SLIM Framework - How to make an Access Control Lis

Published 2020-07-29 02:32

An Access Control List, or ACL, defines the set of rules that determines which group of users have access to which routes within your Slim application.

Any idea how to use an Access Control List with SLIM?

I am trying to create an Access Control List for my REST API authorization.

Example :

  • Role member can only access GET, UPDATE on resource (/member)

  • Admin member can only access GET, UPDATE, POST, DELETE on resource (/admin)

Any idea how to do it with SLIM?

2 answers
爱情/是我丢掉的垃圾
Reply #2 · 2020-07-29 02:57

Still learning, but... In my Slim routes you can call a method on a controller. In that controller, name a permission for that specific method. Then just use in_array() to find that value in the user's access array, which you can save in $_SESSION when the user logs in.

// Route definition: the route calls a method on a controller
$this->get('/admin/users', 'AdminController:getUsers')->setName('admin.users');

// AdminController class > getUsers method >
$permission = "view_users";

// Deny when the permission is not in the access array saved in the session at login
// (strict comparison, so a loosely-equal value cannot match by accident)
if (in_array($permission, $_SESSION['user']['access'], true) === false) {
  // show flash message, redirect - whatever
}

Most people use Zend Acl now, though, but I didn't go that route in an effort to learn.

家丑人穷心不美
Reply #3 · 2020-07-29 02:59

I'm searching for the best way to implement resource ACL using SLIM as well. I think that route access control isn't a good thing. In a REST API, resources are identified by a dynamic URL, e.g. "/member/:id".

I think that permission control on a route does not provide any security check on a single resource; if a user has full access to [/member/1] they could always perform a DELETE on [/member/2], because the main route is always "/member".

To identify a single resource it's necessary to know the dynamic ID, and after that you can check if the user has permissions on this specific resource.

Applying GET, POST, DELETE checks on the generic route [/member], I think, does not provide correct control.

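As an added example (not code from this thread or from Slim itself), a small PHP ACL that puts both answers together: a role/method table over route prefixes like the one in the question, plus a second check on the dynamic ID so that, as the reply above argues, access to one /member/{id} does not grant access to another. The Acl class, its RULES policy and the sample user are constructed assumptions; in Slim it would be called from a middleware with the request's method and URI path.

```php
<?php
declare(strict_types=1);

final class Acl
{
    /** role => route prefix => allowed HTTP methods (constructed sample policy) */
    private const RULES = [
        'member' => ['/member' => ['GET', 'PUT']],
        'admin'  => ['/admin'  => ['GET', 'PUT', 'POST', 'DELETE']],
    ];

    /** Route-level check: may this role use $method on a path under one of its prefixes? */
    public static function routeAllowed(string $role, string $method, string $path): bool
    {
        foreach (self::RULES[$role] ?? [] as $prefix => $methods) {
            $matches = $path === $prefix || strpos($path, $prefix . '/') === 0;
            if ($matches && in_array(strtoupper($method), $methods, true)) {
                return true;
            }
        }
        return false; // unknown role or no matching rule: deny by default
    }

    /**
     * Resource-level check: a member may only touch their own record, identified
     * by the dynamic ID in /member/{id}. Admins pass; collection routes have no owner.
     */
    public static function resourceAllowed(array $user, string $path): bool
    {
        if ($user['role'] === 'admin') {
            return true;
        }
        if (preg_match('#^/member/(\d+)$#', $path, $m) !== 1) {
            return true; // e.g. GET /member: nothing specific to own
        }
        return (int) $m[1] === (int) $user['id'];
    }
}

// Constructed sample: member 1 tries to modify member 2's record.
$user = ['id' => 1, 'role' => 'member'];
var_dump(Acl::routeAllowed($user['role'], 'PUT', '/member/2'));    // true: the route rule allows PUT
var_dump(Acl::resourceAllowed($user, '/member/2'));                // false: not their own resource
var_dump(Acl::routeAllowed($user['role'], 'DELETE', '/member/1')); // false: members never DELETE
var_dump(Acl::resourceAllowed($user, '/member/1'));                // true: own record
```

Both checks have to pass before the handler runs; the first alone is exactly the gap the reply describes.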