Laravel News:
Two Best Laravel Packages to Manage Roles/Permissions
Jul 21, 2017 @ 09:48:46

The Laravel News site has posted an in-depth look at two packages Laravel users can implement to add in role/permission management: Bouncer and Laravel-permission.

Roles and permissions are an important part of many web applications. Laravel historically had a lot of packages for them, and improved the core code as well. So what is the situation on this market today? What packages are the best to use? I’ve picked two.

The post starts off by sharing a few reasons why you might need these packages at all, given the functionality that Laravel already includes. Most of the reasoning comes from the fact that the framework allows for authorization checks but doesn't provide role/permission management. It then gets into what each of the packages provides, how to install them, and some example code to put them to use. It also looks at the database structure behind them and how they use it to store the authorization data.

tagged: laravel role permission package bouncer laravelpermission introduction tutorial

Link: https://laravel-news.com/two-best-roles-permissions-packages

Scotch.io:
User Authorization in Laravel 5.4 with Spatie Laravel-Permission
May 16, 2017 @ 11:28:09

On the Scotch.io site a new tutorial has been posted showing you how to use the Laravel-permission package (from Spatie) to more easily handle permission setup and validation in a Laravel application.

When building an application, we often need to set up an access control list (ACL). An ACL specifies the level of permission granted to a user of an application. For example a user John may have the permission to read and write to a resource while another user Smith may have the permission only to read the resource.

In this tutorial, I will teach you how to add access control to a Laravel app using Laravel-permission package. For this tutorial we will build a simple blog application where users can be assigned different levels of permission.

The tutorial then walks through the installation of the package and some of the new tables it adds to the database when you run the included migrations. It then talks about some of the methods that can be used, both on the backend and in Blade templates, to evaluate whether the current user has the required roles. Next up is the creation of the controllers to handle the basic CRUD tasks and working with the blog posts and views to set up the permissions and roles. Finally, the tutorial shows the code required to evaluate the roles and permissions of the user and an example of middleware that performs a pre-check to see if a user even has access to manage various pieces of the application.

tagged: tutorial spatie permission role package introduction blog acl ui interface

Link: https://scotch.io/tutorials/user-authorization-in-laravel-54-with-spatie-laravel-permission

Zend Framework Blog:
Manage permissions with zend-permissions-rbac
May 02, 2017 @ 09:23:48

Continuing on from their previous tutorial looking at auth in Expressive middleware, the Zend Framework blog (and author Matthew Weier O'Phinney) shows an example of using the "zend-permissions-rbac" package from the Zend Framework to handle role-based access control in your application.

In our previous post, we covered authentication of a user via Expressive middleware. In that post, we indicated that we would later discuss authorization, which is the activity of checking if an authenticated user has permissions to perform a specific action, from within the context of a middleware application.

Before we do that, however, we thought we'd introduce zend-permissions-rbac, our lightweight role-based access control (RBAC) implementation.

The article starts off with the Composer command to get the package installed and some basic vocabulary around the role-based access control system. It then gets into some of the basics around creating a role and checking to see if a user (by identifier) has access to a permission. The post also includes an example of how to handle undefined roles more gracefully than the default exception. It goes on to cover role inheritance and the creation of a first "real world" example using the package for complex evaluation. This also includes assigning users roles using an Identity class and how to write custom assertions.

tagged: permissions zendframework rbac rolebased accesscontrol permission role tutorial package

Link: https://framework.zend.com/blog/2017-04-27-zend-permissions-rbac.html

Community News:
Laravel 5 Now Includes Authorization
Sep 01, 2015 @ 10:50:41

In the latest release of the Laravel framework (v5.1.1) they've introduced authorization handling to the native framework. This allows you to integrate permissions checks and perform policy validation both on the backend and in the templates.

In addition to providing authentication services out of the box, Laravel also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic.

The functionality includes the concept of "abilities" (permissions, essentially) and validates the allow/deny status based on object properties, such as those of Users. The documentation shows how to perform the evaluations in the controllers, user model, form requests and even in the Blade templates. There's also a section on creating policies for more complex evaluations than just one-off permission checks.

To get a feel for what the community thinks of this new functionality, be sure to check out this Reddit thread with feedback, both positive and negative, on how it was implemented.

tagged: laravel framework authorization functionality permission policy allow deny

Link: http://laravel.com/docs/5.1/authorization

Developer.com:
Creating a Custom ACL in PHP
May 11, 2012 @ 10:53:23

On Developer.com there's a recent tutorial showing you how to create a basic access control list in PHP (not in any specific framework). It allows you to define not only user permissions but groups and group permissions as well.

