Laravel News:
Bouncer: a Laravel Package for Role and Ability Authorization
Jul 18, 2017 @ 09:23:14

On the Laravel News site there's a new post highlighting a package that can help you enforce roles and permissions in your application, enhancing the existing gates functionality.

Bouncer is an authorization package by Joseph Silber which allows role and ability checks at Laravel’s authorization gate. The package is described as follows: "Bouncer provides a mechanism to handle roles and abilities in Laravel’s ACL. With an expressive and fluent syntax, it stays out of your way as much as possible: use it when you want, ignore it when you don’t."

Bouncer makes it trivial to quickly create roles and abilities with a fluent API that creates them automatically.

The post includes some examples of the library in use, creating roles and abilities with its fluent API and using a trait to integrate it into other classes. It also covers how the automatic role creation works, how to use the functionality in middleware, how Bouncer intercepts "can" checks for its own evaluations and how to get all of the abilities for the current user.

tagged: laravel package authorization bouncer tutorial introduction

Link: https://laravel-news.com/bouncer-authorization-package

Zend Framework Blog:
Authorize users using Middleware
May 04, 2017 @ 09:40:56

Previously the Zend Framework blog posted a tutorial showing you how to authenticate a user with middleware in a Zend Expressive application. In this latest post in the series they move on to the next step: authorization.

In a previous post, we demonstrated how to authenticate a middleware application in PHP. In this post we will continue the discussion, showing how to manage authorizations.

We will start from an authenticated user and demonstrate how to allow or disable actions for specific users. We will collect users by groups and we will use a Role-Based Access Control (RBAC) system to manage the authorizations.

To implement RBAC, we will consume zendframework/zend-permissions-rbac.

They start by pulling in the Zend Expressive tooling support and creating the Permission module. The tutorial then gets into the basics of a role-based access control system and the roles they're going to define: admin, editor and contributor (as well as what each can do). The roles are then defined in a configuration file and briefly explained. Next is the creation of the middleware that authorizes the user's action in the application by checking the user's roles against the roles the action requires. There's also an example of setting up role inheritance and how to configure the resulting route to fire off the authorization handling.

tagged: zendexpressive middleware authorization zendrbac rbac rolebased accesscontrol tutorial

Link: https://framework.zend.com/blog/2017-05-04-authorization-middleware.html

Laravel News:
An Introduction to Laravel Authorization Gates
Apr 20, 2017 @ 15:21:20

On the Laravel News site there's a new post introducing you to "authorization gates" in Laravel, a feature that allows you to ensure a user has the permissions to perform the action being requested.

Laravel Gate has an elegant mechanism to ensure users are authorized to perform actions on resources. Before version 5.1, developers used ACL packages such as Entrust or Sentinel along with middlewares for authorization.

The problem with this approach is the permissions you attach to users are just flags; they don’t encode the complex logic of the permission for some use cases. We have to write the actual access logic within controllers.

They mention some advantages of Gate over external packages (like Sentinel or Entrust): it is "opinionated" about how it is used and it decouples access logic from business logic. They then share an example in a basic Laravel application, protecting "posts" based on the user's current roles. The models, migrations and the auth scaffolding generation are all included. They then show how to define policies in the AuthServiceProvider for CRUD operations on the posts and how to enforce their checks in the Post controller's execution flow.

tagged: laravel gates authorization introduction tutorial

Link: https://laravel-news.com/authorization-gates

Stovepipe Systems:
Symfony Security Roles vs. Voters
Aug 22, 2016 @ 10:08:28

On the Stovepipe Systems blog author Iltar van der Berg has returned with a continuation of his series on Symfony security basics, with this new post covering roles and voters.

In my previous blog post I've explained the basics of authentication, authorization and how this is dealt with in Symfony. Due to the size of the post, I've left out several important topics such as roles and voters; both equally important parts of authentication and authorization. A common misconception is that roles should be used to check permissions. In fact, they should definitely not be used to check permissions!

He goes on to explain where "roles" come into the process of authentication (not authorization) and how they describe something about the user of the system. With that defined, he moves on to "voters": functionality that "votes" on attributes related to the user, request, resource, etc. and returns a pass or fail decision based on its own logic. He explains why voters are probably closer to what most developers are looking for and gives some reasons to use them instead of roles. He ends the post by showing how to create your own custom voter and configure it in your application.

tagged: tutorial symfony authorization voter role introduction custom

Link: https://stovepipe.systems/post/symfony-security-roles-vs-voters

Alex Bilbie:
OAuth 2.0 Device Flow Grant
Apr 20, 2016 @ 11:58:50

In a new post to his site Alex Bilbie looks at a good approach to simplifying the OAuth 2 authorization flow for a device and some of the simple PHP that can power it.

When signing into apps and services on devices such as a Playstation or an Apple TV it can be an immensely frustrating experience. Generally you will endure something similar to one of the following scenarios: The utterly terrible experience whereby you don’t have anything other than an onscreen keyboard [or] A slightly less terrible experience whereby you can pair a bluetooth keyboard to enter your username and that crazy long password.

[...] There are some apps however - such as Youtube for Apple TV - that have a much better end user experience.

He talks more about this better experience: a short code presented to the user, a special URL to visit to link the device and the typical OAuth-style authorization page that ties the request to your account. He then explains how it would work with a PHP backend: the device makes the request to the auth server, which responds with the code and URL to show the user along with the "device code" the device uses while polling for the result. He also includes a few examples of error responses: polling too quickly, authorization still pending and a denied request. This is all based on the OAuth 2.0 Device Flow Grant, which is currently a draft specification.

tagged: device flow grant oauth2 example draft standard authorization

Link: http://alexbilbie.com/2016/04/oauth-2-device-flow-grant

Lorna Mitchell:
Simple Access Control for CakePHP3
Apr 11, 2016 @ 09:35:01

Lorna Mitchell has a post to her site with some helpful instructions for the CakePHP3 users out there around access control. The framework comes with no built-in ACL functionality, so she shows how to set up your own.

