March 17, 2006

Access Control Lists (ACL)

Cameron Manderson @ 8:51 am

Access control lists are a way of adding more flexibility to your authentication (or access control, as it should properly be called). They let you create roles/groups and restrict access to particular resources or functions. Because the lists are data, your ACLs can be managed separately from your source code (for example, in your database), so you can easily create new roles and grant them access to resources without adding new lines of checks to your web application.

Although the traditional if/switch checks work when you are dealing with polarised groups (normal user vs. administrator), they quickly become too difficult to maintain once you introduce a third group, such as “public” or “developer”. The easiest way to understand access control lists is as a 2D table: each column is a resource that may be accessed, and each row is a particular role. In each cell of this table you configure whether that role is allowed or denied access to that resource.

In your application the checks can now be centralised into a single, leaner and more concise call: acl_check($resource, $group);

Depending on your web design this call can be placed on every page or, more practically and as better design, in a gateway or preprocess function (in an MVC Struts design these checks would typically be placed in the RequestProcessor’s processPreprocess()).

By moving to this design we can get rid of dozens of lines of checks and simply test access to a particular resource by calling acl_check(). Access to resources is now centralised in your access control lists and can be managed externally, so you can grant access to a new system “role” without touching your source code again.
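The following is an added example, not code from the original post, showing the 2D role/resource table, the single acl_check() call, and a gateway function that performs the check once per request. The table is constructed inline here rather than loaded from a database, and the names ($acl_table, acl_check, acl_gateway, the roles and the resources) are all hypothetical. It goes slightly beyond the text in two ways: a role/resource pair missing from the table is denied by default, and an unauthenticated request is distinguished from a denied one.

```php
<?php
// 2D ACL table: each row is a role, each column a resource (constructed sample data).
// A pair not present in the table is treated as denied (default-deny).
$acl_table = [
    'public'        => ['home' => true,  'reports' => false, 'admin' => false],
    'normal_user'   => ['home' => true,  'reports' => true,  'admin' => false],
    'administrator' => ['home' => true,  'reports' => true,  'admin' => true],
    'developer'     => ['home' => true,  'reports' => true,  'admin' => false, 'debug' => true],
];

/**
 * Central check: true only when the table explicitly allows $role to reach
 * $resource. Unknown roles or resources fall through to false.
 */
function acl_check(string $resource, string $role, array $table): bool
{
    return $table[$role][$resource] ?? false;
}

/**
 * Gateway / preprocess step (hypothetical): every request passes through here
 * once, so individual pages need no if/switch checks. Returns the HTTP status
 * the front controller should respond with.
 */
function acl_gateway(string $resource, ?string $role, array $table): int
{
    if ($role === null) {
        return 401; // not authenticated at all
    }
    if (!acl_check($resource, $role, $table)) {
        return 403; // authenticated, but the ACL denies this resource
    }
    return 200;
}

// Constructed sample requests: [resource, role]
$requests = [
    ['reports', 'public'],
    ['reports', 'normal_user'],
    ['admin',   'normal_user'],
    ['admin',   'administrator'],
    ['debug',   'administrator'],  // resource absent from this role's row -> denied
    ['home',    'guest'],          // unknown role -> denied
    ['home',    null],             // unauthenticated -> 401
];

foreach ($requests as [$resource, $role]) {
    $status = acl_gateway($resource, $role, $acl_table);
    printf("%-15s %-8s -> %d\n", (string) $role, $resource, $status);
}
```

Granting a new role access is then a change to $acl_table (or the database row behind it), not to any page or gateway code; the `?? false` fallback is what keeps a mistyped role or resource name from silently allowing access.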


2 Comments »

  1. […] I thought I would discuss a quick overview on the structure to ACL for your applications. For initial background on ACL read this previous article first. […]

    Pingback by melbourne chapter » More on PHP and Access Control Lists (ACL) — April 7, 2006 @ 10:05 am

  2. For people who want to learn more about the implementation of ACL please read a new article here: http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/04/07/more-on-php-and-access-control-lists-acl/

    Comment by Cameron Manderson — April 10, 2006 @ 9:28 am
