librelist archives

Session support and permission ideas/questions

From:
Loic d'Anterroches
Date:
2011-03-11 @ 10:15
Hello,

just to let you know that I have nearly finished the session support
with multiple backends. It even supports:

- correct setting of the Vary header when a view needs to access session
  data to "Vary on Cookie".
- smart not to generate a session if you have a session enabled and do
  not use it. Your fully anonymous visitors will not trigger session
  write if not needed.

I still have the unit tests to finish to keep the 100% code coverage,
but once done, I will add the doc and release a 0.1. This will be the
first beta status release. Why beta now? Because if you have sessions,
you can have authentication, etc. We also have the form handling. This
means that the core elements are there. The first 1.0 release will be
done with a good authentication system.

For the permissions, I am not sure. I looked at the Symfony2 way of
doing things and I am afraid it is not that flexible (very CMS
oriented) and really heavy. From my experience, the Pluf way, used with
Indefero, is very flexible as you can put users into groups and attach
permissions to groups or directly to a given user. You can also have per
object permissions (negative and positive).

We can all live with the Linux permission system - users, groups and a
limited number of permissions (read, write, execute). So, I think that
this approach is the best.

I will write the documentation of the permission system as a basis to
discuss together. This will be easier.

loïc

--
Indefero - Project management and code hosting - http://www.indefero.net
Photon - High Performance PHP Framework - http://photon-project.com
Céondo Ltd - Web + Science = Fun - http://www.ceondo.com

Re: [photon.users] Session support and permission ideas/questions

From:
Mickaël Desfrênes
Date:
2011-03-11 @ 10:27
Hi,

Nice to see the session support. What backends are supported? Do we still
have the opportunity to change the backend like it's done in a "normal" PHP
app? I like to use an encrypted cookie-based backend as it distributes the
data across browsers (see
https://github.com/desfrenes/Azuki/blob/master/Azuki.php#L1210 ).

As for permissions, ZF has a very flexible backend-agnostic ACL system. I
like the idea of users/roles/resources, but the API could be easier to use.


Re: [photon.users] Session support and permission ideas/questions

From:
Loic d'Anterroches
Date:
2011-03-11 @ 10:43
Hello,

> Nice to see the session support. What backends are supported ? Do we
> still have the opportunity to change the backend like it's done in a
> "normal" PHP app ? I like to use encrypted cookie-based backend as it
> distributes the data across browsers (see
> https://github.com/desfrenes/Azuki/blob/master/Azuki.php#L1210 ).

I have an example cookie backend without encryption (but with a signature
on the values). I will add encryption, this is a good idea (note that I
am surprised that one needs to call 6 mcrypt_* functions to encrypt some
data).

Yes, you can swap and use the backend you want.

> As for permissions, ZF has a very flexible backend-agnostic ACL system.
> I like the idea of users/roles/resources, but the API could be easier to
> use.

Do you have a pointer to a tutorial or the api? Last week I was not able
to find something on their website (I do not know the framework, it
makes it difficult for me to find what I am looking for).

loïc


-- 
Dr Loïc d'Anterroches
Founder Céondo Ltd

w: www.ceondo.com       |  e: loic@ceondo.com
t: +44 (0)207 183 0016  |  f: +44 (0)207 183 0124

Céondo Ltd
Dalton House
60 Windsor Avenue
London
SW19 2RR / United Kingdom

Re: [photon.users] Session support and permission ideas/questions

From:
Mickaël Desfrênes
Date:
2011-03-11 @ 10:48
My calls on mcrypt_* may be suboptimal, I'm in no way an expert at PHP
encryption. I'll be glad to see a simpler way.

Zend_ACL:
http://framework.zend.com/manual/1.11/en/zend.acl.introduction.html


Re: [photon.users] Session support and permission ideas/questions

From:
Loic d'Anterroches
Date:
2011-03-11 @ 10:56

On 2011-03-11 11:48, Mickaël Desfrênes wrote:
> My calls on mcrypt_* may be suboptimal, I'm in no ways an expert at php
> encryption. I'll be glad to see a simpler way.

Looking at the examples:
http://www.php.net/manual/en/function.mcrypt-module-open.php
we really cannot do any simpler. I will just create 2 small
wrappers in \photon\crypto.

> Zend_ACL:
> http://framework.zend.com/manual/1.11/en/zend.acl.introduction.html

Great! You have the inheritance concept where I have groups, but more or
less this is the same approach. Good read!

loïc


Re: [photon.users] Session support and permission ideas/questions

From:
Mickaël Desfrênes
Date:
2011-03-11 @ 13:41
Here's also another acl system I built for a cms project:
https://github.com/desfrenes/Daizu/tree/master/applications/acl/models
it's not as flexible as Zend_ACL (also it has only a database backend) but I
kinda like the API, it feels a lot more natural to me than Zend's:

The API goes like this, setting new user, role and resources:

    $password = substr(uniqid(), -5);
    echo "Create new admin user...\n";
    $admin = new User;
    $admin_role = Role::fetch('admin');
    $admin_role->giveResource('cms.create');
    $admin_role->giveResource('cms.read');
    $admin_role->giveResource('cms.update');
    $admin_role->giveResource('cms.delete');
    $admin_role->giveResource('cms.publish');
    $admin_role->giveResource('cms.manage_resources');
    $admin_role->giveResource('cms.manage_users');
    $admin_role->save();

    $admin->setLogin('admin');
    $admin->setPassword(sha1($password));
    $admin->giveRole('admin');
    $admin->save();

And then testing if user has access to resource:

    $admin->hasResource('cms.read');



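As an added example, not code from Daizu, Pluf or Zend_Acl, here is a small in-memory permission checker that combines the models discussed in the thread: roles with inheritance (Zend_Acl's parent roles, Pluf's groups), "app.action" named permissions, and per-user, per-object positive or negative overrides as Loïc describes for Pluf. It assumes PHP 7.1+; every class, method and sample name in it is invented for the example.

```php
<?php
// Added example (not Daizu, Pluf or Zend_Acl code): roles with parents,
// "app.action" permissions, and per-user/per-object allow or deny rules.

final class Acl
{
    private $roleParents = [];   // role => list of parent roles
    private $roleGrants  = [];   // role => [permission => true]
    private $userRoles   = [];   // user => [role => true]
    private $userRules   = [];   // user => permission => (object id or '*') => bool

    public function addRole(string $role, array $parents = []): void
    {
        foreach ($parents as $parent) {
            $this->assertRole($parent);      // parents must already exist
        }
        $this->roleParents[$role] = $parents;
    }

    public function allowRole(string $role, string $perm): void
    {
        $this->assertRole($role);
        self::assertPerm($perm);
        $this->roleGrants[$role][$perm] = true;
    }

    public function giveRole(string $user, string $role): void
    {
        $this->assertRole($role);
        $this->userRoles[$user][$role] = true;
    }

    // Per-user rule, positive ($allowed = true) or negative; with an object id
    // it applies to that object only. A negative rule beats any role grant.
    public function setUserRule(string $user, string $perm, bool $allowed, ?string $objectId = null): void
    {
        self::assertPerm($perm);
        $this->userRules[$user][$perm][$objectId ?? '*'] = $allowed;
    }

    // Resolution order: per-object user rule, then user-wide rule, then any
    // role the user holds (walking parent roles), then default deny.
    public function isAllowed(string $user, string $perm, ?string $objectId = null): bool
    {
        self::assertPerm($perm);
        $rules = $this->userRules[$user][$perm] ?? [];
        if ($objectId !== null && isset($rules[$objectId])) {
            return $rules[$objectId];
        }
        if (isset($rules['*'])) {
            return $rules['*'];
        }
        $seen = [];
        $stack = array_keys($this->userRoles[$user] ?? []);
        while ($stack) {
            $role = array_pop($stack);
            if (isset($seen[$role])) {
                continue;                    // guards against role cycles
            }
            $seen[$role] = true;
            if (!empty($this->roleGrants[$role][$perm])) {
                return true;
            }
            foreach ($this->roleParents[$role] ?? [] as $parent) {
                $stack[] = $parent;
            }
        }
        return false;
    }

    private function assertRole(string $role): void
    {
        if (!array_key_exists($role, $this->roleParents)) {
            throw new InvalidArgumentException("unknown role: $role");
        }
    }

    // Permissions must follow the "app.action" convention from the thread.
    private static function assertPerm(string $perm): void
    {
        if (!preg_match('/^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$/', $perm)) {
            throw new InvalidArgumentException("permission must look like app.action: $perm");
        }
    }
}

// Constructed scenario: an editor role inheriting from reader, two users,
// one negative and one positive per-object override.
$acl = new Acl();
$acl->addRole('reader');
$acl->addRole('editor', ['reader']);
$acl->allowRole('reader', 'cms.read');
$acl->allowRole('editor', 'cms.update');
$acl->giveRole('alice', 'editor');
$acl->giveRole('bob', 'reader');
$acl->setUserRule('alice', 'cms.update', false, 'page-42');   // deny alice on one page
$acl->setUserRule('bob', 'cms.update', true, 'page-7');       // allow bob on one page

foreach ([['alice', 'cms.read', null], ['alice', 'cms.update', 'page-1'],
          ['alice', 'cms.update', 'page-42'], ['bob', 'cms.update', 'page-7'],
          ['bob', 'cms.update', 'page-8'], ['bob', 'cms.delete', null]] as [$user, $perm, $object]) {
    printf("%-5s %-10s %-7s => %s\n", $user, $perm, $object ?? '*',
           $acl->isAllowed($user, $perm, $object) ? 'allow' : 'deny');
}
```

The design choice worth noting for a permission system like this is the fixed resolution order: the most specific rule (user plus object) is consulted first and the default is deny, so a negative per-object rule cannot be undone by adding the user to a more powerful group, and a permission nobody ever granted is refused without any special case.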

Re: [photon.users] Session support and permission ideas/questions

From:
Loic d'Anterroches
Date:
2011-03-11 @ 15:10
Hello,

On 2011-03-11 14:41, Mickaël Desfrênes wrote:
> Here's also another acl system I built for a cms project:
> https://github.com/desfrenes/Daizu/tree/master/applications/acl/models
> it's not as flexible as Zend_ACL (also it has only a database backend)
> but I kinda like the API, it feels a lot more natural to me than Zend's:
> 
> The API goes like this, setting new user, role and resources:
> 
>             $password = substr(uniqid(), -5);
>             echo "Create new admin user...\n";
>             $admin = new User;
>             $admin_role = Role::fetch('admin');
>             $admin_role->giveResource('cms.create');
>             $admin_role->giveResource('cms.read');
>             $admin_role->giveResource('cms.update');
>             $admin_role->giveResource('cms.delete');
>             $admin_role->giveResource('cms.publish');
>             $admin_role->giveResource('cms.manage_resources');
>             $admin_role->giveResource('cms.manage_users');
>             $admin_role->save();
> 
>             $admin->setLogin('admin');
>             $admin->setPassword(sha1($password));
>             $admin->giveRole('admin');
>             $admin->save();
> 
> And then testing if user has access to resource:
> 
>            $admin->hasResource('cms.read');

Ok, you give resources where in Pluf I give "permissions", but with the
same "app.action" structure. Pretty nice.

By the way, just implemented the encryption of the cookies when used as
session storage. It works very well. Here is my "Crypt" class to do the
work:

class Crypt
{
    // $cipher and $mode are mcrypt algorithm and mode names. With 'ecb' the
    // IV is not used by the cipher, but mcrypt_generic_init() still wants one.
    public static function encrypt($data, $key, $cipher='twofish', $mode='ecb', $iv=null)
    {
        $td = mcrypt_module_open($cipher, '', $mode, '');
        $iv = (null === $iv)
            ? mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND)
            : $iv;
        // Cut the key down to the size the selected cipher accepts.
        $key = substr($key, 0, mcrypt_enc_get_key_size($td));
        mcrypt_generic_init($td, $key, $iv);
        $crypted = mcrypt_generic($td, $data); // mcrypt pads the last block with NUL bytes
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);

        return $crypted;
    }

    public static function decrypt($data, $key, $cipher='twofish', $mode='ecb', $iv=null)
    {
        $td = mcrypt_module_open($cipher, '', $mode, '');
        $iv = (null === $iv)
            ? mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND)
            : $iv;
        $key = substr($key, 0, mcrypt_enc_get_key_size($td));
        mcrypt_generic_init($td, $key, $iv);
        // Strip the NUL padding added on encryption.
        $decrypted = rtrim(mdecrypt_generic($td, $data), "\0");
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);

        return $decrypted;
    }
}

The ecb mode does not need an initialization vector (IV) and it is said
that mcrypt_generic_init will ignore it, but it still requires one of
the size of the key even if it is not used; this is why an IV is created
even when it is not needed...

Still a bit of work for the unit tests, but now I have 2 fully
functional backends: cookies and file. I will put the cookie backend as
default one in the configuration.

loïc


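Loïc's Crypt class above encrypts the cookie but does not bind an integrity check to the ciphertext, and its decrypt path only trims NUL padding, so a modified cookie is decrypted into garbage rather than rejected. As an added example, not code from Photon, Azuki or the Crypt class in the thread, here is what a cookie session codec looks like when it encrypts with a fresh random IV per cookie and verifies an HMAC before decrypting (encrypt-then-MAC). It assumes PHP 7.1+ with the OpenSSL extension; the class name, method names and the HMAC-based key derivation are choices made for this example.

```php
<?php
// Added example (not Photon or Azuki code): authenticated encryption for a
// cookie-based session backend using PHP's OpenSSL and hash extensions.

final class SessionCookieCodec
{
    const CIPHER  = 'aes-256-cbc';   // 16-byte IV, 32-byte key
    const TAG_LEN = 32;              // HMAC-SHA256 output length
    private $encKey;
    private $macKey;

    public function __construct(string $masterKey)
    {
        if (strlen($masterKey) < 32) {
            throw new InvalidArgumentException('master key must be at least 32 bytes');
        }
        // Separate encryption and authentication keys derived from one master
        // secret (simple HMAC-based derivation, assumed for this example).
        $this->encKey = hash_hmac('sha256', 'session-enc', $masterKey, true);
        $this->macKey = hash_hmac('sha256', 'session-mac', $masterKey, true);
    }

    // Serialise, encrypt under a fresh random IV, then MAC over IV||ciphertext.
    // Returns base64; setcookie() URL-encodes the value for the Set-Cookie header.
    public function seal(array $session): string
    {
        $plain = json_encode($session);
        $iv = random_bytes(openssl_cipher_iv_length(self::CIPHER));
        $ct = openssl_encrypt($plain, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        $body = $iv . $ct;
        $tag = hash_hmac('sha256', $body, $this->macKey, true);
        return base64_encode($tag . $body);
    }

    // Check the MAC in constant time before touching the ciphertext. Any
    // failure (bad base64, bad tag, bad padding, bad JSON) yields null, which
    // the caller treats as "no session" and starts an empty one.
    public function open(string $cookie): ?array
    {
        $raw = base64_decode($cookie, true);
        $ivLen = openssl_cipher_iv_length(self::CIPHER);
        if ($raw === false || strlen($raw) < self::TAG_LEN + $ivLen + 16) {
            return null;
        }
        $tag = substr($raw, 0, self::TAG_LEN);
        $body = substr($raw, self::TAG_LEN);
        if (!hash_equals(hash_hmac('sha256', $body, $this->macKey, true), $tag)) {
            return null;
        }
        $iv = substr($body, 0, $ivLen);
        $ct = substr($body, $ivLen);
        $plain = openssl_decrypt($ct, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($plain === false) {
            return null;
        }
        $session = json_decode($plain, true);
        return is_array($session) ? $session : null;
    }
}

// Demonstration with a constructed key and session payload.
$codec = new SessionCookieCodec(random_bytes(32));
$cookie = $codec->seal(['user_id' => 42, 'csrf' => 'constructed-token']);
$session = $codec->open($cookie);
echo "round trip: ", (($session['user_id'] ?? null) === 42 ? 'ok' : 'FAILED'), "\n";

// Flip one base64 character inside the IV/ciphertext part: the MAC no longer
// matches, so open() returns null without attempting decryption.
$tampered = $cookie;
$tampered[50] = ($tampered[50] === 'A') ? 'B' : 'A';
echo "tampered cookie: ", ($codec->open($tampered) === null ? 'rejected' : 'ACCEPTED (bug)'), "\n";
```

Two points the thread's Crypt class leaves open are handled here: the IV is random for every cookie (so two identical sessions do not produce identical cookies, which ECB mode cannot offer), and the integrity check runs on the raw ciphertext before any decryption or padding handling, so a tampered or truncated cookie is simply dropped.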

Re: [photon.users] Session support and permission ideas/questions

From:
Mickaël Desfrênes
Date:
2011-03-11 @ 10:42
Oops... I just read from the manual:

"Cookie Storage

All the data are stored in signed cookies. The system is smart enough to
limit the data transfer and avoid sending too many cookies.
"

Very nice indeed.
