SLIM Framework - How to make an Access Control List

Published 2020-07-29 02:44

Question:

An Access Control List, or ACL, defines the set of rules that determines which group of users have access to which routes within your Slim application.

Any idea how to use an Access Control List with SLIM?

I am trying to create an Access Control List for my REST API authorization.

Example:

  • Role member can only access GET, UPDATE on resource (/member)

  • Admin members can only access GET, UPDATE, POST, DELETE on resource (/admin)

Any idea how to do it with SLIM?

Answer 1:

Still learning, but... In my Slim routes, you can call a method on a controller. In that controller, name a permission for that specific method. Then just use in_array() to find that value in the user's access array, which you can save in $_SESSION when the user logs in.

// Slim 3 style route registration: 'Class:method' callable, named route
$this->get('/admin/users', 'AdminController:getUsers')->setName('admin.users');

AuthController class > getUsers method >

// Permission name for this one controller method
$permission = "view_users";

// Third argument (strict) avoids PHP's loose == comparison in in_array();
// '?? []' keeps this from warning when no user is logged in.
if (in_array($permission, $_SESSION['user']['access'] ?? [], true) === false) {
    // show flash message, redirect - whatever
}

Most people use Zend ACL now, though, but I didn't go that route, in an effort to learn.



Answer 2:

I'm also searching for the best way to implement resource ACLs using SLIM. I think that route access control isn't a good thing. In a REST API, resources are identified by a dynamic URL, e.g. "/member/:id".

I think that permission control on a route does not provide any security check on a single resource; if a user has full access to [/member/1], they could always perform a DELETE on [/member/2], because the main route is always "/member".

To identify a single resource it's necessary to know the dynamic ID, and after that you can check whether the user has permissions on this specific resource.

Applying a GET, POST, DELETE check on the generic route [/member], I think, does not provide correct control.