
php-abac's Issues

PolicyRuleManager suggestion

Please take a look at PolicyRuleManager::getRule() method.
I suppose it will be very useful in some cases to make 2-step authorization. Especially when using frameworks:

  1. We need to check if the user can access this action at all. If not, we just stop the code and don't try to get the object:
$abac->enforce('blabla', $user);
  2. Only after that we want to perform a query to the database to find an object and check access to the object:
$abac->enforce('blabla', $user, $object);

This can be very useful when the db query (or 3rd party service query) is heavy and takes a lot of time.

But in the current implementation it is not possible with a single rule. The library will always try to check $object even if it wasn't passed to the enforce() method.

So, I suggest to add a check to the PolicyRuleManager::getRule() method like this:

    foreach ($this->processRuleAttributes($rule['attributes'], $user, $resource) as $pra) {
        // Skip resource-side attributes when enforce() was called without a resource,
        // so the same rule can be used for the user-only first step
        if (!$resource && $pra->getAttribute()->getType() == 'resource') {
            continue;
        }
        $Policy->addPolicyRuleAttribute($pra);
    }

Maybe there is a prettier way to do this. So what do you think? Another option is to add a method to the Abac class:

$abac->enforceUserOnly('blabla', $user); // or something like this

Reference attribute in abac rules

The goal is to turn this configuration:

    troop_leadership:
        attributes:
            user.isActive:
                comparison_type: boolean
                comparison: boolAnd
                value: true
            user.troopAssociations:
                comparison_type: array
                comparison: contains
                with:
                    troopAssociation.troop.id:
                        comparison_type: numeric
                        comparison: isEqual
                        value: dynamic
                    troopAssociation.role.position:
                        comparison_type: numeric
                        comparison: isEqual
                        value: 1
    if ($this->get('kilix_abac.security')->enforce('troop_membership', $this->getUser(), $troop, [
        'dynamic_attributes' => ['troop-id' => $troop->getId()]
    ]) !== true) {
        throw new AccessDeniedHttpException('troops.access_denied');
    }

to:

    troop_leadership:
        attributes:
            user.isActive:
                comparison_type: boolean
                comparison: boolAnd
                value: true
            user.troopAssociations:
                comparison_type: array
                comparison: contains
                with:
                    troopAssociation.troop.id:
                        comparison_type: object
                        comparison: isFieldEqual
                        value: id
                    troopAssociation.role.position:
                        comparison_type: numeric
                        comparison: isEqual
                        value: 1
    if ($this->get('kilix_abac.security')->enforce('troop_membership', $this->getUser(), $troop) !== true) {
        throw new AccessDeniedHttpException('troops.access_denied');
    }
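Added example, not php-abac's own code, serving both the two-step enforce() suggestion in the first issue and the isFieldEqual reference attribute above: a tiny evaluator that skips resource-dependent checks when no resource is passed and resolves the rule's value from the resource. The rule layout, the 'subject' key, readPath/evaluate and all sample objects are constructed assumptions.

```php
<?php
// Added illustration, not php-abac's own code: a tiny evaluator for the two ideas
// raised above. Checks that need the resource are skipped when none is passed
// (two-step enforce), and "isFieldEqual" reads its expected value from the resource.
// The rule layout, the "subject" key and the sample objects are all constructed here.
function readPath($obj, string $path) {   // "troop.id" => $obj->troop->id
    foreach (explode('.', $path) as $step) {
        if (!is_object($obj)) { return null; }
        $obj = $obj->$step ?? null;
    }
    return $obj;
}

// $checks: path => ['subject' => 'user'|'resource', 'comparison' => ..., 'value' => ...,
//   'with' => checks applied to each element of a 'contains' array, where 'user' is that element]
function evaluate(array $checks, $subject, ?object $resource): bool {
    foreach ($checks as $path => $c) {
        $needsResource = $c['subject'] === 'resource' || $c['comparison'] === 'isFieldEqual';
        if ($resource === null && $needsResource) { continue; }  // two-step: user-only pass
        $actual = readPath($c['subject'] === 'resource' ? $resource : $subject, $path);
        if ($c['comparison'] === 'contains') {
            $hit = false;
            foreach ((array) $actual as $item) {
                $hit = $hit || evaluate($c['with'], $item, $resource);
            }
            if (!$hit) { return false; }
            continue;
        }
        // isFieldEqual: the rule's "value" is a field name on the resource, not a literal
        $expected = $c['comparison'] === 'isFieldEqual' ? readPath($resource, $c['value']) : $c['value'];
        if ($actual !== $expected) { return false; }
    }
    return true;
}

// Constructed sample mirroring the troop_leadership policy from the second issue
$troopLeadership = [
    'isActive' => ['subject' => 'user', 'comparison' => 'isEqual', 'value' => true],
    'troopAssociations' => ['subject' => 'user', 'comparison' => 'contains', 'with' => [
        'troop.id'      => ['subject' => 'user', 'comparison' => 'isFieldEqual', 'value' => 'id'],
        'role.position' => ['subject' => 'user', 'comparison' => 'isEqual', 'value' => 1],
    ]],
];
$troop = (object) ['id' => 7];
$leader = (object) ['isActive' => true, 'troopAssociations' => [
    (object) ['troop' => $troop, 'role' => (object) ['position' => 1]],
]];
var_dump(evaluate($troopLeadership, $leader, null));    // step 1: user-only check, before any DB lookup
var_dump(evaluate($troopLeadership, $leader, $troop));  // step 2: same rule against the loaded troop
```

Because the user-only pass only skips checks, a deny in step 1 is final while an allow still has to be confirmed by step 2 once the resource is loaded.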

Thoughts on DI

Kern046,
first of all, thank you for this package since it looks like the only ABAC implementation for native PHP at all :)
But I found this library very NON-extendable :(
One simple example. It is not possible at all to plug in your own Loader (I want to develop and use e.g. an SQL or MongoDB loader for policies). And all Managers are instantiated by class name in the Abac constructor too...
By using classname-dependent code you don't give developers a chance to extend your library ((( The only way to use it in a real project is to copy-paste and rewrite the code.

Documentation for custom rules

I got myself into a situation where I needed to write a custom comparison method, and was able to figure it out, but the library didn't have a ton of documentation to go off of.

I'd be happy to contribute an example of writing and using a custom comparison class if there's interest in enhancing the documentation in this area?

Thanks for the great library!
