Access Control and RBAC (Roles Based Access Control) In PHP Hybrid (procedural and OOP) application

I have this PHP Hybrid (procedural and OOP) application that I would like to create an RBAC for.

I can create the database tables (permissions, roles, users etc.), and I can also find a lot of articles about the subject online, but they all seem to be missing the most important part: "the resource" that we want to protect.

Zend_ACL seems ok but my application is not MVC framework based.

Question 1: I am wondering if Zend_ACL is loosely coupled enough to use even though my entire application is not object based.

Question 2: How do I define the resources when the entire application is not object-based?

Question 3: Is there any good non-obsolete whitepaper out there that could allow me to create a role based system when dealing with a heterogeneous (procedural and OOP) system?

Thanks Again

"Resources" are just a very generic, abstract thing; in practice it can be anything. In a well-structured MVC architecture this resource usually corresponds to class/method names, which in turn correspond to URLs. That's just as arbitrary as anything else though. Even in purely procedural PHP, you can arbitrarily define resources:

$resource = 'root.foo.bar';
$user     = getCurrentUser();

if (!isAllowedToAccess($user, $resource)) {
    exit;
}

// do something that represents root.foo.bar

Keeping track of which of your code represents actions on what resource is harder without a good OO structure, but by no means impossible. You may simply go by the file names of scripts, if those are well organized.

I can't say anything specifically about Zend_ACL, but I'd be surprised if it was hardwired to OO concepts.
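An added example (not part of the original answer) of how the dotted resource names and the script-file-name mapping described above could back a deny-by-default check in procedural PHP. The role and user tables, `resourceFromScript()` and `requireAccess()` are hypothetical names, and this body for `isAllowedToAccess()` is an assumption, since the answer only shows the call.

```php
<?php
declare(strict_types=1);

// Constructed sample data; a real application would load these from its
// roles / permissions / users tables.
const ROLE_GRANTS = [
    'editor' => ['root.articles', 'root.media.upload'],
    'admin'  => ['root'],                 // a grant on a node covers its subtree
];
const USER_ROLES = ['alice' => ['editor'], 'bob' => ['admin']];

// Map a script path relative to the application root to a resource name:
// "admin/users.php" -> "root.admin.users". Returns null for anything that is
// not plain name segments, so odd paths never match a grant.
function resourceFromScript(string $relativePath): ?string
{
    $path = (string) preg_replace('/\.php$/', '', trim($relativePath, '/'));
    if (!preg_match('#^[a-z0-9_]+(/[a-z0-9_]+)*$#i', $path)) {
        return null;
    }
    return 'root.' . str_replace('/', '.', $path);
}

// Deny by default: unknown users, unknown roles and null resources get false.
function isAllowedToAccess(string $user, ?string $resource): bool
{
    if ($resource === null) {
        return false;
    }
    foreach (USER_ROLES[$user] ?? [] as $role) {
        foreach (ROLE_GRANTS[$role] ?? [] as $grant) {
            // Match the node itself or a descendant; the trailing dot stops
            // "root.articles" from matching "root.articles_private".
            if ($resource === $grant || strpos($resource, $grant . '.') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Guard to call at the top of each procedural script.
function requireAccess(string $user, ?string $resource): void
{
    if (!isAllowedToAccess($user, $resource)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

var_dump(isAllowedToAccess('alice', resourceFromScript('articles/edit.php'))); // true
var_dump(isAllowedToAccess('alice', resourceFromScript('admin/users.php')));   // false
var_dump(isAllowedToAccess('bob', resourceFromScript('admin/users.php')));     // true
```

The path passed to `resourceFromScript()` should be derived from the script's own location on disk, not from request input, so a caller cannot choose which resource is checked.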
