The EuroCMS Access Control structure
There are two Access Control structures available: one for components, and one for accounts (logged-in users and the like).
The Components Access Control structure
This structure governs EuroCMS components that want to access other components or their code.
Say, for example, that a Disqus comment-box widget on the front end of a website wants to access the database. That is odd, because such a widget only uses JavaScript and external data for its comments, so the request is suspicious.
If that widget wants to query the database, it can only do so through the database class, and every component is defined in such a way that the database class can detect which component is calling it.
If the query is not legitimate, or the calling component has no permission to use the database class, the database class returns a permission denied message.
If the widget requested database access, and the user who installed it reviewed that requested permission carefully and granted it, the widget's queries go through without problems.
But if the widget issues a query it did not request permission for, access is denied again.
Another example: if the Files module wants to modify anything in the users table, that is not allowed unless permission has been granted to do so.
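The following is an added example, not EuroCMS code, of the component-level gate described above: a single database gateway that works out which component is calling it, classifies the statement by table and operation, and compares that against the permissions the component declared at install time. The manifests, table names, component names and the sample rows are all constructed for the example; the caller is identified by inspecting the calling frame for a `self` that is a registered component, which is one way to "autodetect who is calling".

```python
import inspect
import re
import sqlite3


class PermissionDenied(Exception):
    """Raised instead of running a query the calling component may not issue."""


class Component:
    """Base class every component derives from; `name` keys its manifest."""
    name = "unnamed"


# Permissions each component requested at install time, as (table, operation)
# pairs. Constructed for this example: the Disqus widget asked for nothing,
# the comments module for its own table only, the files module for files only.
MANIFESTS = {
    "disqus_widget": set(),
    "comments_module": {("comments", "SELECT"), ("comments", "INSERT")},
    "files_module": {("files", "SELECT"), ("files", "UPDATE")},
}

_STATEMENT = re.compile(r"\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
_TABLE_KEYWORD = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO", "UPDATE": "UPDATE"}


def classify(sql):
    """Return (table, operation) for a simple single-table statement, else deny."""
    m = _STATEMENT.match(sql)
    if not m:
        raise PermissionDenied("only SELECT/INSERT/UPDATE/DELETE are allowed")
    op = m.group(1).upper()
    t = re.search(r"\b%s\s+(\w+)" % _TABLE_KEYWORD[op], sql, re.I)
    if not t:
        raise PermissionDenied("cannot determine the target table")
    return t.group(1).lower(), op


class Database:
    """The single gateway to the database: attributes every query to its caller."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE users(user_id INTEGER, email TEXT);
            CREATE TABLE comments(id INTEGER, body TEXT);
            CREATE TABLE files(id INTEGER, path TEXT);
            INSERT INTO users VALUES (1, 'imri@eurobytes.nl');
            INSERT INTO comments VALUES (1, 'first!'), (2, 'nice post');
        """)

    def _calling_component(self):
        # Two frames up: _calling_component <- query <- the component's method.
        frame = inspect.currentframe().f_back.f_back
        obj = frame.f_locals["self"] if frame and "self" in frame.f_locals else None
        if not isinstance(obj, Component):
            raise PermissionDenied("query was not issued by a registered component")
        return obj.name

    def query(self, sql, params=()):
        name = self._calling_component()
        table, op = classify(sql)
        if (table, op) not in MANIFESTS.get(name, set()):  # default deny
            raise PermissionDenied(f"{name} has no {op} permission on {table}")
        return self.conn.execute(sql, params).fetchall()


class CommentsModule(Component):
    name = "comments_module"

    def __init__(self, db):
        self.db = db

    def recent(self):
        return self.db.query("SELECT body FROM comments ORDER BY id DESC LIMIT 5")

    def wipe_users(self):
        # Never requested in the manifest, so the gateway refuses it.
        return self.db.query("DELETE FROM users")


class DisqusWidget(Component):
    name = "disqus_widget"

    def __init__(self, db):
        self.db = db

    def snoop(self):
        # A front-end JS widget has no business reading accounts.
        return self.db.query("SELECT email FROM users")


def run_checks():
    """Exercise the gateway; returns which calls were allowed and which denied."""
    db = Database()
    results = {}
    for label, call in [
        ("comments_recent", CommentsModule(db).recent),
        ("comments_wipe_users", CommentsModule(db).wipe_users),
        ("disqus_snoop", DisqusWidget(db).snoop),
        ("anonymous_direct", lambda: db.query("SELECT body FROM comments")),
    ]:
        try:
            results[label] = ("allowed", call())
        except PermissionDenied as exc:
            results[label] = ("denied", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(f"{label:22s} {outcome[0]:8s} {outcome[1]}")
```

Frame inspection is only as trustworthy as the code sharing the process: a component that runs in the same interpreter can route its query through another component's object, or plant a `self` local of its own. The check therefore catches mistakes and over-reach by well-formed components, as the page describes, but it is not an isolation boundary against deliberately hostile code.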
The Accounts Access Control structure
The components you have access to are defined by roles. Each user's role is stored in the users table; your role can be editor, for example.
The roles db table lists the components the editor role has access to.
The features db table lists the component features you have access to.
For example, if you are a user with the editor role, the components shown to you in the admin nav menu are those defined for that role in the roles db table.
When you click the /users link, the features db table is queried for the features you have access to. If you have the users_add feature, you can add users; if that is all you have, that is all you get.
By default everything is denied.
The general flow of the EuroCMS Access Control structure is as follows:
- Users
Check whether the user exists in the specific domain.
- Roles
The user exists and is logged in; now check the roles, then display the modules and widgets in the admin navigation menu.
- Features
The user sees the admin dashboard and clicks a link. By default the view is read only, so no other 'button' is available.
So, when the /users link is clicked, the features table is checked for which features the user may use in the users module, for example the add, delete and modify features.
Users
The users db table structure, with only the security-relevant columns shown:
| user_id | group_id | domain_id | email | pword | role | ip_allow | MFA_method | token | reg_date | act_date | status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | imri@eurobytes.nl | ENCRYPTED_PWORD | owner | 127.0.0.1 | | SHA512 | {DATE} | {DATE} | enabled |
| 2 | 1 | 1 | fyodor@dostoevsky.ru | ENCRYPTED_PWORD | editor | 127.0.0.1 | sms | SHA512 | {DATE} | {DATE} | enabled |
| 3 | 1 | 1 | franz@kafka.de | ENCRYPTED_PWORD | editor | 127.0.0.1 | questions | SHA512 | {DATE} | {DATE} | enabled |
When a user is created, a temporary token is generated and e-mailed to the user's e-mail address. For activation, they enter the token when they first log in.
Optional: enable location-based authentication.
After that, they can choose to disable the e-mail verification second factor.
Groups
The groups db table structure:
| group_id | group_id | domain_id | name | email | short_description | role | reg_date | act_date | status |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | admins | admins@eurobytes.eu | The admins | admin | {DATE} | {DATE} | enabled |
| 2 | 1 | 1 | EdiThors | editors@eurobytes.eu | The EdiThors | editor | {DATE} | {DATE} | enabled |
| 3 | 1 | 1 | themes | files@eurobytes.eu | The ThemesMan | themes | {DATE} | {DATE} | enabled |
Domain Based
Domain-based access control is also on by default: roles and permissions are set per installed domain name.
Role Based
The roles db table structure:
| role_id | domain_id | user_id | group_id | name | short_description | components | modules | themes | widgets |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | 1 | Editor | The EdiThors | modules,widgets,themes | admin,users,editor | Skeleton,W3schools | NavMenu,NewUbuntuRelease |
Feature Based
The db table structure of all available features. New features can be registered by modules, themes and widgets.
| feature_id | domain_id | user_id | group_id | name | short_description | component_type | component_owner |
|---|---|---|---|---|---|---|---|
| 1 | 1 | 2 | 1 | users_add | The ability to add users | module | users |
| 2 | 1 | 2 | 1 | users_delete | The ability to delete users | module | users |
| 3 | 1 | 2 | 1 | users_modify | The ability to modify users | module | users |
| 4 | 1 | 2 | 1 | users_mfa | The ability to add multi-factor authentication for users | module | users |
| 5 | 1 | 2 | 1 | editor_write | The ability to write content | module | EuroEditor |
| 6 | 1 | 2 | 1 | editor_delete | The ability to delete content | module | EuroEditor |
| 7 | 1 | 2 | 1 | editor_modify | The ability to modify content | module | EuroEditor |
| 8 | 1 | 2 | 1 | editor_publish | The ability to publish content | module | EuroEditor |
| 9 | 1 | 2 | 1 | themes_install | The ability to Install themes | themes | Skeleton |
| 10 | 1 | 2 | 1 | themes_remove | The ability to remove themes | themes | Skeleton |
| 11 | 1 | 2 | 1 | themes_modify | The ability to modify themes | themes | Skeleton |
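The following is an added example, not EuroCMS code, that walks the Users, Roles and Features flow described earlier against the users, roles and features tables above. The data set is constructed from the sample rows on this page (only the columns the checks need are kept, plus a disabled account, a user in another group and a `files_modify` feature added to show the denial paths). It assumes that a feature row's `user_id` and `group_id` columns name the grantees of that feature, that role names compare case-insensitively, and that the `components`/`modules`/`themes`/`widgets` columns of the roles row are comma-separated lists; every step that finds nothing is a denial, which is the "by default everything is denied" rule.

```python
import sqlite3

# Constructed data set, mirroring the sample rows of the users, roles and
# features tables. Rows marked "constructed" are not on the page.
SCHEMA = """
CREATE TABLE users(user_id INTEGER, group_id INTEGER, domain_id INTEGER,
                   email TEXT, role TEXT, status TEXT);
CREATE TABLE roles(role_id INTEGER, domain_id INTEGER, name TEXT,
                   modules TEXT, themes TEXT, widgets TEXT);
CREATE TABLE features(feature_id INTEGER, domain_id INTEGER, user_id INTEGER,
                      group_id INTEGER, name TEXT, component_type TEXT,
                      component_owner TEXT);
INSERT INTO users VALUES
  (1, 1, 1, 'imri@eurobytes.nl', 'owner', 'enabled'),
  (2, 1, 1, 'fyodor@dostoevsky.ru', 'editor', 'enabled'),
  (3, 1, 1, 'franz@kafka.de', 'editor', 'enabled'),
  (4, 1, 1, 'retired@eurobytes.nl', 'editor', 'disabled'),   -- constructed
  (5, 2, 1, 'guest@example.org', 'editor', 'enabled');       -- constructed
INSERT INTO roles VALUES
  (1, 1, 'Editor', 'admin,users,editor', 'Skeleton,W3schools', 'NavMenu,NewUbuntuRelease');
INSERT INTO features VALUES
  (1, 1, 2, 1, 'users_add', 'module', 'users'),
  (2, 1, 2, 1, 'users_delete', 'module', 'users'),
  (9, 1, 2, 1, 'themes_install', 'themes', 'Skeleton'),
  (12, 1, 2, 1, 'files_modify', 'module', 'files');          -- constructed
"""

# component_type value in the features table -> list column in the roles table
ROLE_COLUMN = {"module": 0, "themes": 1, "widgets": 2, "widget": 2}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def authorize(conn, domain_id, email, feature):
    """Users -> Roles -> Features. Returns (allowed, reason); any miss denies."""
    # 1. Users: does this account exist, and is it enabled, in this domain?
    user = conn.execute(
        "SELECT user_id, group_id, role, status FROM users "
        "WHERE domain_id = ? AND email = ?", (domain_id, email)).fetchone()
    if user is None:
        return False, "user not found in domain"
    user_id, group_id, role, status = user
    if status != "enabled":
        return False, "account is not enabled"

    # 2. Roles: which components does this role expose in this domain?
    role_row = conn.execute(
        "SELECT modules, themes, widgets FROM roles "
        "WHERE domain_id = ? AND lower(name) = lower(?)", (domain_id, role)).fetchone()
    if role_row is None:
        return False, f"role {role!r} is not defined in domain {domain_id}"
    exposed = [set(col.split(",")) for col in role_row]

    # 3. Features: is the feature registered here, owned by an exposed component,
    #    and granted to this user or their group? Otherwise the view is read only.
    rows = conn.execute(
        "SELECT user_id, group_id, component_type, component_owner FROM features "
        "WHERE domain_id = ? AND name = ?", (domain_id, feature)).fetchall()
    if not rows:
        return False, f"feature {feature!r} is not registered (default deny)"
    ctype, owner = rows[0][2], rows[0][3]
    if ctype not in ROLE_COLUMN or owner not in exposed[ROLE_COLUMN[ctype]]:
        return False, f"component {owner!r} is not exposed to the {role!r} role"
    if not any(r[0] == user_id or r[1] == group_id for r in rows):
        return False, f"{feature!r} not granted to user {user_id} or group {group_id}: read only"
    return True, f"{feature!r} granted through component {owner!r}"


if __name__ == "__main__":
    conn = open_db()
    for dom, email, feat in [
        (1, "fyodor@dostoevsky.ru", "users_add"),
        (1, "fyodor@dostoevsky.ru", "files_modify"),
        (1, "guest@example.org", "users_add"),
        (2, "fyodor@dostoevsky.ru", "users_add"),
    ]:
        print(dom, email, feat, authorize(conn, dom, email, feat))
```

Each denial names the step that failed, which is what an audit log of authorization decisions needs; the caller only ever sees allowed or denied. Note that with the page's sample rows the owner account has no matching roles row, so it is denied everything until one is added, which is the intended default rather than a special case.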
Reference
- https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
- https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf
- https://en.wikipedia.org/wiki/Role-based_access_control
- https://www.developer.com/open-source/creating-a-custom-acl-in-php/
- https://stackoverflow.com/a/4415733
- https://www.codementor.io/@geggleto/php-psr-7-acl-package-d0g72j59c
- https://www.openproject.org/docs/system-admin-guide/users-permissions/