Martin Radosta - Record level security based on SQL
Written on Thu, Dec 4th 2008, 13:26 in CakeFest, CakePHP
Martin's presentation was based around a behavior that he wrote to provide access control using SQL. In designing a solution, Martin came up with a few criteria. The solution must be generic: it requires only 4 fields on any table that will be using the behavior. It should perform quickly and not create a lot of extra queries. The solution he searched for also needed to provide a few features. It should provide permissions for read, write and delete. Permissions are assigned by role, with users having many roles. This system is similar to ACL but different, in that it stores the permissions for each record.
Martin's behavior uses a permission system similar to the Unix file system, with owner, group, and world access. This was implemented as a series of bit masks. Unlike Unix filesystems, these permissions are summed and stored as one field. The 4 fields mentioned earlier are user_id, role_id, group_id, and permissions. These four fields allow the behavior to work; both the roles and groups also use binary values to reduce the number of columns. The binary values for roles and groups are compared to those in the role and group id for records. In addition, the requested permission is combined with the group and role values and checked against the permissions field. Since binary values are used, roles can be combined and will always be unique.
Permissions in a system like this are done via a bitmask system. User values for group and role are compared to record permissions. If the value of the bitmask meets the expectation, the record is returned.
In addition to a controller, an element, an action in AppController and a model are used. Martin gave a quick demo of an application using his behavior. The permission checks are all done in the SQL of the behavior. Another interesting part of the behavior is that in the behavior's afterFind() extra values are added to indicate whether or not a user can write or delete. This allows your interface to display the correct icons, which is a nice added bonus.
I personally was really impressed with how his system was designed and how it worked. He demonstrated how his fine-grained access control group. He even had a root user that was not bound by the permissions system. The permission You can find this project at SourceForge; the project is licensed under the MIT license.
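
The sketch below is an added example, not Martin's behavior or code shown in the talk: it runs the kind of bitmask check described above entirely inside the SQL `WHERE` clause, using SQLite from Python so it runs offline. The bit layout, the `documents` table, the sample rows and the helper names are assumptions made for illustration, and the write/delete flags that the behavior adds in afterFind() are computed here in the same query.

```python
import sqlite3

# Assumed layout (constructed here, not the behavior's real values): three
# action bits, repeated per class and summed into the one `permissions` column.
READ, WRITE, DELETE = 1, 2, 4
OWNER, GROUP, ROLE, WORLD = 0, 3, 6, 9  # left shift for each class

def perm(owner=0, group=0, role=0, world=0):
    """Sum per-class action bits into the single stored integer."""
    return owner << OWNER | group << GROUP | role << ROLE | world << WORLD

def allowed(a):
    """SQL predicate: may the caller perform the action bound to :a on this row?"""
    return f"""((permissions & (:{a} << {WORLD})) != 0
        OR (user_id = :uid AND (permissions & (:{a} << {OWNER})) != 0)
        OR ((group_id & :groups) != 0 AND (permissions & (:{a} << {GROUP})) != 0)
        OR ((role_id & :roles) != 0 AND (permissions & (:{a} << {ROLE})) != 0))"""

# Only constants are interpolated; all caller-supplied values are bound parameters.
QUERY = f"""SELECT id, {allowed('w')} AS can_write, {allowed('d')} AS can_delete
            FROM documents WHERE {allowed('r')} ORDER BY id"""

def visible_records(db, uid, groups, roles):
    """Readable rows for a user, with write/delete flags for the interface."""
    args = {"uid": uid, "groups": groups, "roles": roles,
            "r": READ, "w": WRITE, "d": DELETE}
    return [tuple(row) for row in db.execute(QUERY, args)]

def demo_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, user_id INT,"
               " group_id INT, role_id INT, permissions INT)")
    full = READ | WRITE | DELETE
    db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?, ?)", [
        (1, 10, 1, 1, perm(owner=full)),                      # private to user 10
        (2, 10, 2, 1, perm(owner=full, group=READ | WRITE)),  # group 2 may edit
        (3, 11, 1, 4, perm(owner=full, role=READ)),           # role 4 may read
        (4, 11, 1, 1, perm(owner=full, world=READ)),          # world-readable
    ])
    return db

if __name__ == "__main__":
    # User 12 holds groups 2 and 8 (mask 10) and role 4.
    for row in visible_records(demo_db(), uid=12, groups=2 | 8, roles=4):
        print(row)
```

Because each role and group is a distinct power of two, a user's memberships collapse into one integer mask, and a single `&` per class replaces a join against a membership table.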
