
Zend Framework Blog:
Authorize users using Middleware
May 04, 2017 @ 09:40:56

Previously the Zend Framework blog posted a tutorial that showed you how to authenticate a user with middleware in a Zend Expressive application. In this latest post in the series they move on to the next step: authorization.

In a previous post, we demonstrated how to authenticate a middleware application in PHP. In this post we will continue the discussion, showing how to manage authorizations.

We will start from an authenticated user and demonstrate how to allow or disable actions for specific users. We will collect users by groups and we will use a Role-Based Access Control (RBAC) system to manage the authorizations.

To implement RBAC, we will consume zendframework/zend-permissions-rbac.

They start by pulling in the Zend Expressive tooling support and creating the Permission module. The tutorial then gets into the basics of using a role-based access control system and the roles they're going to define: admin, editor and contributor (as well as what each can do). The roles are then defined in a configuration file and briefly explained. Next is the creation of the middleware that authorizes the user and their action in the application, checking the user's roles against the requirements of the action. There's also an example of setting up role inheritance and how to configure the resulting route to fire off the authorization handling.

tagged: zendexpressive middleware authorization zendrbac rbac rolebased accesscontrol tutorial

Link: https://framework.zend.com/blog/2017-05-04-authorization-middleware.html

Zend Framework Blog:
Manage permissions with zend-permissions-rbac
May 02, 2017 @ 09:23:48

Continuing on from their previous tutorial looking at auth in Expressive middleware, the Zend Framework blog (and author Matthew Weier O'Phinney) shows an example of using the "zend-permissions-rbac" package from the Zend Framework to handle role-based access control in your application.

In our previous post, we covered authentication of a user via Expressive middleware. In that post, we indicated that we would later discuss authorization, which is the activity of checking if an authenticated user has permissions to perform a specific action, from within the context of a middleware application.

Before we do that, however, we thought we'd introduce zend-permissions-rbac, our lightweight role-based access control (RBAC) implementation.

The article starts off with the Composer command to get the package installed and some basic vocabulary around the role-based access control system. It then gets into some of the basics around creating a role and checking to see if a user (by identifier) has access to a permission. The post also includes an example of how to handle undefined roles more gracefully than the default exception. It goes on to cover role inheritance and the creation of a first "real world" example using the package for complex evaluation. This also includes assigning users roles using an Identity class and how to write custom assertions.

tagged: permissions zendframework rbac rolebased accesscontrol permission role tutorial package

Link: https://framework.zend.com/blog/2017-04-27-zend-permissions-rbac.html

Administering RBAC in PHP 5 CMS Framework
Nov 20, 2008 @ 10:28:15

WebReference.com continues their series looking at user administration in content management systems. This time they look at the importance of user roles and some code you can add to help manage them.

Although the operations are simple, it is vital that they be handled correctly. It is generally a poor principle to allow access to the mechanisms of a system rather than providing an interface through class methods. The latter approach ideally allows the creation of a robust interface that changes relatively infrequently, while details of implementation can be modified without affecting the rest of the system.

Their code includes methods to get all roles for a user, check to see which they are permitted to use, add a "permit" role and remove it again. The tutorial is an excerpt from the Packt book PHP5 CMS Framework Development (Martin Brampton).

tagged: rbac php5 framework tutorial excerpt packt role