The newest version of CakePHP doesn't ship with a built-in ACL, which means you need to write your own. Personally I think this is a smart move, having looked at the one-size-fits-all solutions for previous versions of the framework and knowing that every system has different requirements. This version has good hooks and documentation on how to add something that works for your application. I thought I'd share what worked for mine.

She starts with some of the initial setup: creating the relationship between the users and her custom roles table and "baking" the controllers and templates. She then goes through the use of the authorize method and how it can handle the user/request combination to determine access. She includes the code for her auth class, showing both the authorize method and a simplified userHasRole method. She walks you through the code and points out one drawback of the setup: not being able to check access in views and templates.

tagged: access control cakephp3 user loggedin authorization tutorial

Link: http://www.lornajane.net/posts/2016/simple-access-control-cakephp3

Mohamed Said:
Building an API for 3rd party applications
Mar 30, 2016 @ 09:30:31

In this post to his site Mohamed Said shows you how to build an API that allows for easier integration with your content/functionality by 3rd party applications. This example uses the Laravel framework but the ideas could be applied in any framework.

APIs are cool, & Laravel can handle all the coolness you may desire. Here we talk about building an API for third party applications and allowing them to communicate with your application on behalf of users.

He starts where any good project should: planning for what features need to be included and the flow of the request/response process. He then walks you through the whole process for setting up the API:

  • Updating the routes for the API request endpoints
  • Creating the new Auth and Home controllers
  • Setting up the migration for the "applications" table
  • Using the firebase/php-jwt library for authentication/authorization handling
  • Registering a token and validating it on the incoming request

He wraps up the post talking about user authentication via a simplified OAuth-ish process flow, making requests using the resulting token and logging the user out (expiring the token).

tagged: api tutorial laravel application integration jwt token authentication authorization

Link: http://themsaid.github.io/laravel-api-3rd-party-20160327/

SitePoint PHP Blog:
Removing the Pain of User Authorization with Sentinel
Sep 21, 2015 @ 14:23:10

The SitePoint PHP blog has posted a tutorial showing you how to "take the pain out of user authorization" with the help of Sentinel, a package from Cartalyst that already includes functionality for both user authorization and authentication.

Most non-basic multi-user applications need some roles and permission levels. If you ever used WordPress, you must have noticed that they have a super admin, admin, editor, author, etc. Simplifying the development and integration of a permission system is what Cartalyst’s Sentinel package is trying to accomplish. The package provides an API for dealing with users, groups, permissions, etc. In this article, we’ll use it to create a small demo app.

They walk through the creation of a simple Slim framework application, installing it, Sentinel and the other suggested packages via Composer. They then help you run the migrations to create the necessary tables and set up a basic front controller file. From there they configure Twig templating and the Illuminate database connection and finally add a Sentinel instance to the application's DI container. They include code to help you create roles for "user" and "admin". From there the tutorial shows how to create login and registration forms, send a registration email, create permissions and activate users. Finally they build a simple administration page that hides functionality from normal users.

tagged: tutorial authentication authorization sentinel cartalyst slim illuminate

Link: http://www.sitepoint.com/removing-the-pain-of-user-authorization-with-sentinel/

Matt Stauffer:
ACL (Access Control List) Authorization in Laravel 5.1
Sep 10, 2015 @ 09:41:45

Matt Stauffer has continued his series looking at Laravel 5.1 with a new post covering the ACL functionality recently added in 5.1.1. This functionality adds on to the pre-existing authentication handling that has been a part of the framework for a while.

The authentication that Laravel provides out-of-the-box makes it simple to get user signup, login, logout, and password resets up and running quickly and easily.

But if you needed to control access to certain sections of the site, or turn on or off particular pieces of a page for non-admins, or ensure someone can only edit their own contacts, you needed to bring in a tool like BeatSwitch Lock or hand-roll the functionality, which would be something called ACL: Access Control Lists, or basically the ability to define someone's ability to do and see certain things based on attributes of their user record. Thankfully, Taylor and Adam Wathan wrote an ACL layer in Laravel 5.1.11 that provides this functionality without any added work.

He talks about the main interface to the ACL system, the Gate class/facade, and gives a simple example of it in use. He then gets into how it works when defining abilities and checking access levels, both with the facade and at the model level. He also shows how to use the checks in Blade templates and how to intercept the evaluations to add custom logic. He ends the post talking about the concept of policies and controller authorization, which allow for additional checking.

tagged: acl accesscontrol authorization laravel5 tutorial series part12 gate

Link: https://mattstauffer.co/blog/acl-access-control-list-authorization-in-laravel-5-1

Community News:
Laravel 5 Now Includes Authorization
Sep 01, 2015 @ 10:50:41

In the latest release of the Laravel framework (v5.1.1) they've introduced authorization handling to the native framework. This allows you to integrate permissions checks and perform policy validation both on the backend and in the templates.

In addition to providing authentication services out of the box, Laravel also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic.

The functionality includes the concept of "abilities" (permissions, essentially) and evaluates the allow/deny decision based on the objects involved, such as Users. The documentation shows how to perform the evaluations in controllers, the user model, form requests and even in Blade templates. There's also a section on creating policies for more complex evaluations than one-off permission checks.

To get a feel for what the community thinks of this new functionality, be sure to check out this Reddit thread with feedback, both positive and negative, on how it was implemented.

tagged: laravel framework authorization functionality permission policy allow deny

Link: http://laravel.com/docs/5.1/authorization