search

banks / aacl

Another ACL for Kohana 3. Please see README.md for a justification of this indulgence.
MIT License
27 stars 10 forks source link

How to handle anonymous user? #1

Closed ghost closed 14 years ago

ghost commented 14 years ago

AACL::check() dictates that all unauthenticated anonymous users will immediately hit the 401 exception. But for my application, I need to make some resources accessible to anonymous users. For example, a controller named Controller_Demo has two methods: action_index() and action_edit(), and I need the action_index() accessible to anonymous user while action_edit only accessible to admin. Then how do I implement this?

With the current AACL, I must get action_index() away from AACL::check(), so for my many controllers I must hardcode into php files the rules whether they should be AACL::check()'d or not. This is definitely in an unconfigurable manner which contradicts with your aims of AACL imo.

Then I start thinking whether I should create an "all" or "everyone" role, or a special role for anonymous. But it's still strange to assign role before any authentication is done. Maybe I can use Aacl_Rules with NULL role_id to represent rules of everyone or anonymous? So which way is better? Any opinion is appreciated.

banks commented 14 years ago

You are right - you will need to check in the specific actions if you need global access to some. To allow configurable control for non-logged in users, you would have to modify auth to provide a 'dummy' user or role. I choose not to implement something like this by default but it shouldn't be too hard.

What do you suggest? I very purposefully wanted to make rules allow only as it massively simplifies the system and makes it much easier to understand.

Maybe I can use Aacl_Rules with NULL role_id to represent rules of everyone or anonymous?

Sounds like a reasonable solution. You will probably need to change the checking code to check roles with NULL id for non-logged in users. Bear in mind also that you will have to also check your NULL rules for logged in users.

Sounds like a sensible addition. I haven't actually used this code - I simple thought it up one night and wrote it so such an amendment probably is necessary.

At some point I might re-write it to use Jelly since I no longer work with Sprig models...

ghost commented 14 years ago

Thank you for quick reply! I end up with adding a dummy role "" for everyone, and a few other tweaks, instead of the NULL way. The meaning of NULL seems confusing to me, while using role "" I just need to ensure it's only used by aacl, not by any real user.

I've just started using Jelly and have myself a clumsily converted jelly-aacl. I will be gladly looking forward to a Jelly rewrite by you!

ghost commented 14 years ago

I've reconsidered the NULL way. You are using NULL to represent all actions and all conditions, so why not all resources and all roles? Then we have a consistent method to compare rules.