The EuroCMS Accounts Module
| Author | Revision |
|---|---|
| Imri Paloja | draft |
The Accounts module manages all the accounts of an ECMS installation. EuroCMS applies the following control lists: RBAC, LBAC.
Domain-Role-Based Access Control List. DRBAC. Dr. Bac if you want to be cute about it.
- Users
- Groups
- API Users
- Roles
- Permissions
Chain of Command
A user lower in the chain of command cannot view or delete anything belonging to a user who is higher in the chain of command.
Even if the user has, for example, the users_history permission, they cannot view the history of a user higher in the chain of command.
ACL FLOW
This is the step-by-step ACL flow:
- Login: credentials check.
- Roles: get the list of components the user has rights to. This list is displayed in the admin navigation menu.
- Permissions: when a link is clicked, for example the link for the Users module, check the specific permissions this logged-in user has for it (users_add, users_delete).
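The login, roles and permissions steps above, together with the chain-of-command rule, as an added PHP example (not EuroCMS project code). The user, role and permission rows are constructed in memory to mirror the tables in this document, the password hashes are generated from constructed passwords, and the function names are assumptions.

```php
<?php
// Added example, not EuroCMS code. All rows below are constructed and only
// loosely mirror the users / roles / permissions tables of this document.

// users: uname => [pword, role, coc, status]   (coc 1 = highest in the chain)
$users = [
    'john' => ['pword' => password_hash('john-pass', PASSWORD_DEFAULT), 'role' => 'owner',      'coc' => 1, 'status' => 'active'],
    'jane' => ['pword' => password_hash('jane-pass', PASSWORD_DEFAULT), 'role' => 'AdminStars', 'coc' => 2, 'status' => 'active'],
    'jack' => ['pword' => password_hash('jack-pass', PASSWORD_DEFAULT), 'role' => 'EdiThors',   'coc' => 3, 'status' => 'active'],
];

// roles: name => permissions_id list (the owner role carries "all")
$roles = [
    'owner'      => 'all',
    'EdiThors'   => [1, 2, 3, 5, 6],
    'AdminStars' => [1, 2, 3, 4, 5],
];

// permissions: permission_id => [component_name, permission_name]
$permissions = [
    1 => ['users',  'users_add'],
    2 => ['users',  'users_delete'],
    3 => ['users',  'users_mfa'],
    4 => ['users',  'users_modify'],
    5 => ['files',  'files_upload'],
    6 => ['themes', 'theme_add'],
];

// Step 1: Login - credentials check. Returns the user row or null.
// An inactive/banned account fails here regardless of the password.
function login(array $users, string $uname, string $password): ?array
{
    if (!isset($users[$uname]) || $users[$uname]['status'] !== 'active') {
        return null;
    }
    if (!password_verify($password, $users[$uname]['pword'])) {
        return null;
    }
    return ['uname' => $uname] + $users[$uname];
}

// Step 2: Roles - resolve the role to the permissions it grants, grouped by
// component. The component keys are what the admin navigation menu lists.
function resolvePermissions(array $roles, array $permissions, string $role): array
{
    $ids = $roles[$role] ?? [];
    if ($ids === 'all') {
        $ids = array_keys($permissions);
    }
    $acl = [];
    foreach ($ids as $id) {
        if (!isset($permissions[$id])) {
            continue;   // dangling permissions_id: grant nothing for it
        }
        [$component, $name] = $permissions[$id];
        $acl[$component][] = $name;
    }
    return $acl;
}

// Step 3: Permissions - check one specific permission for the logged-in user.
function hasPermission(array $acl, string $component, string $permission): bool
{
    return in_array($permission, $acl[$component] ?? [], true);
}

// Chain of command: a target higher in the chain (lower coc number) is always
// off limits, whatever the permission; otherwise the permission decides.
function mayActOn(array $actor, array $target, array $acl, string $permission): bool
{
    if ($target['coc'] < $actor['coc']) {
        return false;
    }
    return hasPermission($acl, 'users', $permission);
}

$jane = login($users, 'jane', 'jane-pass');
$acl  = resolvePermissions($roles, $permissions, $jane['role']);
var_dump(array_keys($acl));                                                       // navigation: users, files
var_dump(mayActOn($jane, ['uname' => 'jack'] + $users['jack'], $acl, 'users_delete')); // true
var_dump(mayActOn($jane, ['uname' => 'john'] + $users['john'], $acl, 'users_delete')); // false: the Owner is higher
var_dump(login($users, 'jane', 'wrong') === null);                                 // true
```

The chain-of-command test runs before the permission lookup on purpose: the rule in this document is that no permission can override rank, so the check must not depend on which permission is being asked for.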
Users
The EuroCMS users.
There can only be one Owner user. This user owns the entire EuroCMS installation. Admins are next in command in terms of power; although they can be admin of one or more websites, they do not have these powers by default. The Owner user has no restrictions. It is advised, even if you have only one domain, to create an admin account with all needed permissions for day-to-day work and never to use the Owner user.
| user_id | group_id | domain_id | dname | fname | lname | uname | pword | email | profile_pic | role | reg_date | act_date | auth_methods | timezone | coc | status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | jdoe | John | doe | john | {hash} | john@doe.nl | {URL} | Owner | {epoch_date} | {epoch_date} | creds | Europe/Amsterdam | 1 | active |
| 2 | 1 | 1,2 | jane | Jane | doe | Jane | {hash} | jane@doe.nl | file_id:6 | admin | {epoch_date} | {epoch_date} | creds,email,telegram | Mars/Marineris | 2 | inactive |
| 3 | 1 | 1 | jack | Jack | doe | Jack | {hash} | jack@doe.nl | | EdiThors | {epoch_date} | {epoch_date} | telegram | Mars/Anseris | 3 | banned |
| 4 | 1 | 2 | | John | doe | john | {hash} | john@doe.nl | | admin | {epoch_date} | {epoch_date} | | Europe/Amsterdam | 2 | active |
| 5 | 1 | 2 | | Jane | doe | Jane | {hash} | jane@doe.nl | | EdiThors | {epoch_date} | {epoch_date} | creds | Europe/Amsterdam | 3 | active |
| 6 | 1 | 2 | | Jagues | doe | Jagues | {hash} | jag@doe.nl | | contributor | {epoch_date} | {epoch_date} | creds | Europe/Amsterdam | 4 | active |
| 7 | 1 | 2 | ECLI | e | cli | ecli | {hash} | ecli@ecms.nl | | ecli | {epoch_date} | {epoch_date} | creds | Europe/Amsterdam | 4 | active |
Handle the IP blocking via the content module? IP blocking the /login page?
Contemplate whether it is still useful to enable IP blocking per user if the /login page is already blocked via content.
Let's paint a scenario. A user is out of office/on holiday/at a meeting in a restaurant, and they need him ASAP to fix things. The /login page is IP blocked to the office IP.
So you connect to the office VPN and then to the /login page. No need to be at the office.
You can implement a wide variety of security measures for this; it is just a matter of how secure you want it. The current security implementation makes it highly secure.
After user feedback on v1, we will see whether there is demand for further security implementation.
To be honest, I'll probably want to implement all of the security measures you can think of, to make it a highly interesting product for companies/governments/... with high security demands.
Groups
The EuroCMS groups.
| group_id | domain_id | user_id | name | pretty_name | pword | email | role | users_ids | user_lock | status |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | edev | ECMS Developers | {hash} | edev@eurobytes.eu | EdiThors | 3,5 | 1 | enabled |
| 2 | 1 | 1 | administrators | Admin | {hash} | admins@eurobytes.eu | AdminStars | 2 | 1 | enabled |
Roles
A role holds preset R/W settings for specific ECMS components.
| role_id | domain_id | user_id | group_id | name | short_description | modules | permissions_id | Hierarchy/ChainOfCommand? | user_lock | status |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | 1 | owner | The owner of this EuroCMS installation | all | all | 1 | 1 | enabled |
| 2 | 1 | 1 | 1 | EdiThors | The editor roles | users,editor,files,analytics,widgets | 1,2,3,5,6 | 2 | null | enabled |
| 3 | 1 | 1 | 1 | AdminStars | The domain administrator users | users,editor,files,analytics,widgets | 1,2,3,4,5 | 3 | null | enabled |
| 4 | 1 | 1 | 1 | ecli | The ECLI users | updates,maintenance | 1,2,3,4,5 | 2 | null | enabled |
Permissions
Permissions (features) are the features that a module has made available. For example, the Users module permissions of a role whose permissions_id list is 1,2,3,5,6 are resolved with:
```sql
SELECT * FROM permissions WHERE component_name = 'users' AND permission_id IN (1,2,3,5,6);
```
| permission_id | domain_id | user_id | group_id | component_type | component_name | permission_name | short_description | user_lock | status |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | 1 | module | users | users_add | The ability to add users | null | enabled |
| 2 | 1 | 1 | 1 | module | users | users_delete | The ability to delete users | null | enabled |
| 3 | 1 | 1 | 1 | module | users | users_mfa | The ability to setup MFA | null | enabled |
| 4 | 1 | 1 | 1 | module | users | users_modify | The ability to modify existing users | null | enabled |
| 5 | 1 | 1 | 1 | module | files | files_upload | The ability to upload files. | null | enabled |
| 6 | 1 | 1 | 1 | module | themes | theme_add | The ability to add themes | null | enabled |
| 7 | 1 | 1 | 1 | module | content | content_add | The ability to add content | null | enabled |
| 8 | 1 | 1 | 1 | module | content | content_delete | The ability to delete content | null | enabled |
| 9 | 1 | 1 | 1 | module | content | content_modify | The ability to modify existing content | null | enabled |
| 10 | 1 | 1 | 1 | module | content | content_ip | The ability to IP protect a content | null | enabled |
| 11 | 1 | 1 | 1 | module | content | content_ajax | The ability to add AJAX content | null | enabled |
| 12 | 1 | 1 | 1 | module | content | content_object | The ability to add auto generated files from variables(robots.txt/sitemap.xml/contribute.json) | null | enabled |
Users module permissions list
| name | description |
|---|---|
| users_add | The ability to add users |
| users_delete | The ability to delete users |
| users_modify | The ability to modify users |
| users_mfa | The ability to setup MFA |
| users_history | Display the actions of users (the actions displayed in the analytics table) |
| users_info_permissions | Display the users permission list. |
| users_roles | Manage users roles |
| users_permissions | Manage roles permissions list |
Access Control List
Think about using a PHP constant for this?
```php
<?php
// Empty skeleton every request starts from.
$acl_base = array(
    "components" => array()
);

// User logged in: get the user's permissions and build the grant array.
$acl_add = array(
    "components" => array(
        "modules" => array(
            "Users" => array("users_add", "users_delete"),
            "Files" => array()
        ),
        "themes" => array("W3schools"),
    )
);

// array_merge() replaces the "components" key of $acl_base with the one from
// $acl_add, which is why the base's empty array does not appear below.
$acl = array_merge($acl_base, $acl_add);
print_r($acl);
```
Output of the above code:
```text
Array
(
    [components] => Array
        (
            [modules] => Array
                (
                    [Users] => Array
                        (
                            [0] => users_add
                            [1] => users_delete
                        )

                    [Files] => Array
                        (
                        )

                )

            [themes] => Array
                (
                    [0] => W3schools
                )

        )

)
```
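The "PHP constant" idea above, as an added example that is not EuroCMS project code: the ACL skeleton becomes a class constant, per-user grants are merged into it, and a lookup helper answers the permission question a module asks before showing a button or running an action. The class and method names are assumptions, and the grants are constructed. It also shows the one caveat that matters for the merge step: array_merge() replaces a string key wholesale, while array_merge_recursive() keeps the skeleton's keys.

```php
<?php
// Added example, not EuroCMS code. Assumes the same array shape as the
// $acl snippet in this document; all grant values are constructed.

final class Acl
{
    // The empty skeleton every request starts from. A constant cannot be
    // modified at runtime, so a bug elsewhere cannot silently widen it.
    public const BASE = [
        'components' => [
            'modules' => [],
            'themes'  => [],
        ],
    ];

    // array_merge() would replace the whole 'components' entry with the one
    // from $grants, dropping any key the user was not granted (e.g. 'themes').
    // array_merge_recursive() keeps BASE's keys and appends the granted
    // values underneath them, so every lookup below finds a well-formed tree.
    public static function build(array $grants): array
    {
        return array_merge_recursive(self::BASE, $grants);
    }

    // Lookup used by a module before showing a button or running an action.
    // A module that was never granted simply yields an empty list.
    public static function can(array $acl, string $module, string $permission): bool
    {
        $granted = $acl['components']['modules'][$module] ?? [];
        return in_array($permission, $granted, true);
    }
}

// Constructed grants for one logged-in user (no Files access at all).
$grants = [
    'components' => [
        'modules' => [
            'Users' => ['users_add', 'users_delete'],
        ],
        'themes' => ['W3schools'],
    ],
];

$acl = Acl::build($grants);
var_dump(Acl::can($acl, 'Users', 'users_delete'));  // true
var_dump(Acl::can($acl, 'Users', 'users_mfa'));     // false: not granted
var_dump(Acl::can($acl, 'Files', 'files_upload'));  // false: module not granted at all

// Contrast: with array_merge() the 'themes' key of BASE is gone as soon as
// the user's grants carry no 'themes' entry.
$plain = array_merge(Acl::BASE, ['components' => ['modules' => ['Files' => []]]]);
var_dump(isset($plain['components']['themes']));     // false
```

The strict third argument to in_array() is deliberate: without it a permission list containing an integer 0 would match any permission name.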