ADR-006 - Sistem Kebenaran Modul

ADR-006: Sistem Kebenaran Modul> Sistem kebenaran hierarki berbutir halus untuk modul XOOPS yang membolehkan kawalan akses berbutir.---

StatusDiterima - Dilaksanakan dalam XOOPS 2.5.x dan dilanjutkan dalam XOOPS 4.0---

Konteks### Pernyataan MasalahModul XOOPS memerlukan kawalan kebenaran fleksibel yang membolehkan:1. Kebenaran peringkat modul - Bolehkah pengguna mengakses modul ini?

2. Keizinan peringkat objek - Bolehkah pengguna mengakses item khusus ini?
3. Kebenaran peringkat tindakan - Bolehkah pengguna melakukan tindakan ini?
4. Keizinan tersuai - Bolehkah modul menentukan kebenaran mereka sendiri?### Keadaan SemasaXOOPS 2.5 menggunakan sistem XoopsGroupPermission:

php
<?php
$perm_handler = xoops_getHandler('groupperm');
$isAllowed = $perm_handler->checkRight(
    'modulename',
    'action',
    $itemId,
    $groupId
);

Cabaran1. Pertanyaan Kompleks - Semakan kebenaran memerlukan gabungan pangkalan data

2. Hierarki Terhad - Sukar untuk membuat kumpulan kebenaran
3. Caching Lemah - Tiada caching kebenaran terbina dalam
4. Variasi Modul - Setiap modul melaksanakan secara berbeza
5. Prestasi - Berbilang pertanyaan DB untuk semakan kebenaran---

Keputusan### Laksanakan Sistem Kebenaran HierarkiCipta sistem kebenaran yang diseragamkan dan dicache yang menyokong:1. Kebenaran Hierarki - Warisan daripada kumpulan induk

2. Akses Berasaskan Peranan - Kebenaran peta kepada peranan (pentadbir, penyederhana, pengguna, tetamu)
3. Kebenaran Objek - Kawalan berbutir halus setiap item
4. Caching - Kebenaran cache untuk mengurangkan pertanyaan
5. Kebenaran Tersuai - Modul menentukan sendiri
6. Jejak Audit - Perubahan kebenaran log### Hierarki Kebenaran

User
  └── Group 1 (Admin)
      └── Permission: admin_module
      └── Permission: edit_all_items
      └── Permission: delete_all_items
  └── Group 2 (Moderator)
      └── Permission: moderate_comments
      └── Permission: edit_own_items
  └── Group 3 (User)
      └── Permission: view_published_items
      └── Permission: edit_own_items
  └── Group 4 (Guest)
      └── Permission: view_published_items

Seni bina

mermaid
graph TB
    subgraph "Permission System"
        A["Permission Registry<br/>(Define permissions)"]
        B["Permission Checker<br/>(Check access)"]
        C["Permission Cache<br/>(Improve performance)"]
        D["Permission Audit Log<br/>(Track changes)"]
    end

    subgraph "Data Layer"
        E["Group Permissions Table"]
        F["User Groups Table"]
        G["Permission Definitions"]
    end

    A --> E
    B --> E
    B --> C
    C --> E
    D --> E
    F --> B

---

Komponen Teras### 1. Definisi Kebenaran

php
<?php
// Module defines its permissions in xoops_version.php

$modversion['permissions'] = [
    [
        'name' => 'module_view',
        'description' => 'Can view module',
        'level' => 'module',
    ],
    [
        'name' => 'item_view',
        'description' => 'Can view items',
        'level' => 'item',
    ],
    [
        'name' => 'item_create',
        'description' => 'Can create items',
        'level' => 'item',
    ],
    [
        'name' => 'item_edit',
        'description' => 'Can edit items',
        'level' => 'item',
    ],
    [
        'name' => 'item_delete',
        'description' => 'Can delete items',
        'level' => 'item',
    ],
    [
        'name' => 'admin_manage',
        'description' => 'Can manage module',
        'level' => 'admin',
    ],
];

// Default permissions by group
$modversion['group_permissions'] = [
    // Admin group gets all permissions
    '1' => [
        'module_view' => 1,
        'item_view' => 1,
        'item_create' => 1,
        'item_edit' => 1,
        'item_delete' => 1,
        'admin_manage' => 1,
    ],
    // User group
    '3' => [
        'module_view' => 1,
        'item_view' => 1,
        'item_create' => 1,
        'item_edit' => 0,
        'item_delete' => 0,
        'admin_manage' => 0,
    ],
    // Guest group
    '4' => [
        'module_view' => 1,
        'item_view' => 1,
        'item_create' => 0,
        'item_edit' => 0,
        'item_delete' => 0,
        'admin_manage' => 0,
    ],
];

