The ACL plugin

The missing ACL plugin that should have come with CI!

The CodeIgniter Acl class implements a robust database-driven access control mechanism that includes users, groups, and roles.

A user can belong to many groups. Any number of roles can be assigned to entire groups, or individual users. The class includes simple but effective password validating/updating and convenient description fields for users, roles, and groups.

Other features include:
-> Simple user password auth (plaintext or md5 [default] - configurable)
-> Strict decoupling of database-specific logic, makes exclusive use of the CI database class
-> Methods to check for user role assignments (direct or inherited via group)
-> Optimized database structure - should easily handle thousands of users/roles/groups
-> Written to follow strict CI coding guidelines (docblocks, indentation, naming, etc)
-> Free as in Beer (GPL v2)

Installation is simple. Download the zip archive attached to this thread. You will copy all the .php files to your application/models directory. Next, import a database schema. The CI Acl class has been tested with MySQL, PostgreSQL, and SQLite. In the acl_scripts folder are .sql files to create the needed tables for each database type (depending on which one you use).

You may also grab the latest from SVN via:
http://svn.supergluetech.com/repositories/codeigniter/acl

Once all this is completed, you load it as with any typical CI model:

Please refer to the manual.htm file for usage.

Please report any bugs to me via: dean [at] supergluetech.com

Attention

Who’s using the ACL plugin? If you are using the plugin, I would love to hear from you as well as any suggestions and/or improvements that you would like to see.

Also, if anyone is interested in pitching in (especially with documentation), gimme a shout. I would really like to get things polished up.

Wow!
Seems like great work!
I’ll check it out and come back with some feedback!

**UPDATE** 12/28/2009 10:18 PM:

I am putting an initial reference guide together (with full index of all functions, and detailed examples) in the form of plain HTML. Expect something in a couple days

- Dean

*bookmrked* I’d been considering making something like this, looking forward to the possibility that it’s one more thing I won’t have to do to have an auth system that works for me

Hi Dean,

great work - i like the ‘plugin’-character of this piece of software

I will try to plug it in my app (authentication-library allready built in) and report here what i found.

Maby you can provide the docs in the meantime?!

Regards

Happy new years to start with…

Lots has happened since the last post.

First, I have beaten the lazy outta myself and got a subversion project set up for this.

Read only public access is available at http://svn.supergluetech.com/repositories/codeigniter/acl

Included on the server is a [incomplete] reference manual.htm file that documents EVERY function.

Also in the svn trunk are a handfull of bugfixes - anyone who has downloaded the acl class are advised to grab the latest versions.

I will keep everyone posted!

One last note.. I have a good handfull of changes that will be committed by noon today (1/5/10) - Please excuse any broken scripts in the meanwhile.

Among the changes are:

-> Ability to auto-hydrate instantiated group/user/role objects
-> Bugfixes to main class
-> Little more documentation
-> Small cleanup

Looks promising over my acl library. I’ll try this

Dean,
Great looking ACL plug-in.  Thanks for sharing.  I was in the process of writing some of this for a current project, but I came across this and figured it would fill the 90% that most people would need for ACL in a project.  It looks nice and clean.

Anyhow, I’ve come across a bug. The acl model has a bug in lines 812 and 954.

This:

Should be:

Let us know if there’s a better way to contact you with bugs.

Thanks,
Brian

Thanks for pointing that out!

This has been fixed and commited to SVN.

I am including my email address in the main post for bug reporting. I may eventually set up mantis or something.

I’ve been familiarizing myself with the plug-in as I incorporate it into a project.  Would it be possible/beneficial to pass an array of role_ids to user_has_role() and group_has_role() instead of just a single role_id?  I’m guessing many times in a project, access would be given based on a handful of roles.  (Of course we could just use OR statements.)  I’m also guessing a hierarchy or ranking of roles is often used for ACLs.  There also might be other class methods where passing an array to it might be beneficial.  Just a couple of thoughts.

bkirkman - 27 February 2010 01:41 AM

I’ve been familiarizing myself with the plug-in as I incorporate it into a project.  Would it be possible/beneficial to pass an array of role_ids to user_has_role() and group_has_role() instead of just a single role_id?  I’m guessing many times in a project, access would be given based on a handful of roles.  (Of course we could just use OR statements.)  I’m also guessing a hierarchy or ranking of roles is often used for ACLs.  There also might be other class methods where passing an array to it might be beneficial.  Just a couple of thoughts.

That sounds like a great idea, however.

The thinking was database optimization. I could implement this, but I would not recommend it unless using it on an ACL user/group/role objects: i.e.:

The reason is: when you return a user object one of the options is to auto hydrate (or not). The default [when returning ACL users, groups, and roles] is NOT to hydrate.

When you auto hydrate, the ACL user/group/role objects pre-polulate [load] all the relating info into variables. This way, multiple tests are only comparing variables rather than making repetitive database calls.

Ideally, when a user is logged in, you would instantly create a ACL user object that represents that user.

In the case of the ACL class, you would not (even from a logical programmatic standpoint) have auto hydration going on in the parent ACL object level. So bottom line is: passing arrays for checking can be implemented at both the core ACL level AND ACL user/group/role levels - but only advisable to use this feature at the user/group/role levels. This way, auto hydration makes it easy and much more practical from a performance standpoint.

I will work on integrating this into the classes sometime this next couple weeks unless someone wants to pitch in

Aha, thanks.  That makes sense.  Have you been successful at storing the user object as a session object?  I haven’t tried yet.  There seems to be quite the shake-up regarding session objects here.
http://ellislab.com/forums/viewthread/95690/

Thanks for your plugin. I has been tried and it’s look good.
But it have small bug. When you try :

it generate error. In acl.php line 654:

it should be:

Is this plug-in still being developed/supported?  I find it interesting and would like to work at converting it to CI 2.x and PHP 5.3.x.

Anybody???