can only enter the lounge," Han says.
Crew [Allow: All]
├── Han
└── Chewie
Passengers [Allow: Lounge]

Now we read this tree from top to bottom. The default permission is always deny, so the starting point for everyone, crew included, is that they are refused entry to every compartment. But Han says "the crew can enter any compartment", and that allow entry on the Crew group overrides the default, so in the end crew members may enter any compartment, while passengers may enter only the lounge. This describes permissions more clearly than the matrix: you can see who may go where, and why they have that permission (Han and Chewie can go anywhere on the ship because they belong to the Crew group).

To sum up

- Access control objects (ACOs) are the objects whose access we need to control, such as web pages, databases, or compartments.
- Access request objects (AROs) are the objects that require permission to access something, such as a person or a remote computer.
- The ARO tree defines the hierarchy of ARO objects and groups. A group can contain ARO objects or other groups.
- Access is denied by default on the ARO tree.
- Permission assignment principle: walk the ARO tree and, for each ACO object, assign an explicit permission to the relevant ARO object or group.
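As an added illustration that is not part of the manual or of phpgacl's own code, the PHP script below models the rules just summarised and the tree from the previous section: groups and ARO objects form a tree, allow or deny entries for a named ACO (or '*' for every ACO) are attached to a group or to an ARO, access is denied by default, and a request is resolved by walking from the ARO up towards the root so that the nearest entry wins. The AclTree class, its method names, the compartment names and the extra requester "Lando" are all constructed for this example; phpgacl itself keeps the tree and the ACL entries in a database through ADOdb and exposes a different API.

```php
<?php
// Constructed example: an in-memory model of the phpgacl ARO-tree rules
// described above. Not phpgacl's own code or API (phpgacl keeps the tree
// and ACL entries in a database through ADOdb); it only mirrors the
// semantics: default deny, entries on groups or AROs, nearest entry wins.
// Requires PHP 7.4+ (typed properties).

final class AclTree
{
    /** @var array<string, string|null> node name => parent group (null = top level) */
    private array $parent = [];
    /** @var array<string, array<string, bool>> node name => [ACO => allow?]; ACO '*' = every ACO */
    private array $acl = [];

    public function addGroup(string $name, ?string $parentGroup = null): void
    {
        $this->addNode($name, $parentGroup);
    }

    public function addAro(string $name, string $group): void
    {
        $this->addNode($name, $group);
    }

    /** Attach an explicit allow (true) or deny (false) for one ACO to a group or ARO. */
    public function addAcl(string $node, string $aco, bool $allow): void
    {
        if (!array_key_exists($node, $this->parent)) {
            throw new InvalidArgumentException("unknown node '$node'");
        }
        $this->acl[$node][$aco] = $allow;
    }

    /** May $aro access $aco? Unknown AROs and paths without any entry fall back to deny. */
    public function check(string $aco, string $aro): bool
    {
        $node = $this->decidingNode($aco, $aro);
        if ($node === null) {
            return false;                        // the default: deny
        }
        $entries = $this->acl[$node];
        return $entries[$aco] ?? $entries['*'];  // exact entry beats the wildcard on the same node
    }

    /** Same decision, with the reason the manual gives ("because they belong to the Crew group"). */
    public function explain(string $aco, string $aro): string
    {
        if (!array_key_exists($aro, $this->parent)) {
            return "$aro -> $aco: DENY (unknown ARO, default deny)";
        }
        $node = $this->decidingNode($aco, $aro);
        if ($node === null) {
            return "$aro -> $aco: DENY (no entry on the path to the root, default deny)";
        }
        $verdict = $this->check($aco, $aro) ? 'ALLOW' : 'DENY';
        $source  = $node === $aro ? 'entry on the ARO itself' : "entry inherited from group '$node'";
        return "$aro -> $aco: $verdict ($source)";
    }

    private function addNode(string $name, ?string $parent): void
    {
        if (array_key_exists($name, $this->parent)) {
            throw new InvalidArgumentException("duplicate node '$name'");
        }
        if ($parent !== null && !array_key_exists($parent, $this->parent)) {
            throw new InvalidArgumentException("unknown parent group '$parent'");
        }
        $this->parent[$name] = $parent;
    }

    /** Walk from the ARO towards the root; return the first node that says anything about $aco. */
    private function decidingNode(string $aco, string $aro): ?string
    {
        if (!array_key_exists($aro, $this->parent)) {
            return null;
        }
        for ($node = $aro; $node !== null; $node = $this->parent[$node]) {
            $entries = $this->acl[$node] ?? [];
            if (array_key_exists($aco, $entries) || array_key_exists('*', $entries)) {
                return $node;
            }
        }
        return null;
    }
}

// The ship from the manual, built as constructed sample data.
$ship = new AclTree();
$ship->addGroup('Crew');
$ship->addGroup('Passengers');
foreach (['Han', 'Chewie'] as $member) {
    $ship->addAro($member, 'Crew');
}
foreach (['Obi-Wan', 'Luke', 'R2D2', 'C3PO'] as $passenger) {
    $ship->addAro($passenger, 'Passengers');
}
$ship->addAcl('Crew', '*', true);              // "the crew can enter any compartment"
$ship->addAcl('Passengers', 'lounge', true);   // "passengers can only enter the lounge"
$ship->addAcl('Chewie', 'engine-room', false); // Han's override after the hyperdrive repair

foreach ([['cockpit', 'Han'], ['engine-room', 'Chewie'], ['lounge', 'Chewie'],
          ['lounge', 'Luke'], ['weapons-bay', 'Luke'], ['cockpit', 'Lando']] as [$aco, $aro]) {
    echo $ship->explain($aco, $aro), PHP_EOL;
}
```

Running the script prints one line per request: Han reaches the cockpit through the Crew group's wildcard allow, Chewie is refused the engine room because the deny sits on his own ARO and is found before the group's allow (the override from Han's quote above), Chewie still reaches the lounge through the group, Luke reaches the lounge through the Passengers group but is refused the weapons bay because nothing on his path mentions it, and Lando, who is not on the tree at all, is refused by the default. Two practical checks this model makes explicit: every decision should be traceable to one node (which is what makes the tree easier to audit than a matrix), and the fallback for anything unknown or unmentioned must be deny, never allow.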

This article has briefly described the permission control principles and basic concepts of phpgacl. For more on how gacl works, see the phpgacl manual.
