[TYPO3-mvc] access control & localization: are they killing the idea of extbase by now?
Andreas Rieser
A.Rieser at T3site.com
Thu Jan 7 02:31:44 CET 2010
Hi Sebastian and Masi!
Am 06.01.2010 um 15:49 schrieb Sebastian Kurfürst:
>> Well, implementing Access Control via AOP is beautiful - but no
>> AOP no
>> Access Control doesn't convince me ;-) Sadly you are right, there
>> is not
>> to much access control stuff in pibase - atm I can only think of the
>> typical cObj->enableFields() for generating additional stuff for your
>> where-clauses. But I think it might be a good idea to put
>> something like
>> this and perhaps a bit more in Extbase.
> I'll be happy to discuss any API somebody comes up with :-)
The first question should be, what makes sense here. We already
mentioned three totally different things:
- cObj->enableFields()
from the end of http://typo3.org/documentation/document-library/
tutorials/doc_tut_frontend/0.0.1/view/3/2/
$this->cObj->enableFields("pages"). // Include conditions for
enableFields
In the case above, the call to enableFields returns this SQL condition:
AND NOT pages.deleted
AND NOT pages.hidden
AND (pages.starttime<=1011726642)
AND (pages.endtime=0 OR pages.endtime>1011726642)
AND pages.fe_group IN (0,-1)
Im pretty sure that extbase already takes care of some of these
features, e.g. deleted...
I have no idea how far this has been implemented yet. Maybe Jochen,
can help us out here?
- FE User / FE Group
That's something I throwed on the list. For me this means a really
basic access control mechanism. It's a bit like the last part of the
where-clause above where the group field is checked. But it also
should allow to check for a list of users. This has to be attached to
each object like the typical ACL. If the logged in fe user belongs to
a listed group or is in the list of users, the object should be
accessable to him. But you can not define which actions are allowed
to the fe user. In most of my development cases this was totally
sufficient. My users were in several groups that enabled
functionality for them (= access to controllers & actions). With the
basic access control above you could decide which objects are
available to them. Of course they could use all controllers & actions
that are available to them, on all the objects that are available to
them.
- ACL
At least Sebastian is pretty experienced with acl's because of his
be_acl extension. ACL covers the part that is missing in my
simplified access control mechanism.
So here you can define which users and groups are able to work with
which controllers & actions for every single object in the system.
So far so good - but let's have a look at FLOW3 features:
Security Framework
Clear separation of security concerns trough Aspect-Oriented
Programming
Default security by convention (eg. naming of methods)
User, group and role support
Extensive monitoring support
Of course configurable
What's new on the list is role support. For a short introduction have
a look at http://csrc.nist.gov/groups/SNS/rbac/documents/
design_implementation/Intro_role_based_access.htm
Correct me if I got it wrong, but I think role support is something
that brings back the fun to your life if you are working with ACL's
on a daily basis ;-)
If anything is missing in this list, please bring it in.
My answer to this first question is, that acl & role support are a
nice to have but not really needed as we didn't have anything like
out-of-the-box access control before.
For me working with users & groups is ok. When we get this up and
running we could have a look at FLOW3 again and decide if anything
more makes sense.
What would be needed is a central configuration posibility to allow/
disallow access to controllers&actions for users and groups. A really
nice thing would be a small configuration manager as backend module,
where you can assign users & groups to the available
controllers&actions. The resulting configuration files could (?) be
compatible to FLOW3 or at least the same module could export a FLOW3
format as well. I'm pretty sure that the part for putting a check
somewhere in the dispatcher of extbase is not that hard.
So, what do you think of postponing ACL & Roles by now?
After we found a consensus we can discuss a possible API.
>> For me the key question is, does it make sense to use "extbase" the
>> other way too. By creating very basic v4 compatible localization and
>> access control features in extbase now, most of the extbase-based
>> extension would use the same api. If v5 comes in we would find a
>> way to
>> develop the same api there with an v5-"extbase" package. What do
>> you and
>> especially Jochen think about this?
> I think while it is generally possible, to me it sounds like very much
> work for the last 5% - so for only a marginal gain. I guess I wouldn't
> work on that, but if somebody wants to try, why not? :)
I'm not sure if this will be a big deal, but I guess not. For me this
aren't the last 5% because it's clear that extbase will never become
FLOW3. What I imagine would basically be a small workaround, almost
like a wrapper. There will be a v5 access control and localization
concept. Yet there is no answer to the question if the differences
are some sort of "bridgeable" or not, but to me this doesn't matter
right now. I'm pretty sure there will be something around like
languages or FE Users & Groups - and so it should be a doable task.
Im just talking about something like an importer and the wrapper
class called "extbase" for providing the old v4 extbase api.
> Given the complex possibilities for localization by overlaying
> "writing back" an object is probably
> not easy. As long as I can localize the records via standard BE and
> display them correctly in the FE
> I'm content. Actually tslib offers IMHO also no support for editing
> of localized records for FE
> users. So here's the same situation as with ACLs, it would be nice
> to have the feature, but there's
> not a lack in comparison to the "classic" features.
> Masi
Yes, I know - and these are points where I start getting very
frustrated with v4 FE development.
Well, until now we always found a way to convince people to work with
the BE list-module and spare the development costs ;-)
But I guess with Jochen and extbase my frustration finally comes to
an end. To take another really promising quote from forge:
Bug #4639 Localized Domain Models can not be persisted
2009-11-27 17:50 - Jochen Rau
Target version set to Extbase 1.1.0
I'm really looking forward to this!
Greets,
Andreas Rieser
More information about the TYPO3-project-typo3v4mvc
mailing list