Groovel blog : The platform for web artisans


Welcome

How to secure access and share privileges to other users and make it collaborative platform?

by groovel

Posted on 2016-11-20 09:48:34


How to secure access and share privileges to other users and make it collaborative platform?

Lot of systems multiply complexity authorizations, multiply profiles access to specific rights, inheritance,
configuration , rules hard coded , and it's become after difficult to maintain when time past.
How and which strategy do i choose in groovel?
I wanted something that is not intrusive in the code and quickly configured via a web interface,easy to find when a right access missing.

The idea to use profile is quite good,i don't want to rebuild the wheel, so i just decided to add rights access depending on the URL you try to access.
In each url ,i know what actions should be processing : CREATE READ UPDATE DELETE,
So i make the mapping between a profile of users that contains URL and actions which he can execute: is it CREATE,READ,UPDATE,DELETE?
After i make the matching with the privilege access that you have to do for the actions.

Here, you see how groovel configure a profile  for users:

In each url resources , there is an action which is mapped.

When you call an uri you see in log files (example) :

PARAMS ACCESSURL  
[2016-11-18 06:39:54] local.DEBUG: array (
  'uri' => '/', //the url you try to go
  'method' => '',
  'controller' => '',
  'view' => 'cmsgroovel.pages.firstinstall.welcome', // you try to access to this page
  'action' => 'op_none', //no specific actions you have to have
  'type' => 'blog',
)  
At this moment groovel loads your profile and check if it matches with uri, action

When you miss a privilege , it is easy to go and see in the logs file:
find this line  : middleware UserRules NOT AUTHORIZED : END METHOD handle()
it indicates after the url and the action that you don't have

Add it after!

The strong design in groovel is that the authentification and the check rules access is mutualized and centralized.

You can duplicate the profiles and add to specific users.

ADMIN profile : you are the master of all systems

PUBLIC profile : you can just access to your messages, very basics thing.

CLIENT profile : you can interact by publishing contents! as a blog ccontributor.


What do you think?

Thanks for the reading !


Leave a Comment: