What about the idea of transparently integrating an access control list into the model via a plugin. Having domain model instance based security is a requirement for some of the projects I work on. The basic idea is to have a GrantedAuthority resource something like:
-
-
class GrantedAuthority
-
include DataMapper:Resource
-
property :id, Fixnum, :serial => true
-
property :user_id, Fixnum
-
property :resource_id, Fixnum
-
property :resource_type, String
-
property :token, String
-
end
-
Then you would modify/shadow some of the class & instance methods on the resource that you are protecting, including:
- Resource class methods
- Resource#first / Resource#secure_first / Resource#first! / etc
- Resource#all
- Resource#get
- Resource#[]
- Resource#create
- Resource instance methods
- resource#save
- resource#destroy
This would allow something along the lines of
-
-
@contacts = Contact.all!(user,‘READ’, :first_name.like => ‘J%’, … )
-
-
# perhaps the READ token is defined on the Resource
-
# and you don’t need to specify it here
-
@contacts = Contact.all!(user, :first_name.like => ‘J%’, … )
-
The model should “know” how to create the necessary joins to apply the ACL
-
-
– #all SQL
-
SELECT * FROM contacts
-
-
– becomes
-
SELECT * FROM contacts WHERE (id IN
-
(SELECT resource_id
-
FROM granted_authorities
-
WHERE user_id = ? AND token = ? AND resource_type = ?
-
)
-
)
-
This has been fairly simple so far. Lets allow for a more complex case of the resource being queried not being the resource that has the entry in the granted_authorities table. For example, an OrganisationalUnit that contains a number of Contact(s) and the right to ‘READ_CONTACT’ is granted on the OrganisationalUnit. We would need to produce something like this:
-
-
SELECT contacts.*, organisational_units.id FROM contacts
-
LEFT OUTER JOIN organisational_units ON organisational_units.id = contacts.id
-
WHERE (organisational_units.id IN
-
(SELECT resource_id
-
FROM granted_authorities
-
WHERE user_id = ? AND token = ? AND resource_type = ?
-
)
-
)
-
What does dm-core need to provided for us to build the plugin? We need to support joins to join in the container objects. Dan Kubb is working on that and should have it pretty soon. We must be able to do sub-selects. This feature was push to after the 1.0 release. Fortunately, it was not so hard to implement. I just pushed the required changes to github. You can now do something like:
-
-
acl = DataMapper::Query.new(Permission, :user_id => 1, :resource_type => ‘SailBoat’, :token => ‘READ’, :fields => [:resource_id])
-
query = DataMapper::Query.new(SailBoat, :port => ‘Cape Town’,:id => acl,:captain.like => ‘J%’)
-
boats = @adapter.read_set(repository(:sqlite3),query)
-
Once I wrap this concept up into a plugin you would do something like:
-
-
user = get_current_user
-
contacts = Contact.all!(user,‘READ’,:first_name => ‘john’,:city.like => ‘Jo%’)
-
-
# or if the token was specified on the Resource
-
contacts = Contact.all!(user,:first_name => ‘john’,:city.like => ‘Jo%’)
-
I will write about how you would configure ACL’s on you model/resource in a part II.
– until next time –
April 2nd, 2008 at 12:10 pm
[…] time I wrote about the internals of a proposed ACL plugin. Today I want to focus on the model. How would you […]