Zum Inhalt springen
XOOPS 2.7 Docs

ADR-006 - Modul-Permission-System

ADR-006: Modul-Permission-System

Abschnitt betitelt „ADR-006: Modul-Permission-System“

Präzises, hierarchisches Permission-System für XOOPS Module mit granularer Zugriffskontrolle.

Status

Abschnitt betitelt „Status“

Akzeptiert - Implementiert in XOOPS 2.5.x und erweitert in XOOPS 4.0

Context

Abschnitt betitelt „Context“

Problem-Aussage

Abschnitt betitelt „Problem-Aussage“

XOOPS Module benötigen flexible Permission-Kontrolle, die folgende Anforderungen ermöglicht:

  1. Modul-level Permissions - Kann Benutzer dieses Modul zugreifen?
  2. Object-level Permissions - Kann Benutzer auf dieses spezifische Element zugreifen?
  3. Action-level Permissions - Kann Benutzer diese Aktion durchführen?
  4. Custom Permissions - Können Module ihre eigenen Permissions definieren?

Aktueller Zustand

Abschnitt betitelt „Aktueller Zustand“

XOOPS 2.5 verwendet das XoopsGroupPermission-System:

<?php
$perm_handler = xoops_getHandler('groupperm');
$isAllowed = $perm_handler->checkRight(
    'modulename',
    'action',
    $itemId,
    $groupId
);

Challenges

Abschnitt betitelt „Challenges“
  1. Komplexe Abfragen - Permission-Checks erfordern Datenbank-Joins
  2. Limitierte Hierarchie - Schwer, Permission-Gruppen zu erstellen
  3. Schlechtes Caching - Kein eingebautes Permission-Caching
  4. Modul-Variationen - Jedes Modul implementiert unterschiedlich
  5. Leistung - Mehrfache DB-Abfragen für Permission-Checks

Decision

Abschnitt betitelt „Decision“

Implementieren Sie hierarchisches Permission-System

Abschnitt betitelt „Implementieren Sie hierarchisches Permission-System“

Erstellen Sie ein standardisiertes, gecachtes Permission-System mit Unterstützung für:

  1. Hierarchische Permissions - Vererbung von übergeordneten Gruppen
  2. Rollenbasierter Zugriff - Permissions auf Rollen abbilden (Admin, Moderator, User, Guest)
  3. Object Permissions - Präzise Kontrolle pro Element
  4. Caching - Cache Permissions zur Abfrage-Reduzierung
  5. Custom Permissions - Module definieren ihre eigenen
  6. Audit Trail - Log Permission-Änderungen

Permission-Hierarchie

Abschnitt betitelt „Permission-Hierarchie“
User
  └── Group 1 (Admin)
      └── Permission: admin_module
      └── Permission: edit_all_items
      └── Permission: delete_all_items
  └── Group 2 (Moderator)
      └── Permission: moderate_comments
      └── Permission: edit_own_items
  └── Group 3 (User)
      └── Permission: view_published_items
      └── Permission: edit_own_items
  └── Group 4 (Guest)
      └── Permission: view_published_items

Architektur

Abschnitt betitelt „Architektur“
graph TB
    subgraph "Permission System"
        A["Permission Registry<br/>(Define permissions)"]
        B["Permission Checker<br/>(Check access)"]
        C["Permission Cache<br/>(Improve performance)"]
        D["Permission Audit Log<br/>(Track changes)"]
    end


    subgraph "Data Layer"
        E["Group Permissions Table"]
        F["User Groups Table"]
        G["Permission Definitions"]
    end


    A --> E
    B --> E
    B --> C
    C --> E
    D --> E
    F --> B

Kern-Komponenten

Abschnitt betitelt „Kern-Komponenten“

1. Permission-Definition

Abschnitt betitelt „1. Permission-Definition“
<?php
// Module defines its permissions in xoops_version.php


$modversion['permissions'] = [
    [
        'name' => 'module_view',
        'description' => 'Can view module',
        'level' => 'module',
    ],
    [
        'name' => 'item_view',
        'description' => 'Can view items',
        'level' => 'item',
    ],
    [
        'name' => 'item_create',
        'description' => 'Can create items',
        'level' => 'item',
    ],
    [
        'name' => 'item_edit',
        'description' => 'Can edit items',
        'level' => 'item',
    ],
    [
        'name' => 'item_delete',
        'description' => 'Can delete items',
        'level' => 'item',
    ],
    [
        'name' => 'admin_manage',
        'description' => 'Can manage module',
        'level' => 'admin',
    ],
];


