Thread

The ACL plugin

The missing ACL plugin that should have come with CI!

The CodeIgniter Acl class implements a robust database-driven access control mechanism that includes users, groups, and roles.

A user can belong to many groups. Any number of roles can be assigned to entire groups, or individual users. The class includes simple but effective password validating/updating and convenient description fields for users, roles, and groups.

Other features include:
-> Simple user password auth (plaintext or md5 [default] - configurable)
-> Strict decoupling of database-specific logic, makes exclusive use of the CI database class
-> Methods to check for user role assignments (direct or inherited via group)
-> Optimized database structure - should easily handle thousands of users/roles/groups
-> Written to follow strict CI coding guidelines (docblocks, indentation, naming, etc)
-> Free as in Beer (GPL v2)

Installation is simple. Download the zip archive attached to this thread. You will copy all the .php files to your application/models directory. Next, import a database schema. The CI Acl class has been tested with MySQL, PostgreSQL, and SQLite. In the acl_scripts folder are .sql files to create the needed tables for each database type (depending on which one you use).

You may also grab the latest from SVN via:
http://svn.supergluetech.com/repositories/codeigniter/acl

Once all this is completed, you load it as with any typical CI model:

$this->load->model('acl');

Please refer to the manual.htm file for usage.

Please report any bugs to me via: dean [at] supergluetech.com

Attention

Who’s using the ACL plugin? If you are using the plugin, I would love to hear from you as well as any suggestions and/or improvements that you would like to see.

Also, if anyone is interested in pitching in (especially with documentation), gimme a shout. I would really like to get things polished up.

Wow!
Seems like great work!
I’ll check it out and come back with some feedback!

**UPDATE** 12/28/2009 10:18 PM:

I am putting an initial reference guide together (with full index of all functions, and detailed examples) in the form of plain HTML. Expect something in a couple days 😊

- Dean

*bookmrked* I’d been considering making something like this, looking forward to the possibility that it’s one more thing I won’t have to do to have an auth system that works for me 😊

Hi Dean,

great work - i like the ‘plugin’-character of this piece of software 😊

I will try to plug it in my app (authentication-library allready built in) and report here what i found.

Maby you can provide the docs in the meantime?!

Regards

Happy new years to start with…

Lots has happened since the last post.

First, I have beaten the lazy outta myself and got a subversion project set up for this.

Read only public access is available at http://svn.supergluetech.com/repositories/codeigniter/acl

Included on the server is a [incomplete] reference manual.htm file that documents EVERY function.

Also in the svn trunk are a handfull of bugfixes - anyone who has downloaded the acl class are advised to grab the latest versions.

I will keep everyone posted!

One last note.. I have a good handfull of changes that will be committed by noon today (1/5/10) - Please excuse any broken scripts in the meanwhile.

Among the changes are:

-> Ability to auto-hydrate instantiated group/user/role objects
-> Bugfixes to main class
-> Little more documentation
-> Small cleanup

Looks promising over my acl library. I’ll try this

Dean,
Great looking ACL plug-in.  Thanks for sharing.  I was in the process of writing some of this for a current project, but I came across this and figured it would fill the 90% that most people would need for ACL in a project.  It looks nice and clean.

Anyhow, I’ve come across a bug. The acl model has a bug in lines 812 and 954.

This:

$this->_table['user_groups']

Should be:

$this->_table['group_users']

Let us know if there’s a better way to contact you with bugs.

Thanks,
Brian

Thanks for pointing that out!

This has been fixed and commited to SVN.

I am including my email address in the main post for bug reporting. I may eventually set up mantis or something.

I’ve been familiarizing myself with the plug-in as I incorporate it into a project.  Would it be possible/beneficial to pass an array of role_ids to user_has_role() and group_has_role() instead of just a single role_id?  I’m guessing many times in a project, access would be given based on a handful of roles.  (Of course we could just use OR statements.)  I’m also guessing a hierarchy or ranking of roles is often used for ACLs.  There also might be other class methods where passing an array to it might be beneficial.  Just a couple of thoughts.

I’ve been familiarizing myself with the plug-in as I incorporate it into a project.  Would it be possible/beneficial to pass an array of role_ids to user_has_role() and group_has_role() instead of just a single role_id?  I’m guessing many times in a project, access would be given based on a handful of roles.  (Of course we could just use OR statements.)  I’m also guessing a hierarchy or ranking of roles is often used for ACLs.  There also might be other class methods where passing an array to it might be beneficial.  Just a couple of thoughts.

That sounds like a great idea, however.

The thinking was database optimization. I could implement this, but I would not recommend it unless using it on an ACL user/group/role objects: i.e.:

$user = $acl->get_user('10',TRUE);
$user->has_role('3');

The reason is: when you return a user object one of the options is to auto hydrate (or not). The default [when returning ACL users, groups, and roles] is NOT to hydrate.

When you auto hydrate, the ACL user/group/role objects pre-polulate [load] all the relating info into variables. This way, multiple tests are only comparing variables rather than making repetitive database calls.

Ideally, when a user is logged in, you would instantly create a ACL user object that represents that user.

In the case of the ACL class, you would not (even from a logical programmatic standpoint) have auto hydration going on in the parent ACL object level. So bottom line is: passing arrays for checking can be implemented at both the core ACL level AND ACL user/group/role levels - but only advisable to use this feature at the user/group/role levels. This way, auto hydration makes it easy and much more practical from a performance standpoint.

I will work on integrating this into the classes sometime this next couple weeks unless someone wants to pitch in 😉

Aha, thanks.  That makes sense.  Have you been successful at storing the user object as a session object?  I haven’t tried yet.  There seems to be quite the shake-up regarding session objects here.
http://ellislab.com/forums/viewthread/95690/

Thanks for your plugin. I has been tried and it’s look good.
But it have small bug. When you try :

$this->acl->add_role_to_user(2, 1);

it generate error. In acl.php line 654:

$this->db->insert($this->db_table['user_roles'],$data);

it should be:

$this->db->insert($this->_table['user_roles'],$data);

Is this plug-in still being developed/supported?  I find it interesting and would like to work at converting it to CI 2.x and PHP 5.3.x.