[TYPO3-english] Extbase access check best practice

Hannes Lau office at hanneslau.de
Wed Sep 9 01:58:01 CEST 2015


Hey Viktor, Hi List!

> Say, I have a controller with:
> public function getObject($object) {}
>
> And I want to ensure, that action will perform only if
> $object->getOwner() === $loggedInUser
>
> Now the question: how this check is supposed to be?

I don't know about any 'official' solution, but I myself use two 
different ways to control access in my extbase extensions.

4.1) Model-based access control
Create an AuthorizeHelper with an authorize method that takes an object 
and an access mode. Depending on the object, required access and the 
current user, the authorize method determines whether access will be 
granted. If so, the authorize method returns true. If access is denied, 
the authorize method kills the app and returns HTTP 401.

A downside of this method is that you have to add calls to the authorize 
method to each action that requires access to your model. If you forget 
to add these calls, access will be granted without any checks.


4.2) Action-based access control
Create an AuthorizeHelper class with an authorize method that has 
controllerName, actionName and the actionArguments (array) as parameters. 
Implement a custom controller base class and add a call to the authorize 
method to its initializeAction method. Now you just have to make sure 
that each of your controllers extends your controller base class.


Now that I think about it, the two methods can be combined, as the 
actionName-based authorize helper could call the model-based one.

Something like:

switch ($controllerName) {
    case 'ExampleController':
        switch ($actionName) {
            case 'show':
                // the first action argument is the object being accessed
                $object = $actionArguments[0];
                // hand the decision to the model-based helper
                return $authorizeHelper->authorize(
                    $object,
                    AuthorizeHelper::READ
                );
        }
        break;
}

// nothing matched: deny; false leads to $GLOBALS['TSFE']->pageUnavailableAndExit(…)
return false;




> 3. Some heavy system, based on signals, sent before action emitted or so.

This sounds even better than the solutions I use ;)

Cheers,
Hannes

-- 
Hannes Lau
[Berlin, GMT+2]
Tel: +49 30 45096367
Mob: +49 179 1304344
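The combination sketched in the message above, written out as an added example that is not code from the original post or from any TYPO3 extension. It puts both helpers side by side: an action-based authorizer that maps controller/action pairs to a required access mode and denies everything it does not list, and a model-based helper that grants access only when the object's owner is the logged-in user. The class names (FrontendUser, Document, AuthorizeHelper, ActionAuthorizer), the argument key 'document' and the action names are assumptions for illustration; no TYPO3 classes are used, so the file runs with a plain PHP 8 interpreter.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Class, method and
// argument names are assumptions chosen for illustration. In an Extbase
// extension, ActionAuthorizer::authorize() would be called from
// initializeAction() of a shared controller base class; here a small
// constructed scenario drives it instead so the file runs stand-alone.

final class FrontendUser
{
    public function __construct(private int $uid) {}
    public function getUid(): int { return $this->uid; }
}

interface Ownable
{
    public function getOwner(): ?FrontendUser;
}

final class Document implements Ownable
{
    public function __construct(private ?FrontendUser $owner) {}
    public function getOwner(): ?FrontendUser { return $this->owner; }
}

// Model-based check: object + access mode + current user -> granted or not.
final class AuthorizeHelper
{
    public const READ = 'read';
    public const WRITE = 'write';

    public function authorize($object, string $mode, ?FrontendUser $user): bool
    {
        if ($user === null) {
            return false; // nobody is logged in
        }
        if ($mode !== self::READ && $mode !== self::WRITE) {
            return false; // unknown access mode: fail closed
        }
        if (!$object instanceof Ownable) {
            return false; // null, a scalar or a model without an owner: fail closed
        }
        $owner = $object->getOwner();
        // Compare uids, not object identity: two loads of the same fe_user
        // record need not be the same PHP object.
        return $owner !== null && $owner->getUid() === $user->getUid();
    }
}

// Action-based check: maps controller/action to the required model access.
final class ActionAuthorizer
{
    public function __construct(private AuthorizeHelper $helper) {}

    public function authorize(string $controller, string $action, array $arguments, ?FrontendUser $user): bool
    {
        switch ($controller) {
            case 'Document':
                switch ($action) {
                    case 'show':
                        return $this->helper->authorize($arguments['document'] ?? null, AuthorizeHelper::READ, $user);
                    case 'edit':
                    case 'update':
                        return $this->helper->authorize($arguments['document'] ?? null, AuthorizeHelper::WRITE, $user);
                }
                break;
        }
        // Everything not listed above is denied, so an action that was
        // forgotten here is blocked rather than silently allowed.
        return false;
    }
}

// Constructed scenario: alice owns the document, bob does not.
$alice = new FrontendUser(1);
$bob = new FrontendUser(2);
$document = new Document($alice);
$authorizer = new ActionAuthorizer(new AuthorizeHelper());

$requests = [
    ['owner reads', 'show', $alice],
    ['other user reads', 'show', $bob],
    ['anonymous reads', 'show', null],
    ['owner edits', 'edit', $alice],
    ['owner calls unmapped action', 'delete', $alice],
];
foreach ($requests as [$label, $action, $user]) {
    $granted = $authorizer->authorize('Document', $action, ['document' => $document], $user);
    printf("%-28s %-6s %s\n", $label, $action, $granted ? 'granted' : 'denied');
}
```

Two things to check before wiring this into a real base controller. First, in Extbase the request arguments available inside initializeAction() are still the raw request values (for a domain object typically its uid), because property mapping to objects happens after initializeAction() has run; a helper called from there has to load the object through its repository before it can ask for the owner, and should deny when the lookup returns null. Second, when denying, 403 is the status for a logged-in user who lacks rights to that object; 401 signals that no usable credentials were presented at all, so sending it to an authenticated user is misleading for clients and for anyone reading the access logs later.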