2. Pemeriksa Kebenaran

php
<?php
declare(strict_types=1);

namespace XoopsCore\Permission;

class PermissionChecker
{
    private PermissionCache $cache;
    private PermissionRepository $repository;

    public function hasPermission(
        User $user,
        string $permissionName,
        ?int $itemId = null
    ): bool {
        // Check cache first
        $cacheKey = "perm_{$user->getId()}_{$permissionName}_{$itemId}";
        if ($this->cache->has($cacheKey)) {
            return $this->cache->get($cacheKey);
        }

        $hasPermission = false;

        // Check all user groups
        foreach ($user->getGroups() as $group) {
            if ($this->checkGroupPermission($group, $permissionName, $itemId)) {
                $hasPermission = true;
                break;
            }
        }

        // Cache result
        $this->cache->set($cacheKey, $hasPermission, 3600);

        // Log high-level access checks
        if ($hasPermission && $this->shouldAuditLog($permissionName)) {
            $this->auditLog('PERMISSION_CHECKED', [
                'user_id' => $user->getId(),
                'permission' => $permissionName,
                'item_id' => $itemId,
                'result' => 'ALLOWED',
            ]);
        }

        return $hasPermission;
    }

    private function checkGroupPermission(
        Group $group,
        string $permissionName,
        ?int $itemId = null
    ): bool {
        $sql = 'SELECT COUNT(*) FROM ' . $this->table . '
                WHERE groupid = ?
                AND permission = ?
                AND itemid = ?
                AND granted = 1';

        $stmt = $this->db->prepare($sql);
        $stmt->execute([$group->getId(), $permissionName, $itemId ?? 0]);

        return $stmt->fetchColumn() > 0;
    }
}

3. Tahap Kebenaran

php
<?php
// Different permission levels with different scopes

class PermissionLevel
{
    // Module-level: Affects entire module
    public const LEVEL_MODULE = 'module';

    // Admin-level: Admin panel access
    public const LEVEL_ADMIN = 'admin';

    // Item-level: Specific objects/items
    public const LEVEL_ITEM = 'item';

    // Field-level: Specific object fields
    public const LEVEL_FIELD = 'field';

    // Action-level: Specific actions/operations
    public const LEVEL_ACTION = 'action';
}

4. Kebenaran Peringkat Objek

php
<?php
// Fine-grained control for specific items

class Item extends XoopsObject
{
    /**
     * Check if user can view this item
     */
    public function canView(User $user): bool
    {
        // Public items anyone can view
        if ($this->getVar('status') === 'published') {
            return true;
        }

        // Owner can always view their items
        if ($this->getVar('user_id') === $user->getId()) {
            return true;
        }

        // Check group permissions
        $permChecker = xoops_getActiveModule()->getPermissionChecker();
        return $permChecker->hasPermission(
            $user,
            'item_view',
            $this->getVar('id')
        );
    }

    public function canEdit(User $user): bool
    {
        // Owner can edit their items
        if ($this->getVar('user_id') === $user->getId()) {
            return $permChecker->hasPermission($user, 'item_edit', $this->getVar('id'));
        }

        // Check if user can edit all items
        return $permChecker->hasPermission($user, 'item_edit_all', $this->getVar('id'));
    }

    public function canDelete(User $user): bool
    {
        return $permChecker->hasPermission($user, 'item_delete', $this->getVar('id'));
    }
}

5. Penggunaan dalam Pengawal

php
<?php
// Example: Article controller

class ArticleController
{
    private PermissionChecker $permChecker;

    public function view(int $id, User $user): Response
    {
        $article = $this->repository->find($id);

        // Check permission
        if (!$article->canView($user)) {
            throw new AccessDeniedException('Cannot view this article');
        }

        return new HtmlResponse($this->renderArticle($article));
    }

    public function edit(int $id, User $user): Response
    {
        $article = $this->repository->find($id);

        // Check permission
        if (!$article->canEdit($user)) {
            throw new AccessDeniedException('Cannot edit this article');
        }

        // Handle form submission
        if ($this->request->isMethod('POST')) {
            $article->setVar('title', $this->request->getPost('title'));
            $article->setVar('content', $this->request->getPost('content'));
            $this->repository->insert($article);

            $this->auditLog('ARTICLE_EDITED', ['id' => $id, 'user_id' => $user->getId()]);