So, what are the advantages of an ACL model? The first advantage is security. Using this model will make your application more secure and less vulnerable to exploits. When securing any program, it is good to give to the user only the privileges he/she needs. That means that, for example, you should not give super administrator privileges to someone who will only manage website content. The ACL security model allows you to do just that. The second advantage is the easiness of user management. You can divide users into groups, while each group has certain access permissions. Also, you can easily add new user groups, delete the old ones or change group permissions.

They include the database structure you'll need to make the backend work (four tables) and the code to create an "Acl" class with methods to check a user+group for a permission, get the permissions for a user and get the permissions for a group. It's a pretty simple system and has a lot more that could be added to it to make it more robust, but it's a good start.

tagged: custom acl access control permission group tutorial database

Link:

PHPMaster.com:
Role Based Access Control in PHP
Mar 13, 2012 @ 13:10:05

On PHPMaster.com today there's a new tutorial posted (from Martin Psinas) about using role-based access controls in PHP-based applications. His method isn't based in any specific framework, so it's easily portable to just about any app out there.

In this article I will discuss my personal favorite approach: role based access control (RBAC). RBAC is a model in which roles are created for various job functions, and permissions to perform certain operations are then tied to roles. A user can be assigned one or multiple roles which restricts their system access to the permissions for which they have been authorized.

He starts with a warning that, if not properly maintained, a role-based system like this can become somewhat chaotic, so rules should be in place around when permissions are added and removed. His functionality is based on a few database tables - roles, permissions and cross-reference tables between users/roles & permissions/roles. All of the code you'll need to implement the system is included in a Role class, the PrivilegedUser class and the methods you'll need to add/remove/check the logged-in user's permissions.

tagged: role access privilege tutorial database permission

Link:

Lorna Mitchell's Blog:
Accessing the Magento Web API
May 05, 2010 @ 15:58:04

On her blog today Lorna Mitchell talks about a problem she encountered with the Magento web API interface - an "Access denied" message that was keeping her out.

I've been working with the Magento Web API lately, and the first problem I ran into was actually getting access to it. Contrary to its reputation, I found some perfectly good documentation outlining how to connect to the service and use it.

A search for a fix to her "access denied" message led her to this forum post talking about web service permissions and how they relate to user setup. An API key and username are needed to work with the API and can be set up in the user's information.

tagged: magento api interface permission access denied

Link:

Debuggable Blog:
Simple Data Access Control
Aug 25, 2008 @ 07:56:50

In a new post to the Debuggable blog Felix Geisendorfer illustrates a simple access rights system that can be plugged into any CakePHP application you might be developing.

If your application is like most, then you have some basic permission requirements for your data. A simple scenario is the following. Blog posts can only be edited by their owners and administrators. Same goes for viewing unpublished blog posts.

His example adds a permission check (a "can" method) to the User model and wires it into the typical PostsController to ensure that a user is allowed to view any given post.

tagged: post access control user permission model cakephp framework

Link:

PHPImpact Blog:
Run PHP scripts with different users on the same server
Aug 12, 2008 @ 09:31:52

On the PHP::Impact blog Federico has posted a sort of reminder about a method you can use to run PHP scripts as different users on the same system - suPHP.

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

suPHP runs as an Apache module and works with the local server's permission system to restrict script access to whatever the user's allowances are. He links to this tutorial for more information on setting it up.

tagged: suphp script apache module user permission

Link:

Lee Blue's Blog:
How To Implement A Ruby on Rails style before_filter With The PHP Zend Framework
Feb 04, 2008 @ 14:36:00

Lee Blue has posted something looking to bridge yet another gap between Ruby on Rails and PHP - a method for adding before_filter functionality to PHP.

I often use this when implementing a simple login screen for a password protected section of my application. In a Zend Framework application you can implement a preDispatch() function in a Zend_Controller_Action which will run before an action is dispatched. This lets you set up your filter to check to see if the visitor is logged in or not. If the visitor is not logged in, you can redirect them to the login screen of your application.

He includes example code to show its usefulness, checking two things: whether a user is logged in and whether they're allowed to use a certain resource.

tagged: rubyonrails zendframework beforefilter user access permission

Link: