
Zend Framework Blog:
Manage permissions with zend-permissions-acl
May 10, 2017 @ 13:19:23

The Zend Framework blog is back with their latest installment in their authentication and authorization series with the Zend Expressive framework. In this latest post they show the use of the zend-permissions-acl component to provide another kind of access control evaluation (as opposed to the role-based access control shown in a previous article).

The last couple of posts have been around authorization, the act of determining if a given identity has access to a resource. We covered usage of role-based access controls, as well as middleware that uses an RBAC.

In this post, we'll explore another option provided by Zend Framework, zend-permissions-acl, which implements Access Control Lists (ACL).

This post will follow the same basic format as the one covering zend-permissions-rbac, using the same basic examples.

They start off the post as they've done with the others, showing how to install the component and defining some basic vocabulary so everyone's on the same page. The post then creates an access control list instance, defines some roles in that ACL and runs some example isAllowed checks to evaluate those permissions. With that in place, the tutorial moves on to resources, role inheritance and resource inheritance. Finally, they talk about ACLs in general, what they should contain and how to add custom assertions if the need should arise.

tagged: zendframework zendexpressive permissions zendpermissionsacl tutorial component

Link: https://framework.zend.com/blog/2017-05-09-zend-permissions-acl.html

Easy roles and permissions in Laravel 5.4
May 03, 2017 @ 12:06:41

On the QCode.in site Saqueib Ansari has written up a tutorial showing how to use a package in Laravel applications to manage roles and permissions easily. This package, spatie/laravel-permission, complements the current Laravel roles/permissions handling with a few handy features that make management and evaluation simpler.

Although Laravel comes with Policies to handle authorization, I wanted to have an option to just create permissions in the database which we can manage by a UI in the admin panel, pretty standard. We can implement our own roles and permissions from scratch but I am going to use the [spatie/laravel-permission](https://github.com/spatie/laravel-permission) package for this. This package was inspired by Jeffrey Way's screencast and it's very well maintained and very easy to use. It has everything we need and plays very well with Laravel Gate and Policies implementations.

He walks through the creation of a new Laravel application, running make:auth to generate the authentication functionality and adding the spatie/laravel-permission package along with its service provider. He creates several models for permissions and roles and updates the User model with a new trait. Once the migrations are run, he creates a default permission set. Then it's on to the code for the endpoints that work with roles (including syncing them with permissions). He then moves over to the views, showing how to use the can helper to determine if a user has access, creating an Authorizable trait and an AuthorizationException handler. Finally, the tutorial wraps up with the roles and permissions management functionality, complete with code and screenshots of the result.

tagged: laravel roles permissions tutorial package laravelpermission spatie management

Link: http://www.qcode.in/easy-roles-and-permissions-in-laravel-5-4

Zend Framework Blog:
Manage permissions with zend-permissions-rbac
May 02, 2017 @ 09:23:48

Continuing on from their previous tutorial looking at auth in Expressive middleware, the Zend Framework blog (and author Matthew Weier O'Phinney) shows an example of using the "zend-permissions-rbac" package from the Zend Framework to handle role-based access control in your application.

In our previous post, we covered authentication of a user via Expressive middleware. In that post, we indicated that we would later discuss authorization, which is the activity of checking if an authenticated user has permissions to perform a specific action, from within the context of a middleware application.

Before we do that, however, we thought we'd introduce zend-permissions-rbac, our lightweight role-based access control (RBAC) implementation.

The article starts off with the Composer command to get the package installed and some basic vocabulary around the role-based access control system. It then gets into the basics of creating a role and checking to see if a user (by identifier) has access to a permission. The post also includes an example of how to handle undefined roles more gracefully than the default exception. It goes on to cover role inheritance and the creation of a first "real world" example using the package for complex evaluation. This also includes assigning roles to users via an Identity class and how to write custom assertions.

tagged: permissions zendframework rbac rolebased accesscontrol permission role tutorial package

Link: https://framework.zend.com/blog/2017-04-27-zend-permissions-rbac.html

Gonzalo Ayuso's Blog:
How to protect from SQL Injection with PHP
Feb 08, 2012 @ 08:07:05

In a recent post to his blog, Gonzalo Ayuso shares a few tips on preventing SQL injection attacks on your applications.

Security is a part of our work as developers. We need to ensure our applications against malicious attacks. SQL Injection is one of the most common possible attacks. Basically SQL Injection is one kind of attack that happens when someone injects SQL statements in our application. You can find a lot of info about SQL Injection attack. Basically you need to follow the security golden rule: "Filter input, Escape output".

