Use LiveUser for authentication and permission management with the Zend Framework

October 6, 2006

Tutorials, Zend Framework

h2. Introduction

When building a web site or application there comes a moment when you will most likely need to implement access restrictions. Two parts come in to play, first there is authentication (ususally implemented as username/password combination) and then authorization (or permission) to make sure a user is allowed to do what he is trying to do.

LiveUser provides you with a framework to make it easy to implement both aspects. It has a container approach giving a lot of flexibility in writing your own schemes if the bundled ones do not meet your needs. All containers use a unified API that makes switching between containers as painless as possible.

We will see one way to integrate the Zend Framework Controller with LiveUser.

We will build a simple application, the backend to manage a list of concerts. The basic theory is that every page requires the user to be authenticated, this postulates makes it easy to write the associated code.

Diferrent complexity levels existing for permissions. The following list should help you choose. An important thing to note, since all containers use the same API switching between levels does not require you to change your code !

Simple

* Users
* Rights
* Rights asigned to users

Medium

* what Simple offers plus
* Groups
* Rights asigned to groups

Complex

* what Medium offers plus
* Implied rights
* Levels of rights (to limit access based on ownership)

h2. Install LiveUser

Prior to anything we need to install LiveUser. Having a working pear installer is the first step, running PHP 5.1+ makes that really easy

* dowload “http://pear.php.net/go-pear.phar”:http://pear.php.net/go-pear.phar
* php go-pear.phar
* follow the instructions, you now have the pear installer available

Now we can install LiveUser with its dependencies

pear install -a liveuser

h2. Getting Started

To get right into the topic we need to do a bit of setting up. We will use the database drivers for both authentication and permission management.

h3. Create the DB

There are two ways to go about this

Bundled with LiveUser is a script using MDB2_Schema to create a database for many different RDBMS. Simply use the install.php script which is located in PEAR_DATA_DIRECTORY/LiveUser/misc/schema (you can find what directory it is issuing pear config-show).

You will find a MySQL dump for convenience at the following URL.

“http://www.limbourg.com/arnaud/code/devzone/liveuser_zf.sql”:http://www.limbourg.com/arnaud/code/devzone/liveuser_zf.sql

h3. Set up the configuration

You can use the following stripped down version of the configuration array LiveUser expects. Just change the DSN to access the database. Please note there are two DSN to change since authentication and permissions are managed separatly.


 $users_conf =
    array(
        'debug' => true,
        'session'  => array(
            'name'     => 'PHPSESSION',
            'varname'  => 'ludata'
        ),
        'authContainers' => array(
            'DB' => array(
                'type'          => 'PDO',
                'storage' => array(
                    'dbc' => $pdo,
                    'passwordEncryptionMode'=> 'md5',
                    'alias' => array(
                      'auth_user_id' => 'authUserId'
                        )
                    ),
                )
            ),
        'permContainer' => array(
            'type' => 'Simple',
            'storage' => array(
                 'PDO' => array(
                     'dbc' => $pdo,
                 ),
        ),
    )
 );

The full configuration array can be much bigger. You can specify custom table and fields names to help migrate existing databases, set specific cookie timeout, rememberMe cookie, etc).

h2. LiveUser usage in the framework

h3. Authentication for every page

The authentication check will be implemented into the main index.php file.


 $liveuser = LiveUser::factory($users_conf);

 if (!$liveuser->init()) {
    echo 'cannot initialize liveuser, show the reason(s)';
    var_dump($liveuser->getErrors());
    exit(1);
 }

 $username = (array_key_exists('username', $_POST)) ? $_POST['username'] : null;

 if (is_null($username) == false) {
    $password = (array_key_exists('passwd', $_POST)) ? $_POST['passwd'] : null;
    $liveuser->login($username, $password);

    switch ($liveuser->getStatus()) {
        case LIVEUSER_STATUS_AUTHFAILED:
            echo 'Cannot authenticate user wrong username/password';
            break;
        case LIVEUSER_STATUS_OK:
            break;
        default:
            if (DEV) {
                echo 'Error during authentication';
                var_dump($liveuser);
                exit();
            } else {
                echo 'An error occurred';
                exit();
            }
    }
 }
 // extra code

 Zend::register('user', $liveuser);

h3. Permission checks in the controller

I like to put the permission checks in every action that needs it, it reduces the magic of “How come it tells me I cannot do that when I cannot see any check in the controller !”.

Before going on checking the right on a user you need to generate the mapping between the rights ids in the database and a readable name (unless you are sure you know what right id 354 is :). That mapping can take two forms, either as constants definitions or an array.

To generate this file you need to call the outputRightsConstants() on a LiveUser admin object.


 // define a right constant
 define('TEST', '1');

Once the file is generated you can go on.


 // in every controller action that needs to do some right checking so something like the following

    public function indexAction()
    {
        $user = Zend::registry('user');
        if ($user->checkRight(TEST)) {
            echo 'Congratulations you have the right ! logout';
        } else {
            echo 'You do not have this right logout';
        }
    }

Setting up LiveUser can be the most daunting task, especially when it does not work right out of the box. An important feature is the _debug_ parameter in the configuration. All errors will be logged to a separate window (allow popups if you need !) hopefully giving you all the information you need to fix any issue. Once this is done usage is pretty straightforward.

You can download the code from “http://www.limbourg.com/arnaud/code/devzone/liveuser_devzone.zip”:http://www.limbourg.com/arnaud/code/devzone/liveuser_devzone.zip

Please not this is one way to do it, there are others.

h2. Notes

* LiveUser is not E_STRICT compatible at the time of writing. One thing to note is that E_STRICT differs between PHP versions
* There is no “official” GUI to manage the users. A good project could be to write one using the ZF :)
* Bundled with LiveUser are containers for PEAR::DB, PEAR::MDB, PEAR::MDB2 and PDO (PHP5 only). Liveuser container approach makes it fairly easy to write a soap or ldap backend, do not hesitate to contribute)

2 Responses to “Use LiveUser for authentication and permission management with the Zend Framework”

  1. bubu3k Says:

    http://forum.myflashxml.it/packages-f58/gestione-utenti-con-liveuser-t71475.html

    here i am making a full working example of liveuser and liveuser _admin

    please help

  2. miwiki Says:

    check http://code.google.com/p/liveuseradminflex/ as the fresh, simple GUI for the management of liveuser.