Home/ Questions/Q 4085702
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T18:37:02+00:00

I’m working on a sort of MVC framework, and I’m implementing a simple ACL

  • 0

I’m working on a sort of MVC framework, and I’m implementing a simple ACL permissions check system.

I’m wondering if anyone can shed some light on, or direct me towards some good examples of this sort of implementation (or criticize to the point of warranting scrapping it, whichever is necessary)

Since I’m building the framework with REST API in mind, I’ve created two base controllers, WebController and ApiController.

Requests made to /index.php route to WebController_* and requests made to /api/index.php route to ApiController_*

An extended WebController is responsible for building output from a template with data returned from the consolidated calls to the necessary ApiControllers.

An extended ApiController is responsible for querying the Model for data. If a call is made directly to /api/index.php it returns JSON.

But I digress; In order to facilitate ACL, I figured implementing it at the ApiController layer made sense, and if there is a denial it is returned in JSON or back up to a WebController and handled accordingly, depending on the request type.

I’m thinking to simplify things, I could make use of __call() and private methods. __call() would verify the existence of the requested method, and prior to calling it, check the user permissions on the method it against the ACL.

class ApiController{

    public function __call($method, $arguments){
        if(method_exists($this, $method)){
            //haven't written ACL classes yet, but something like this
            if(ACL::check(...)){ 
                return call_user_func_array(array($this, $method), $arguments);
            }else{
                return false;
            }
        }else{
            //throw catchable exception or something
        }
    }

}

Good idea? Bad idea? Thoughts? Maybe I’m in over my head here, I’m still learning and this is more for education than profit, however finishing something that has future use would be nice.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ve decided to go with an approach similar to my initially proposed method, creating a Gateway object to act as a proxy to the Model. Essentially the Gateway object holds a reference to the Acl, Request, and Model objects, and performs checks against the Acl object before forwarding any method calls to the Model. Simplified for brevity:

    public function __call($method, $arguments){
    // check request data against acl
    if($this->_acl->check($this->_request, $method, $arguments)){
        // on success, send request in and forward method to model
        $this->_model->setRequest($this->_request);
        return call_user_func_array(array($this->_model, $method), $arguments);
    }
    // acl check failed, no access
    return false;
}

    Are there any issues that can be seen with this approach? So far as I can tell, this should serve the purpose quite effectively, as I can sub in different Acl and Model objects based on the needs of the Controller (Though likely there will only be the need for a single Acl)

    Furthermore, my routing of API calls becomes simplified, as using a REST/RPC hybrid architecture, API calls can be passed to the Gateway without much need for modification.

    • 0