[TYPO3-mvc] Role-Based Access Control - Request for comments
Michael Knoll
mimi at kaktusteam.de
Tue Jan 18 23:54:56 CET 2011
Hi there,
during the past couple of days, I tried to implement a role-based access
control system for ExtBase. It's not finished yet but starting to
fulfill my requirements.
Here is a rough sketch of the idea. I introduced a set of tables that
let you look up whether a user is allowed to do something with a single
SQL query. I used the scheme described in [1]. I implemented all classes
required to work with this stuff in Extbase and started to write a
little admin frontend.
You can set up your configuration via TypoScript, which will be imported
into the extension in a setup process (did not find a better solution
yet). A TS snippet is attached below.
To be compatible with ExtBase I introduced some annotations for
controller actions:
    /**
     * new action
     *
     * @param Tx_Yag_Domain_Model_Gallery $newGallery
     * @return string Rendered new action
     * @rbacNeedsAccess
     * @rbacObject Gallery
     * @rbacAction create
     */
    public function newAction(Tx_Yag_Domain_Model_Gallery $newGallery) {
        $this->view->assign('newGallery', $newGallery);
    }
At the moment, I use an abstract controller to handle the initialize method
and do the check for access there (not really nice... but you get the idea):
    final protected function initializeAction() {
        // TODO refactor me!!!
        $this->preInitializeAction();
        $this->feUser = $this->getLoggedInUserObject();

        // Read the @rbac* annotations of the action that is about to be called
        $controller = $this->request->getControllerObjectName();
        $action = $this->actionMethodName;
        $methodTags = $this->reflectionService->getMethodTagsValues($controller, $action);

        if (array_key_exists('rbacNeedsAccess', $methodTags)) {
            if ($this->feUser) {
                $rbacUser = $this->getRbacUser();
                $rbacObject = $methodTags['rbacObject'][0];
                $rbacAction = $methodTags['rbacAction'][0];
                if (!$this->rbacAccessControllService->hasAccess($rbacUser[0]->getUid(), $rbacObject, $rbacAction)) {
                    // Access denied action
                }
            } else {
                // Do whatever you want to do, if user
                // is not logged in
            }
        }
        $this->postInitializeAction();
    }
My next step would be to create a fluid widget that lets you handle the
access configuration for your extension without writing more code than a
single line of fluid-viewhelper code.
As soon as I get my Git pushing my project to FORGE (any help here is
welcome :-) ) I will push my code to a FORGE project and send you the
download link.
It would be great to get some feedback on this...
Greez
Mimi
[1]
http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/
## TS configuration
plugin.tx_yag.settings.rbacSettings {

    ####################################################
    # Set up roles that can be assigned to fe_users
    ####################################################
    roles {
        administrator {
            description = Role for all administrators having full access to all functions on all objects
            importance = 100
            privileges {
                10 {
                    privilege = all_actions
                    domain = tx_yag_all_objects
                    isAllowed = 1
                }
            }
        }
        loggedInUser {
            description = Role for all logged in users
            importance = 10
            privileges {
                10 {
                    privilege = create
                    domain = tx_yag_comment
                    isAllowed = 1
                }
            }
        }
        guest {
            description = Role for all guests visiting gallery
            importance = 0
            privileges {
                view_action {
                    privilege = view
                    domain = tx_yag_all_objects
                    isAllowed = 1
                }
            }
        }
    }

    ####################################################
    # Set up privileges that can be assigned to roles
    # for a certain domain
    ####################################################
    privileges {
        all_actions {
            actions = view, create, update, delete, sort
            isSingular = 0
        }
        create {
            actions = create
            isSingular = 1
        }
        view {
            actions = view
            isSingular = 1
        }
    }

    ####################################################
    # Set up actions that can be combined to privileges
    ####################################################
    actions {
        view {
            description = View action
        }
        create {
            description = Create action
        }
        update {
            description = Update action
        }
        delete {
            description = Delete action
        }
        sort {
            description = Sort action
        }
    }

    ####################################################
    # Set up domains that roles can be defined upon
    # Make sure you give your domain an extension-
    # specific name
    ####################################################
    domains {
        tx_yag_all_objects {
            isSingular = false
            objects = Album, Gallery, Item, ItemMeta
        }
        tx_yag_album {
            isSingular = true
            objects = Album
        }
        tx_yag_gallery {
            isSingular = true
            objects = Gallery
        }
        tx_yag_item {
            isSingular = true
            objects = Item
        }
        tx_yag_itemMeta {
            isSingular = true
            objects = ItemMeta
        }
        tx_yag_comment {
            isSingular = true
            objects = Comment
        }
    }

    ####################################################
    # Set up objects that can be combined to domains
    ####################################################
    objects {
        Album {
            description = Album class in yag
        }
        Gallery {
            description = Gallery class in yag
        }
        Item {
            description = Item class in yag
        }
        ItemMeta {
            description = ItemMeta class in yag
        }
        Comment {
            description = Comment class in yag
        }
    }
}
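The following is an added example, not part of the post or the extension: it models the roles, privileges, actions, domains and objects of the TS snippet above as SQLite tables and performs the "single SQL query" check that the post describes. Table and column names are assumptions, as is the precedence rule that an explicit `isAllowed = 0` row overrides an allow and that a user with no matching row is denied.

```python
"""RBAC lookup modelled on the roles/privileges/domains of the TS snippet.
Schema, column names and the deny-wins rule are assumptions for this example."""
import sqlite3

SCHEMA = """
CREATE TABLE role(name TEXT PRIMARY KEY, importance INTEGER);
CREATE TABLE user_role(user_id INTEGER, role TEXT);
CREATE TABLE privilege_action(privilege TEXT, action TEXT);
CREATE TABLE domain_object(domain TEXT, object TEXT);
CREATE TABLE role_privilege(role TEXT, privilege TEXT, domain TEXT, is_allowed INTEGER);
"""

# Constructed rows mirroring the TypoScript configuration above.
ROWS = {
    "role": [("administrator", 100), ("loggedInUser", 10), ("guest", 0)],
    "user_role": [(1, "administrator"), (2, "loggedInUser"), (2, "guest"), (3, "guest")],
    "privilege_action": [("all_actions", a) for a in ("view", "create", "update", "delete", "sort")]
    + [("create", "create"), ("view", "view")],
    "domain_object": [("tx_yag_all_objects", o) for o in ("Album", "Gallery", "Item", "ItemMeta")]
    + [("tx_yag_comment", "Comment")],
    "role_privilege": [
        ("administrator", "all_actions", "tx_yag_all_objects", 1),
        ("loggedInUser", "create", "tx_yag_comment", 1),
        ("guest", "view", "tx_yag_all_objects", 1),
    ],
}

# One query: does any role of the user carry a privilege that contains the
# action on a domain that contains the object?  MIN() makes an explicit
# deny (0) win over any allow (1); no matching row yields NULL.
ACCESS_SQL = """
SELECT MIN(rp.is_allowed)
FROM user_role ur
JOIN role_privilege rp   ON rp.role = ur.role
JOIN privilege_action pa ON pa.privilege = rp.privilege
JOIN domain_object dobj  ON dobj.domain = rp.domain
WHERE ur.user_id = ? AND pa.action = ? AND dobj.object = ?
"""

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return con

def has_access(con, user_id, rbac_object, rbac_action):
    """Fail closed: only an unambiguous allow (MIN == 1) grants access."""
    (result,) = con.execute(ACCESS_SQL, (user_id, rbac_action, rbac_object)).fetchone()
    return result == 1
```

`has_access(con, uid, "Gallery", "create")` is the lookup the `@rbacObject Gallery` / `@rbacAction create` annotations in the post would trigger for the logged-in user.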