// Default permissions by group
$modversion['group_permissions'] = [
    // Admin group gets all permissions
    '1' => [
        'module_view' => 1,
        'item_view' => 1,
        'item_create' => 1,
        'item_edit' => 1,
        'item_delete' => 1,
        'admin_manage' => 1,
    ],
    // User group
    '3' => [
        'module_view' => 1,
        'item_view' => 1,
        'item_create' => 1,
        'item_edit' => 0,
        'item_delete' => 0,
        'admin_manage' => 0,
    ],
    // Guest group
    '4' => [
        'module_view' => 1,
        'item_view' => 1,
        'item_create' => 0,
        'item_edit' => 0,
        'item_delete' => 0,
        'admin_manage' => 0,
    ],
];

2. Permission-Checker

Abschnitt betitelt „2. Permission-Checker“
<?php
declare(strict_types=1);


namespace XoopsCore\Permission;


class PermissionChecker
{
    private PermissionCache $cache;
    private PermissionRepository $repository;


    public function hasPermission(
        User $user,
        string $permissionName,
        ?int $itemId = null
    ): bool {
        // Check cache first
        $cacheKey = "perm_{$user->getId()}_{$permissionName}_{$itemId}";
        if ($this->cache->has($cacheKey)) {
            return $this->cache->get($cacheKey);
        }


        $hasPermission = false;


        // Check all user groups
        foreach ($user->getGroups() as $group) {
            if ($this->checkGroupPermission($group, $permissionName, $itemId)) {
                $hasPermission = true;
                break;
            }
        }


        // Cache result
        $this->cache->set($cacheKey, $hasPermission, 3600);


        // Log high-level access checks
        if ($hasPermission && $this->shouldAuditLog($permissionName)) {
            $this->auditLog('PERMISSION_CHECKED', [
                'user_id' => $user->getId(),
                'permission' => $permissionName,
                'item_id' => $itemId,
                'result' => 'ALLOWED',
            ]);
        }


        return $hasPermission;
    }


    private function checkGroupPermission(
        Group $group,
        string $permissionName,
        ?int $itemId = null
    ): bool {
        $sql = 'SELECT COUNT(*) FROM ' . $this->table . '
                WHERE groupid = ?
                AND permission = ?
                AND itemid = ?
                AND granted = 1';


        $stmt = $this->db->prepare($sql);
        $stmt->execute([$group->getId(), $permissionName, $itemId ?? 0]);


        return $stmt->fetchColumn() > 0;
    }
}

3. Permission-Level

Abschnitt betitelt „3. Permission-Level“
<?php
// Different permission levels with different scopes


class PermissionLevel
{
    // Module-level: Affects entire module
    public const LEVEL_MODULE = 'module';


    // Admin-level: Admin panel access
    public const LEVEL_ADMIN = 'admin';


    // Item-level: Specific objects/items
    public const LEVEL_ITEM = 'item';


    // Field-level: Specific object fields
    public const LEVEL_FIELD = 'field';


    // Action-level: Specific actions/operations
    public const LEVEL_ACTION = 'action';
}

4. Object-Level Permissions

Abschnitt betitelt „4. Object-Level Permissions“
<?php
// Fine-grained control for specific items


class Item extends XoopsObject
{
    /**
     * Check if user can view this item
     */
    public function canView(User $user): bool
    {
        // Public items anyone can view
        if ($this->getVar('status') === 'published') {
            return true;
        }


        // Owner can always view their items
        if ($this->getVar('user_id') === $user->getId()) {
            return true;
        }


        // Check group permissions
        $permChecker = xoops_getActiveModule()->getPermissionChecker();
        return $permChecker->hasPermission(
            $user,
            'item_view',
            $this->getVar('id')
        );
    }


    public function canEdit(User $user): bool
    {
        // Owner can edit their items
        if ($this->getVar('user_id') === $user->getId()) {
            return $permChecker->hasPermission($user, 'item_edit', $this->getVar('id'));
        }


        // Check if user can edit all items
        return $permChecker->hasPermission($user, 'item_edit_all', $this->getVar('id'));
    }


    public function canDelete(User $user): bool
    {
        return $permChecker->hasPermission($user, 'item_delete', $this->getVar('id'));
    }
}

5. Verwendung in Controllern

Abschnitt betitelt „5. Verwendung in Controllern“
<?php
// Example: Article controller


class ArticleController
{
    private PermissionChecker $permChecker;


    public function view(int $id, User $user): Response
    {
        $article = $this->repository->find($id);


        // Check permission
        if (!$article->canView($user)) {
            throw new AccessDeniedException('Cannot view this article');
        }


        return new HtmlResponse($this->renderArticle($article));
    }


    public function edit(int $id, User $user): Response
    {
        $article = $this->repository->find($id);


        // Check permission
        if (!$article->canEdit($user)) {
            throw new AccessDeniedException('Cannot edit this article');
        }


        // Handle form submission
        if ($this->request->isMethod('POST')) {
            $article->setVar('title', $this->request->getPost('title'));
            $article->setVar('content', $this->request->getPost('content'));
            $this->repository->insert($article);