He advocates the use of the PDO abstraction layer to avoid most of these issues. Its prepared statements send the query and the user-supplied values to the database separately, which prevents the injections that simply adding slashes to user input wouldn't. He also includes a reminder about database permissions: allowing only certain database users the ability to, for example, delete rows adds one more layer of defense (in other words, don't connect as a "super user" in production).

tagged: sql injection pdo protect database permissions tutorial


Wrangling with the Facebook Graph API
Dec 02, 2011 @ 13:37:09

On the NetTuts.com site today they have a (very complete) guide to help you wrangle the Facebook Graph API and make it useful for your application. It makes use of the official Facebook PHP SDK to interface with the Graph API.

Have you ever wanted to learn how to make your applications more social with Facebook? It’s much easier than you think! In this tutorial, we’ll be building an application that reads and publishes data to and from Facebook using Facebook’s Graph API.

The tutorial helps you get signed up on the Facebook developer site, create a first sample application, set up the SDK and make a simple page (with the added bonus of using Twitter Bootstrap for the look and feel). There's a section covering permissions and what kind of data you can expect to get publicly for both users and posts. They wrap it up with an example of posting back to Facebook through the API and updating the status on your account. The complete code for the tutorial is also available for download.

tagged: facebook graph api tutorial sdk permissions


File Security and Resources with PHP
Nov 23, 2011 @ 16:23:27

In the fourth part of their series looking at working with the filesystem in PHP, DevShed has posted a new tutorial focusing on security and permission handling for files/resources.

These days, security is paramount to any server installation, large or small. Most modern operating systems have embraced the concept of the separation of file rights via a user/group ownership paradigm, which, when properly configured, offers a wonderfully convenient and powerful means for securing data. In this section, you'll learn how to use PHP's built-in functionality to review and manage these permissions.

They introduce functions like:

Sample code is also included to show how to open and close a file.

tagged: file security resource permissions function tutorial


How to Use CakePHP's Access Control Lists
Jul 30, 2010 @ 15:13:20

On NETTUTS.com today there's a new detailed tutorial on how to use the access control list functionality that comes with the CakePHP framework.

If you're building a CMS, you'll probably need different user roles (superusers, admins, users) with different permission levels. Too complicated to code? Enter CakePHP's ACL (Access Control Lists). With the right setup, you'll be checking user permissions with just one line.

They explain what "access control lists" are and then show an example of one, including the database tables and the full scripts for the Users controller, a model to hook into the database and the view for output to the user. They include methods for denying access, checking permissions, and modifying a user's permissions.

tagged: cakephp framework acl accesscontrollist permissions


Brandon Savage's Blog:
Controlling Access: Zend_Navigation and Zend_Acl
Apr 02, 2010 @ 08:59:55

In the next part of his Zend_Navigation series Brandon Savage takes a look at integrating it with Zend_Acl to add permissions/roles into the mix, showing certain things for certain users.

What happens when you have special areas of your site, say for subscribers or administrators? Controlling access is something that all web developers must do at some point. This is where integration between Zend_Navigation and Zend_Acl comes in.

He shows how to set up the access control rules for an "Admin" section in an example navigation array. It uses the "resource" and "privilege" attributes on the navigation page to specify which ACL resource and privilege the current role must be allowed in order to see that item. Then a "setAcl" call pulls that information in, and two lines of code output the navigation.

tagged: zendnavigation zendacl permissions access


Justin's Blog:
How to secure your wordpress blog - part 2
Apr 15, 2009 @ 11:19:47

Justin had written up a previous article with a few quick ways to secure your WordPress blog and he's come back with a few more helpful hints on how to keep you and your blog safe.

The following is a list of some additional changes that you can make to improve the security of your wordpress installation (Backup wp-config.php and your db tables before trying the following).

Here's his new list of recommendations:

  • Change the default table prefix
  • Install WP-Scanner
  • Change permissions on the WordPress to only be writable by you and root

tagged: secure wordpress blog table prefix permissions wpscanner


Nessa's Blog:
Working with Permissions in PHP
Dec 24, 2007 @ 09:22:00

On her blog Nessa has a brief look at working with permissions with PHP via three functions - chown, chgrp and chmod.

PHP uses the same command as *nix systems when dealing with changing permissions for files. These commands are particularly useful in situations where PHP runs as a different user on the system, which is common when PHP is compiled as an Apache user.

She includes the basic syntax for each of them and shows how one (chmod) could be used in an example of file creation.

tagged: permissions chmod chgrp chown function file