We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Row/Object Level Security

Hello!

I'm writing an ERP application now and I'm trying to figure out how to implement Row Level Security. In my application access list is based on users and roles. I know I can block single users from doing actions in controllers, but how can I block them from getting all records (they'll get only records they can see) or related records (same here)?

I hope you can help me. Best regards!

For this I recommend to create some groups permissions. Each group can contain one or more roles.

On your records add a new column for group_id. When you need to get your records, check first on which group your user belogs to, and query after group_id too.

edited Dec '15

Just put in the condition when you select records proper condition you want. I dont think so it has anything to do with ACL. Its more about proper query imho.

Also i did a pull request to phalcon with adding function as 4th parameter in allow/deny method and option to check isAllowed method on objects. In this way we can add some custom logic for acl for example checking edit/remove object. There is pull request if you want comment it and add some idea:

https://github.com/phalcon/cphalcon/pull/11237

And there is repo with this thing implemented:

https://github.com/Jurigag/cphalcon/tree/2.0.x

Thanks for your answers!

Sorry, I probably didn't state it clearly, but I'm trying to implement single user permissions for single records. I have groups, but I need an option to exclude single user from, for example, editing single record. This permissions are higher in hierarchy than ACL based on roles, so if I disable user from editing a record with id=3, user still can edit other records. I know how to do it, but I don't know how to simply and efficiently block user from fetching records in which he is disabled from viewing it. I'm trying to do it without PHQL, but I didn't find a way to do it. Thanks for your help.



145.0k
Accepted
answer
edited Dec '15

First:

Why cant user edit this record ? I guess beacause its not added by him/ not added by his shop(for example) or whatever other reason. He cant just edit it beacause not. Then you need some information about this record, how you gonna get it if you dont wanna do query ?

You can use my branch of phalcon, after compile phalcon its adding two new interfaces: Roleable and Resourceable. Then your model must implement Resourceable, and your user class(model) Roleable. Then you can do something like this:

$acl->allow('SomeRole','SomeResource','update',function(UserClass $user, ModelClass $model){
    return $user->getId() == $model->getUser();
});

If getUser() ofc will return id of user.

And then somewhere in code you can do this:

$acl->isAllowed($user,$model,'update');

Second:

If you just want to hardcoded it that some role just cant edit id=3 noe matter what is this then you have something wrong. There must be some reason.

Thanks for your reply!

Well, I don't want to hardcode it, it was just an example. I don't want to build a query, because I wan't to keep things simple, but as far as I can see, I'll be unable to implement that kind of ACL without queries. Your implementation is very useful for me, I'll try it. Thanks for your replies!

edited Dec '15
  1. maybe Jurigag's solution will work for now, but if his changes doesn't get included in the official phalcon release, you won't be able to update to new phalcon releases to take advantage of new features and fixes.

  2. since the ACL data rarely changes in production, use models and cache the result
edited Dec '15

Well you should wait for 2.1.x phalcon. I hope it will be included when they release it. Cuz currently PR is for 2.1.x cuz i added some more functionallity. But i guess you can still use 2.0.x PR which i did. Just check my repo for 2.0.x branch. It should as i provided after compiling phalcon.