
I've been tasked to work out a model which will introduce restrictions or levels in an existing web application. The application is not consequently built to easily implement this feature. Server side is PHP, client side is jQuery.

These restrictions are associated with plans or subscriptions a user has bought.

I've come up with a model where:

  • Functions are mapped with actions.
  • An Action is a meaningful definition of an act a user can do on the application.
  • A plan is a list of actions with a meaningful restrictive value.

A real world example

  • requestIntroduction() is mapped with 'requesting' <-> 'introduction'
  • The action is a 'request' of an 'introduction'
  • Current plan allows user to request 5 introductions
  • Do the check

I'm looking for a generic way to control restrictions as much as possible in one place in the code because:

  • Plans will be added, removed and adjusted frequently
  • Restrictions will be added, removed and adjusted frequently (to a plan)
  • Adjusting restrictions and plans will be a feature in an admin console in the future.

My question is: is there a better way to achieve the same generic approach to handle restrictions and to minimize coding future changes to plans and/or restrictions?

Gnagy

1 Answer


Imagine you define your action methods like "emptyBinAction", "gothereAction" on a controller (admitting you are using MVC or a similar design pattern).

You can easily check the permission based on method names:

Example:

protected function emptyBinAction($params) {
    // Stop before doing any work when the check reports a denial
    if ($this->checkAccess() === false) {
        return;
    }

    ...
}

For example, you can use checkAccess() to check login + whether the user has permission for this action:

protected function checkAccess() {
    // Check login
    if ($this->myModel->checkLogin()) {
        // Query DB for permission (pass user id and func name);
        // $usrId is the id of the logged-in user
        if (!$this->myModel->checkPerm($usrId, $this->getCallerName())) {
            return false;
        }
    }
    ...
}

Example method to return the caller name (in this case it will return "emptyBinAction"):

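public function getCallerName() {
    $e = new Exception();
    $trace = $e->getTrace();
    // Frame 0 is getCallerName(), frame 1 is checkAccess(),
    // frame 2 is the action method that called checkAccess()
    return $trace[2]['function'];
}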

In terms of the checkPerm() query and DB structure you can do as you wish: either attribute permissions to user groups, or to each user, or both.

Enoque Duarte
  • Your proposal is exactly what I had in mind, except that instead of using a function like the getCallerName() you define, I was thinking of the PHP magic constant [__FUNCTION__](http://php.net/manual/en/language.constants.predefined.php). Would this be advisable? – Gnagy Oct 11 '13 at 11:12
  • As I see in the PHP manual, the __FUNCTION__ value is lower cased, so it's up to you. I see there too __METHOD__, which is case sensitive, but never tested it, might work: http://php.net/manual/en/language.constants.predefined.php – Enoque Duarte Oct 11 '13 at 11:45
  • According to the docs, the constant returns lower cased string in PHP 4 but case-sensitive in PHP 5 and above. Tested it and works as described. The platform uses PHP 5.3 so I think it's safe to use the constant. – Gnagy Oct 11 '13 at 11:57
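
One way to keep plans and limits in a single place, written as an added example (not code from either poster): method names map to actions, each plan lists a limit per action, and the gate denies by default and throws rather than returning false. The class names, action keys, plans and the in-memory usage counter are hypothetical stand-ins for database tables, and array() syntax is used so it runs on PHP 5.3.

```php
<?php
// Added example; every name and all sample data here are hypothetical.
final class AccessDenied extends RuntimeException {}

final class PlanGate
{
    // Method name -> action key. A method with no mapping is denied.
    private $actions = array('requestIntroduction' => 'request.introduction');
    // Plan -> action key -> limit (null = unlimited). Constructed data standing
    // in for the tables an admin console would edit.
    private $plans = array(
        'basic'   => array('request.introduction' => 5),
        'premium' => array('request.introduction' => null),
    );
    private $usage = array(); // "userId|action" => count; stands in for a DB counter

    public function authorize($userId, $plan, $method)
    {
        if (!isset($this->actions[$method])) {
            throw new AccessDenied("no action mapped to $method");
        }
        $action = $this->actions[$method];
        if (!isset($this->plans[$plan]) || !array_key_exists($action, $this->plans[$plan])) {
            throw new AccessDenied("plan '$plan' does not include $action");
        }
        $limit = $this->plans[$plan][$action];
        $key   = "$userId|$action";
        $used  = isset($this->usage[$key]) ? $this->usage[$key] : 0;
        if ($limit !== null && $used >= $limit) {
            throw new AccessDenied("limit of $limit reached for $action");
        }
        $this->usage[$key] = $used + 1; // in a DB, do check and increment atomically
    }
}

function requestIntroduction(PlanGate $gate, $userId, $plan)
{
    $gate->authorize($userId, $plan, __FUNCTION__); // throws, so it cannot be ignored
    return 'introduction requested';
}

$gate = new PlanGate();
try {
    for ($i = 1; $i <= 6; $i++) {
        echo $i, ': ', requestIntroduction($gate, 42, 'basic'), "\n";
    }
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), "\n";
}
```

The user id and plan passed to authorize() should come from the server-side session and database, never from a value the jQuery client sends.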