Role based access control - correct MVC pattern

Tamás Pap · Dec 22, 2011 · Viewed 9.5k times

I started using the MVC pattern half a year ago, and I still have some misunderstandings.

Now I want to implement a role based access control in my application. However, my question is not about RBAC, it is about MVC.

My implementation of RBAC is this: user->role->permission, so every user (e.g. userA) can have many roles (e.g. reader, editor, admin), and every role can have many permissions (read, update, delete, etc.).

MySQL tables

  • users (list of users)
  • roles (list of roles)
  • permissions (list of permissions)
  • roles_permissions (list of roles->permissions connections, e.g. editor->update)
  • users_roles (list of users->roles connections, e.g. userA->editor)

Now my question is: how should I implement this in MVC? Have a separate model for users, roles, permissions, roles_permissions and users_roles, then have an authManager class that creates users, roles, permissions, roles_permissions and users_roles? Is this way correct? Is there a better, maybe more elegant way?
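To make the data model in the question concrete, here is an added example that is not part of the original post and not Kohana or the poster's code. It builds the five tables described above in an in-memory SQLite database (the poster uses MySQL; the schema is the same shape) and wraps them in a hypothetical AuthManager class, the "one place" the question proposes for writing the join tables and answering the question "can this user do X?". The class name and its methods (grant, assign, revoke_role, can, permissions_of) are assumptions for illustration; the sample users, roles and permissions are constructed from the examples in the question.

```python
import sqlite3

# Schema mirroring the five tables listed in the question (constructed for this example).
SCHEMA = """
CREATE TABLE users       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles_permissions (
    role_id       INTEGER NOT NULL REFERENCES roles(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (role_id, permission_id));
CREATE TABLE users_roles (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id));
"""

# Single join that answers every permission check: user -> role -> permission.
CHECK_SQL = """
SELECT DISTINCT p.name
FROM users u
JOIN users_roles       ur ON ur.user_id       = u.id
JOIN roles_permissions rp ON rp.role_id       = ur.role_id
JOIN permissions       p  ON p.id             = rp.permission_id
WHERE u.name = ?
"""


class AuthManager:
    """Hypothetical 'authManager' from the question: the only code that writes the
    two join tables and the only code controllers call to authorize an action."""

    _TABLES = {"users", "roles", "permissions"}

    def __init__(self, conn):
        self.conn = conn
        self.conn.execute("PRAGMA foreign_keys = ON")   # reject dangling role/permission ids
        self.conn.executescript(SCHEMA)

    def _id(self, table, name):
        # Table names come only from this class, never from a request, so the
        # allow-list below is what keeps the f-string safe.
        if table not in self._TABLES:
            raise ValueError(f"unknown table {table!r}")
        self.conn.execute(f"INSERT OR IGNORE INTO {table}(name) VALUES (?)", (name,))
        return self.conn.execute(f"SELECT id FROM {table} WHERE name = ?", (name,)).fetchone()[0]

    def grant(self, role, permission):
        """roles_permissions row, e.g. editor -> update."""
        self.conn.execute("INSERT OR IGNORE INTO roles_permissions VALUES (?, ?)",
                          (self._id("roles", role), self._id("permissions", permission)))

    def assign(self, user, role):
        """users_roles row, e.g. userA -> editor."""
        self.conn.execute("INSERT OR IGNORE INTO users_roles VALUES (?, ?)",
                          (self._id("users", user), self._id("roles", role)))

    def revoke_role(self, user, role):
        self.conn.execute(
            "DELETE FROM users_roles WHERE user_id = ? AND role_id = ?",
            (self._id("users", user), self._id("roles", role)))

    def permissions_of(self, user):
        """All permissions the user holds through any of their roles, sorted."""
        return sorted(r[0] for r in self.conn.execute(CHECK_SQL, (user,)).fetchall())

    def can(self, user, permission):
        """Deny by default: an unknown user or an unknown permission yields False."""
        return permission in self.permissions_of(user)


def authorize(auth, user, permission):
    """What a controller action would call before doing the work; raising keeps the
    'no' path from being forgotten on a return value."""
    if not auth.can(user, permission):
        raise PermissionError(f"{user} lacks {permission}")


def build_demo():
    """Seed the tables with the question's examples (constructed data)."""
    auth = AuthManager(sqlite3.connect(":memory:"))
    for role, perms in {"reader": ["read"],
                        "editor": ["read", "update"],
                        "admin":  ["read", "update", "delete"]}.items():
        for perm in perms:
            auth.grant(role, perm)
    auth.assign("userA", "reader")
    auth.assign("userA", "editor")
    return auth


if __name__ == "__main__":
    auth = build_demo()
    print("userA:", auth.permissions_of("userA"))          # ['read', 'update']
    print("userA can delete:", auth.can("userA", "delete"))  # False
    authorize(auth, "userA", "update")                       # passes silently
```

The point of routing everything through one class is that the controller never joins tables itself and the default answer is "no": a user with no rows in users_roles, or a permission nobody has granted, simply fails the join. Adding or removing a role is a single insert or delete in users_roles, and the check query does not change.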

Answer

matino · Dec 22, 2011

Basically I'd stick with one of the many already existing Kohana ACL libraries instead of writing your own (or at least try them to see if they fit your needs).

You may want to check this thread (Wouter's A1, A2 and ACL modules) - http://forum.kohanaframework.org/discussion/1988/releases-a1-authentication-acl-acl-for-kohana-a2-object-level-authorization/p1
It's being constantly updated and maintained, and it's available for version 3.2 as well.

If you feel Wouter's modules are complicated, you can also check the Vendo ACL module, which is very simple and removes a lot of complications - https://github.com/vendo/acl
Examples of how to use it - http://forum.kohanaframework.org/discussion/9517/getting-started-with-vendo-acl/p1