Symfony – cssTabsPlugin and security

Wednesday, March 11th, 2009

Hi all,
I have been working on a Symfony (version 1 of the MVC framework) based application. It needs really tight security that is really granular. So I did what most people do and installed the cool sfGuardPlugin.

It works a treat.

But... I started to look at how I secure individual buttons, or sections of code, etc.
The best way would be to create a load of credentials, e.g. view_token, add_token, edit_token, view_token_history, etc., which can then be grouped together to allow access via groups or individual assignment.

Then I started thinking about the use of hardcoded text within the code, such as the following example and ‘viewtoken’.

$sf_user->hasCredential('view_token');

I don’t like hardcoding anything if I can help it, so I installed the sfSettingsPlugin and added the line of code:

include_once (sfConfigCache::getInstance()->checkConfig('config/db_settings.yml'));

to my controllers (it doesn’t mention that anywhere on the plugin site or within the code!), did a quick symfony propel-build-all-load & symfony cc, and added a few settings.

The settings are available in your app as normal constants: I created view_token with the value viewtoken, so I could access it within the application as the constant VIEW_TOKEN.

You may wonder why I didn’t just hardcode the values? I am not sure at the moment, it’s a lot of hassle so far, but at least it will be highly configurable :)

Anyway, we have installed the sfSettings plugin, and I already had the very good WordPress-style menus plugin called sfCssTabsPlugin installed and working well. Finding this great add-on that allowed sfCssTabs to recognise security credentials that are set in any module’s /config/security.yml, I thought: great!

But I hit a snag: once installed and working, it only recognised the first credential of that user.
If you have a lot of credentials, and I do, then it fails :(

I found a workaround though:
In \plugins\sfGuardPlugin\lib\user\sfGuardSecurityUser.class.php
I replaced:

    return $this->hasCredential($credentials);

with:

    // check the requested credential against every permission the user has,
    // whether it comes from one of their groups or was assigned directly
    $permissions = $this->getAllPermissionNames();
    if (in_array($credentials, $permissions)) {
        return true;
    } else {
        return false;
    }

This gets all the permissions, those set within a group and those assigned to an individual user.
I am not sure if this is the best way to do it; I am sure writing another method within the model would probably be a better bet, but I am soooOO lazy. If I do (or you?) then I will post it on here.

The above code allowed me to get all the credentials and display individual elements of the menu according to the security credentials of the user.
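As an added example (not code from the post, sfGuardPlugin or sfCssTabsPlugin), here is a stand-alone PHP version of the same check that also keeps the AND/OR array semantics of symfony 1’s hasCredential(), which a plain in_array() on the argument loses, and uses it to decide which menu tabs to show. It assumes $permissions is the flat list of names that getAllPermissionNames() returns; the permission list and tab definitions are constructed sample data.

```php
<?php
// Added example (not from the post, sfGuardPlugin or sfCssTabsPlugin). Assumes
// $permissions is the flat name list the post reads with getAllPermissionNames().
// Check $credentials against that list while keeping the AND/OR semantics of
// symfony 1's hasCredential(): a string must be present, a plain array requires
// every entry, and each nested array flips the logic (OR).
function hasCredentialIn(array $permissions, $credentials, $useAnd = true)
{
    if (!is_array($credentials)) {
        return in_array($credentials, $permissions, true); // strict match
    }
    foreach ($credentials as $credential) {
        $ok = hasCredentialIn($permissions, $credential, !$useAnd);
        if ($useAnd && !$ok) {
            return false; // one missing credential denies in AND mode
        }
        if (!$useAnd && $ok) {
            return true;  // one present credential grants in OR mode
        }
    }
    return $useAnd;       // AND: all passed; OR: nothing matched
}

// Keep only the menu tabs whose credential requirement the user satisfies;
// a tab without a 'credentials' key is public. Returns name => url.
function visibleTabs(array $permissions, array $tabs)
{
    $visible = array();
    foreach ($tabs as $name => $tab) {
        if (!isset($tab['credentials'])
            || hasCredentialIn($permissions, $tab['credentials'])) {
            $visible[$name] = $tab['url'];
        }
    }
    return $visible;
}
// Constructed sample data: one user's permissions and tab definitions in the
// spirit of a module's security.yml (plain list = AND, nested list = OR).
$permissions = array('view_token', 'add_token', 'view_token_history');
$tabs = array(
    'home'    => array('url' => '/'),
    'tokens'  => array('url' => '/token', 'credentials' => 'view_token'),
    'history' => array('url' => '/token/history',
                       'credentials' => array('view_token', 'view_token_history')),
    'manage'  => array('url' => '/token/manage',
                       'credentials' => array(array('add_token', 'edit_token'))),
    'admin'   => array('url' => '/admin', 'credentials' => 'admin'),
);
print_r(visibleTabs($permissions, $tabs));
```

The strict third argument to in_array() is deliberate: credential names are compared as exact strings rather than with PHP's loose comparison.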

thanks

Adam

Getting a symfony plugin to work

Wednesday, January 14th, 2009

Hi all,
I am working on a web based application for my work place. I am building it in PHP using the MVC framework Symfony.

Symfony has a learning curve, especially if you are new to the MVC setup. This post is not about MVC but about a small problem I had trying to install a plugin.

Symfony allows you to install plugins to the framework that provide a specific purpose; the one I was trying to install was called AdminQuickCreatePlugin. Imagine you have a form that is all about a ‘person’, and on this form you have a list of “organisations” that this person may work for, but as you start to fill the form in you realise the organisation the person works for is not in the list. So you would have to go back, create the organisation, then come back to the form and fill all the details back in for the person (you have had to update the select list to show the new organisation).
This plugin creates a small button that will open the form for an organisation, but the magic is that it will save the current form’s session info and, once the organisation has been created, it will reopen the person form with all the details you had entered filled in, and also add the new organisation.
This makes web apps a little easier to use.

Anyway, the problem was all around the way symfony installs plugins, using PEAR. It refused to install normally due to an md5sum error.
To rectify the problem I had to open the .tgz and edit the package.xml. I did use an md5sum.exe app to recreate the md5sum, but all the md5s looked ok?!
So, finding the ‘<file’ entry, I deleted the md5sum=’7630f0d1fbc…….’ part.
I then recreated the .tar.gz and used ‘symfony install-plugin /plugin.tar.gz’

Hey presto.. install without a problem now.
Hopefully this may help anyone who has a similar problem.
Just a word of warning though: the md5sum is used to make sure the file hasn’t been compromised, so always do a virus check.

ta

adam