Security and Permissions

Does anyone else have this problem or is it always just me...?

I worked on a project about 2 years ago in PHP that had a requirement for fairly complex permissions within security roles. The kind of problem I had, and one I am sure is fairly common, was as follows...

In our system a client belonged to a group, and each group belonged to a reseller. On top of that we could also have users who belonged to no-one, a reseller, a group or a client, so we figured there was a need for 3 roles: a superuser who could manage clients in any group, a user who could manage clients in any group within a particular reseller, and a user who could only manage clients in a particular group. If we take 'manage' as adding, deleting and updating the details of a client, you could say we needed either 3 permissions, 'client add', 'client update' and 'client delete', or one permission, 'client', with the actions 'add', 'update' and 'delete'. I went for the latter as it seemed quite sensible and meant fewer permissions and hopefully more flexibility with less coding. This single permission, however, could not describe in the necessary detail which groups it could add/update/delete in, and this was a problem I found was common to all the available security managers for PHP at the time. They could handle simple permissions, but when it came to restricting those permissions so they only grant access when certain parameters are true, like when the client is being added to a specific group, they fail.

One way you could solve this problem on a basic security manager, like Zend Framework's ACL component, would be to break up the Client permission into 'own group client', 'own reseller client' and 'client'. The problem with this, though, is that wherever your code checks for a permission it would have to contain the deciding logic that determines which of the 3 permissions to check for. That is not very scalable, especially if you later add another type of client permission.

In the end I solved the problem by ripping off - ahem - porting part of Java's security package to PHP; I mainly copied the AccessController and the Permission objects. I added a 'context' property to the Permission object, which in the case of our client permission would be set to the Client object the action was being performed on, and also added a 'Restrictor' interface. The key is this Restrictor. In the role configuration file we set it up so you could grant a permission with zero or more restrictor objects. When a permission check was performed, the AccessController would go through the list of granted permissions and ask each if it implied the permission in question. In turn, each granted permission would ask any associated restrictors if they 'restricted' the permission; by inspecting the permission's context the restrictor could decide whether or not to deny access.
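The check described above, as an added PHP 8 example that is not the post's own security manager: the Client, ContextRestrictor and role configuration below are assumed for illustration, and a permission is implied only when every restrictor attached to the grant is satisfied by the request's context.

```php
<?php
// Added example, not the post's ported code: a permission that carries the
// object it targets (its context) plus restrictors that inspect that context.
final class Client {
    public function __construct(public int $group, public int $reseller) {}
}
interface Restrictor {
    public function restricts(Permission $requested): bool; // true = veto
}
// Vetoes unless the request's client has the expected group or reseller.
final class ContextRestrictor implements Restrictor {
    public function __construct(private string $field, private int $value) {}
    public function restricts(Permission $requested): bool {
        $ctx = $requested->context;
        return $ctx === null || $ctx->{$this->field} !== $this->value;
    }
}

final class Permission {
    public function __construct(public string $name, public array $actions,
        public ?Client $context = null, private array $restrictors = []) {}
    // A granted permission implies a request when name and actions match
    // and no attached restrictor vetoes the request's context.
    public function implies(Permission $requested): bool {
        if ($this->name !== $requested->name) return false;
        if (array_diff($requested->actions, $this->actions) !== []) return false;
        foreach ($this->restrictors as $r) {
            if ($r->restricts($requested)) return false;
        }
        return true;
    }
}

final class AccessController {
    public function __construct(private array $granted) {}
    public function checkPermission(Permission $requested): bool {
        foreach ($this->granted as $g) {
            if ($g->implies($requested)) return true;
        }
        return false; // deny by default
    }
}
// Role config (constructed): add/update clients, but only in group 7 of reseller 1.
$acl = new AccessController([new Permission('client', ['add', 'update'], null,
    [new ContextRestrictor('reseller', 1), new ContextRestrictor('group', 7)])]);
foreach ([[7, 1, 'add'], [8, 1, 'add'], [7, 1, 'delete']] as [$g, $r, $act]) {
    $ok = $acl->checkPermission(new Permission('client', [$act], new Client($g, $r)));
    echo "$act client (group $g, reseller $r): ", $ok ? 'allowed' : 'denied', "\n";
}
```

Because the deciding logic lives in the restrictors attached to the grant, the call site always checks the single 'client' permission and a new kind of restriction is a configuration change rather than a code change.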

The project in question was actually abandoned halfway through and the security manager was never used, so if I get around to it I'll ask my old company if I can post the code up here. What are people's thoughts on this? I'm guessing it's not just me who has come across the problem of security managers not being able to handle this kind of thing.

Update: I have uploaded the security manager source code, PHP docs and the first draft of an HTML manual; it can all be found here


Great stuff!

I've really enjoyed your writing on this subject.  ACLs are very tricky to implement and your situations are totally the kind of hard-to-scale stuff I struggle with.

I've resorted to resource identifier strings.  Strictly for a web context, I think they might be interesting as they will allow me to express not just objects, but controls, pages and combinations of controls on pages, or objects on pages.

My permission rows could look like (string, user, permission)

("/path/to/page#ControlOnPage", 97, "view")
("&BlogPost=23", 2, "edit")

I'm not 100% on how smart it is to do it this way, but I figured it was neat enough to try and is my best idea going right now.

I'd love to hear your thoughts on it!

(Hard enough deciding where to put all the ACL code as well, yikes!)
