Rosario Carvello edited this page Nov 10, 2018 · 35 revisions

WebMVC uses a role-based security model for users, known as RBAC, "Role Based Access Control".
RBAC establishes that:

a) Each system user must be authenticated, identified and assigned to an application role (e.g. admin, user, power user and so on).
b) After logging in, a user can access only the web pages whose access was restricted to the user's own role.
c) Roles can also restrict database record operations, such as select, insert, update or delete.

WebMVC lets you implement a), b) and c) by providing services for:

  1. Defining and creating the database tables in which to store users, credentials, roles and the assignment of a role to each user.
  2. Implementing a login mechanism for authenticating and identifying users.
  3. Implementing a mechanism to establish that a given controller may be executed only by an authenticated user and/or by a user who has the appropriate role.
  4. Limiting database record operations depending on the user's role.

How to define and create the database tables in which to store users, credentials, roles and the assignment of a role to each user.

You can use the rbac.sql script to create these tables automatically. The generated tables also contain sample data for users and roles. These tables are designed to be used directly by the framework: specifically, the framework/User.php class uses the data in these tables to implement the following methods, which you can use while developing your MVC classes.

First, the "getter" methods:

<?php

    /**
     * Gets user id
     * @return mixed
     */
    public function getId()

    /**
     * Gets user email
     * @return mixed
     */
    public function getEmail()

    /**
     * Gets user password
     * @return mixed
     */
    public function getPassword()

    /**
     * Gets user role
     * @return mixed
     */
    public function getRole()

Here are some useful methods to manage user login and logout:

<?php

    /**
     * Login user
     *
     * @param string $email User email
     * @param string $password User password
     * @return bool True if login ok, else false
     */
    public function login($email, $password)

    /**
     * Logout user
     *
     * @return bool always true
     */
    public function logout()


    /**
     * Checks if user is logged
     *
     * @return bool True or False
     */
    public function isLogged()
 

    /**
     * Checks if user is logged in. If not, it redirects.
     *
     * @param string $redirect The controller URL path to redirect to if the user is not logged in.
     *                         If null, it redirects to the default login page.
     * @param null|string $returnLink The link to return to after logging in through the default
     *                    login page
     * @param null|string $LoginWarningMessage  A custom warning message to show
     *
     */
    public function checkForLogin($redirect = null, $returnLink= null, $LoginWarningMessage=null)

    /**
     * Auto login by using cookies
     * Note:
     * It uses the ChiperService class to decrypt the cookie
     *
     * @uses ChiperService
     *
     */
    public function autoLoginFromCookies()

If you want to use your own tables to store and manage users and roles, you need to tell WebMVC how to retrieve that information. In that case, you must modify the file config/security.config.php:

<?php

/**
 * security.config.php
 *
 * Main application security configuration parameters.
 * You can change these values according to your MySQL
 * environment or cipher preferences
 */

/**
 * Defines the constants for the MySQL database User table.
 * Class User uses this information.
 */

/**
 *  Constant for the User MySQL Table
 */
define("USER_TABLE","user");

/**
 *  Defines a constant for INT Primary Key field of the User MySQL Table
 */
define("USER_ID","id_user");

/**
 *  Defines a constant for the UNIQUE email field of the User MySQL Table
 *  Email is used as credential
 */
define("USER_EMAIL","email");

/**
 *  Defines a constant for the password field of the User MySQL Table
 *  Password is used as credential
 */
define("USER_PASSWORD","password");

/**
 *  Defines a constant for the role field of the User MySQL Table
 *  User role defines access levels criteria managed by RBAC Engine
 */
define('USER_ROLE', 'id_access_level');

/**
 *  Defines a constant for Administrator role id
 *
 */
define('ADMIN_ROLE_ID', 100);

/**
 *  Defines a constant for the enable field of the User MySQL Table
 *  The enable field can be used to temporarily disable users.
 *  Leave the value of USER_ENABLED blank if you don't want to manage the enabling/disabling of users.
 *  Note: the enable database field value must be 1 or -1
 */
define('USER_ENABLED', 'enabled');
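As an added example (not code from WebMVC itself), here is a controller action that combines the login methods listed above with the ADMIN_ROLE_ID constant from security.config.php, keeping authentication and authorization as two separate checks. The no-argument User constructor, the '/admin/dashboard' return path and the isAdmin/adminDashboardAction names are assumptions.

```php
<?php
// Added example (not part of WebMVC): a controller action that first requires
// authentication and then requires the administrator role, using only the
// User methods and constants documented on this page.
// Assumptions: config/security.config.php and framework/User.php are loaded
// as shown below, and User can be constructed without arguments (check the
// real constructor in framework/User.php).
require_once __DIR__ . '/config/security.config.php';
require_once __DIR__ . '/framework/User.php';

/**
 * Returns true only when the given user is logged in AND holds the admin role.
 * A logged-in user with any other role is still denied.
 */
function isAdmin(User $user): bool
{
    if (!$user->isLogged()) {
        return false;
    }
    // USER_ROLE is an integer id; cast so a string "100" coming from MySQL
    // compares correctly against the int constant under strict comparison.
    return (int) $user->getRole() === ADMIN_ROLE_ID;
}

function adminDashboardAction(): void
{
    $user = new User();                 // assumption: no-argument constructor
    $user->autoLoginFromCookies();      // restore a remembered login, if any

    // Not logged in: redirect to the default login page and come back here.
    $user->checkForLogin(null, '/admin/dashboard', 'Please log in first.');

    // Defence in depth: do not rely on the redirect alone to stop execution.
    if (!isAdmin($user)) {
        http_response_code(403);
        echo 'Forbidden: administrator role required.';
        return;
    }

    echo 'Welcome, admin ' . htmlspecialchars($user->getEmail(), ENT_QUOTES, 'UTF-8');
}

adminDashboardAction();
```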