            $this->auditLog('ARTICLE_EDITED', ['id' => $id, 'user_id' => $user->getId()]);


            // Invalidate permission cache
            $this->permChecker->clearCache($user->getId());


            return new RedirectResponse('/article/' . $id);
        }


        return new HtmlResponse($this->renderForm($article));
    }


    public function delete(int $id, User $user): Response
    {
        $article = $this->repository->find($id);


        if (!$article->canDelete($user)) {
            throw new AccessDeniedException('Cannot delete this article');
        }


        $this->repository->delete($article);


        $this->auditLog('ARTICLE_DELETED', ['id' => $id, 'user_id' => $user->getId()]);


        // Invalidate cache
        $this->permChecker->clearCache($user->getId());


        return new JsonResponse(['success' => true]);
    }
}

Consequences

Abschnitt betitelt „Consequences“

Positive Auswirkungen

Abschnitt betitelt „Positive Auswirkungen“
  1. Granulare Kontrolle - Präzise Permission-Verwaltung
  2. Standardisiert - Konsistent zwischen Modulen
  3. Gecacht - Verbesserte Leistung mit Caching
  4. Auditable - Verfolgen wer was geändert hat
  5. Flexibel - Unterstützen Custom Permissions
  6. Skalierbar - Verwalten komplexe Permission-Hierarchien
  7. Testbar - Leicht zu Unit-Testen

Negative Auswirkungen

Abschnitt betitelt „Negative Auswirkungen“
  1. Komplexität - Mehr Code zu verwalten
  2. Datenbank-Overhead - Mehr Tabellen und Joins
  3. Cache-Invalidierung - Müssen Cache bei Änderungen löschen
  4. Lernkurve - Entwickler müssen System verstehen
  5. Leistung - Falls Cache nicht ordnungsgemäß konfiguriert

Risiken und Mitigationen

Abschnitt betitelt „Risiken und Mitigationen“
RiskSeverityMitigation
Overly complex permissionsMediumGood defaults, documentation
Cache stale dataHighTTL, smart invalidation
Performance regressionMediumBenchmark, optimize queries
Permission bypassHighSecurity audit, tests

Permission-Design-Muster

Abschnitt betitelt „Permission-Design-Muster“

Pattern 1: Owner-basierte Permissions

Abschnitt betitelt „Pattern 1: Owner-basierte Permissions“
<?php
// User can edit their own items but not others'


public function canEdit(User $user): bool
{
    // Owner can always edit
    if ($this->isOwner($user)) {
        return true;
    }


    // Check group permissions for editing others' items
    return $this->permChecker->hasPermission($user, 'edit_all_items');
}


private function isOwner(User $user): bool
{
    return $this->getVar('user_id') === $user->getId();
}

Pattern 2: Status-basierte Permissions

Abschnitt betitelt „Pattern 2: Status-basierte Permissions“
<?php
// Different permissions based on status


public function canView(User $user): bool
{
    switch ($this->getVar('status')) {
        case 'published':
            // Anyone with module permission can view
            return $this->permChecker->hasPermission($user, 'item_view');


        case 'draft':
            // Only owner or admin can view
            return $this->isOwner($user) ||
                   $this->permChecker->hasPermission($user, 'admin_manage');


        case 'archived':
            // Only admin can view
            return $this->permChecker->hasPermission($user, 'admin_manage');


        default:
            return false;
    }
}

Pattern 3: Rollenbasierte Permissions

Abschnitt betitelt „Pattern 3: Rollenbasierte Permissions“
<?php
// Check against specific roles


public function hasAdminRole(User $user): bool
{
    return $user->getGroups()->contains('admin_group');
}


public function hasModeratorRole(User $user): bool
{
    return $user->getGroups()->contains('moderator_group') ||
           $this->hasAdminRole($user);
}


public function canModerate(User $user): bool
{
    return $this->hasModeratorRole($user);
}
Abschnitt betitelt „Related Decisions“
  • ADR-001: Modular Architecture - Modules define permissions
  • ADR-004: Security System - Foundation for security
  • ADR-005: Middleware - Can enforce permissions

References

Abschnitt betitelt „References“

Permission Models

Abschnitt betitelt „Permission Models“

Implementation

Abschnitt betitelt „Implementation“

Implementation Checklist

Abschnitt betitelt „Implementation Checklist“
  • Define standard permission levels
  • Create PermissionChecker class
  • Implement caching strategy
  • Add audit logging
  • Create helper functions
  • Write comprehensive tests
  • Document for developers
  • Update all modules
  • Performance optimization
  • Security review

Versions-Geschichte

Abschnitt betitelt „Versions-Geschichte“
VersionDateChanges
1.0.02024-01-28Initial document

#xoops #adr #permissions #authorization #rbac #security