            // Invalidate permission cache
            $this->permChecker->clearCache($user->getId());

            return new RedirectResponse('/article/' . $id);
        }

        return new HtmlResponse($this->renderForm($article));
    }

    public function delete(int $id, User $user): Response
    {
        $article = $this->repository->find($id);

        if (!$article->canDelete($user)) {
            throw new AccessDeniedException('Cannot delete this article');
        }

        $this->repository->delete($article);

        $this->auditLog('ARTICLE_DELETED', ['id' => $id, 'user_id' => $user->getId()]);

        // Invalidate cache
        $this->permChecker->clearCache($user->getId());

        return new JsonResponse(['success' => true]);
    }
}

---

Akibat### Kesan Positif1. Kawalan Berbutir - Pengurusan kebenaran diperhalusi

2. Standard - Konsisten merentas modul
3. Cache - Peningkatan prestasi dengan caching
4. Boleh Diaudit - Jejaki siapa yang mengubah perkara
5. Fleksibel - Menyokong kebenaran tersuai
6. Skala - Mengendalikan hierarki kebenaran yang kompleks
7. Boleh Diuji - Ujian unit yang mudah### Kesan Negatif1. Kerumitan - Lebih banyak kod untuk diurus
8. Overhed Pangkalan Data - Lebih banyak jadual dan cantuman
9. Cache Invalidation - Mesti mengosongkan cache pada perubahan
10. Keluk Pembelajaran - Pembangun mesti memahami sistem
11. Prestasi - Jika cache tidak dikonfigurasikan dengan betul### Risiko dan Tebatan| Risiko | Keterukan | Mitigasi | |------|----------|-----------| | Keizinan yang terlalu kompleks | Sederhana | lalai yang baik, dokumentasi | | Cache data basi | Tinggi | TTL, pembatalan pintar | | Regresi prestasi | Sederhana | Penanda aras, optimumkan pertanyaan | | Pintasan kebenaran | Tinggi | Audit keselamatan, ujian |---

Corak Reka Bentuk Kebenaran### Corak 1: Kebenaran Berdasarkan Pemilik

php
<?php
// User can edit their own items but not others'

public function canEdit(User $user): bool
{
    // Owner can always edit
    if ($this->isOwner($user)) {
        return true;
    }

    // Check group permissions for editing others' items
    return $this->permChecker->hasPermission($user, 'edit_all_items');
}

private function isOwner(User $user): bool
{
    return $this->getVar('user_id') === $user->getId();
}

Corak 2: Kebenaran Berdasarkan Status

php
<?php
// Different permissions based on status

public function canView(User $user): bool
{
    switch ($this->getVar('status')) {
        case 'published':
            // Anyone with module permission can view
            return $this->permChecker->hasPermission($user, 'item_view');

        case 'draft':
            // Only owner or admin can view
            return $this->isOwner($user) ||
                   $this->permChecker->hasPermission($user, 'admin_manage');

        case 'archived':
            // Only admin can view
            return $this->permChecker->hasPermission($user, 'admin_manage');

        default:
            return false;
    }
}

Corak 3: Kebenaran Berasaskan Peranan

php
<?php
// Check against specific roles

public function hasAdminRole(User $user): bool
{
    return $user->getGroups()->contains('admin_group');
}

public function hasModeratorRole(User $user): bool
{
    return $user->getGroups()->contains('moderator_group') ||
           $this->hasAdminRole($user);
}

public function canModerate(User $user): bool
{
    return $this->hasModeratorRole($user);
}

---

Keputusan Berkaitan- ADR-001: Seni Bina Modular - Modul menentukan kebenaran

• ADR-004: Sistem Keselamatan - Asas untuk keselamatan
• ADR-005: Middleware - Boleh menguatkuasakan kebenaran---

Rujukan### Model Kebenaran- RBAC (Kawalan Akses Berasaskan Peranan)

• ABAC (Kawalan Akses Berasaskan Atribut)
• ACL (Senarai Kawalan Akses)### Pelaksanaan- Symfony Security
• Keizinan Laravel---

Senarai Semak Perlaksanaan- [ ] Tentukan tahap kebenaran standard

• Cipta kelas PermissionChecker
• Laksanakan strategi caching
• Tambah pengelogan audit
• Cipta fungsi pembantu
• Tulis ujian komprehensif
• Dokumen untuk pembangun
• Kemas kini semua modul
• Pengoptimuman prestasi
• Semakan keselamatan---

Sejarah Versi| Versi | Tarikh | Perubahan |

|---------|------|---------| | 1.0.0 | 28-01-2024 | Dokumen awal |---

#XOOPS #adr #permissions #authorization #rbac #security