Pádraic Brady: Example Zend Framework Blog Application Tutorial - Part 7: Authorisation with Zend_Acl and Revised Styling (9.5.2008, 12:04 UTC)
You'd never think a guy could write so much about a blog application but to date after 6 parts we have covered a mass of detail from initial setup of our project's directory structure to Authentication of users. To date the feedback has been overwhelmingly positive to this series and I'm presently collecting comments regarding improvements for later inclusion.

Today's entry concerns authorisation. We previously covered how to authenticate an author to the blog, but we still have nothing ensuring only authenticated authors can access the new Administration Module. This is the domain of Zend_Acl, an implementation of an Access Control List system which limits access to resources by the roles assigned to a user.

In the final section of this entry, we take a small detour into the world of CSS (which rarely works out for me ;-)) where I'll apply some small changes to our Layouts and add two new stylesheets. Once these are added, our infant blog application will look slightly more presentable than its current nakedness.

Step 1: Understanding Access Control Lists (ACL)

It can be a bit confusing to face off against ACL if you're new to the subject. In essence all ACL does is keep track of resources and roles.

As to what a resource is, it is anything to which access can be allowed or denied. For our blog application, I could decide that the Administration Module is itself one Resource. From there I can restrict all access to that entire Module, including all its Controller classes and Action methods (which are part of that single Resource). Or perhaps I could determine that only one Action method in the whole Module is a specific Resource, bearing in mind that Resources are nestable (i.e. a basket is a Resource, and each egg it holds is also a discrete Resource). Since each Resource can be given differing access rules, you can globally prevent non-author users from accessing the Administration Module, but maybe allow some registered users access to specific Actions in that Module as an exception to the global rule.

A lot of the time managing global rules, and then applying exception rules, is how ACL works in practice.

Explaining a Role is even simpler. Any visitor to the application can be assigned a Role which ACL rules may use to define that user's access to Resources. Typically the first Role everyone will receive is "guest". From there you can escalate Roles to offer visitors a greater degree of access to Resources. Any user can even be given multiple Roles. For example, if an author visits the blog they start with the role of "guest" but after authentication we might grant them the additional role of "author". If Roles dictate specific but limited responsibilities (perhaps there are "author" and "editor" Roles) you might decide to start tracking roles more elaborately, in a database possibly.

Going a bit further, if our Administration Module is a Resource called "admin" then we can decide that the only Role with access to it will be the "author" Role. Since our user has been authenticated and granted the "author" Role (either post-authentication or permanently recorded on the database), they can access the Administration Module.

Finally there is the concept of Privileges. Just because you can access a Resource does not instantly mean you should have total, uncontrolled access to it. You can limit control over a Resource using Privileges. Perhaps an Author can access the Admin Module (represented by an Admin Resource) but we want to deny Authors the privilege of deleting entries from the database.
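As an added illustration (not code from the tutorial), here is how the Roles, Resources and the "delete" Privilege described in Step 1 map onto Zend_Acl calls: a default-deny list, an "author" Role that inherits from "guest", an "admin" Resource with a nested child, and a per-privilege exception to the global allow rule. It assumes Zend Framework 1.5 or later on the include path; the child resource name `admin:entries`, the `edit` privilege and the printed check table are my own choices, not the tutorial's.

```php
<?php
// Added example, not part of the original tutorial: the blog's ACL in Zend_Acl.
// Assumes the Zend Framework library is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

function buildBlogAcl()
{
    $acl = new Zend_Acl();

    // Roles. "author" inherits from "guest": whatever a guest may do, an author may do too.
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('author'), 'guest');

    // Resources. The public site ("default") and the Administration Module ("admin").
    // "admin:entries" is a hypothetical nested Resource; it inherits the rules of "admin".
    $acl->add(new Zend_Acl_Resource('default'));
    $acl->add(new Zend_Acl_Resource('admin'));
    $acl->add(new Zend_Acl_Resource('admin:entries'), 'admin');

    // Global rule: Zend_Acl denies everything that is not explicitly allowed,
    // so guests are granted the public site and nothing else.
    $acl->allow('guest', 'default');

    // Authors may use the Administration Module with every privilege ...
    $acl->allow('author', 'admin');
    // ... except "delete", the exception to the global rule from the text above.
    $acl->deny('author', 'admin', 'delete');

    return $acl;
}

$acl = buildBlogAcl();

// Constructed checks: role, resource, privilege (null = "all privileges").
$checks = array(
    array('guest',  'default',       null),     // allowed
    array('guest',  'admin',         null),     // denied: default deny
    array('author', 'default',       null),     // allowed: inherited from guest
    array('author', 'admin',         'edit'),   // allowed
    array('author', 'admin',         'delete'), // denied: explicit exception
    array('author', 'admin:entries', 'delete'), // denied: inherited from "admin"
);

foreach ($checks as $check) {
    list($role, $resource, $privilege) = $check;
    printf("%-6s %-14s %-7s => %s\n", $role, $resource, (string) $privilege,
        $acl->isAllowed($role, $resource, $privilege) ? 'allowed' : 'denied');
}
```

Two points worth knowing before wiring this into a controller plugin: isAllowed() throws an exception for a Role or Resource that was never registered, so an unknown role must be mapped to "guest" (or checked with hasRole()) rather than passed straight through; and asking about a Resource with no privilege means "all privileges", so once a single privilege such as "delete" is denied, a bare isAllowed('author', 'admin') returns false even though every other privilege is allowed. Check the specific privilege an Action needs.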

Step 2: A Little Planning Goes A Long Way

Before we leap into the fray like a demented action hero, let's set out exactly what we're aiming for.

Since our blog is a relatively simple application, we really only need two Roles to start with. We'll call these guest and author. This may change in the future, perhaps we could allow for multiple Authors but one Editor capable of editing all posts. In that case we'd need to pick apart how that's implemented. But for now, two Roles is just fine.

As for Resources, the first is the public facing facade of our application where entries are displayed, logins performed, and comments made. The second is the Administration Module. Again, we could be more elaborate but let's not overcomplicate the application until we're forced to ;-). This suggests we only have two Resources: the Default Module and the Administration Module. Remember that the Default Module comprises everything not assigned

Truncated by Planet PHP, read more at the original (another 59382 bytes)

SitePoint Blogs » PHP: A PHP Guy’s Look At Python (9.5.2008, 08:24 UTC)

Against all odds, I found myself with a little spare time this week. Rather than do something sensible like clean the garage or get some exercise, I took the opportunity to learn a new programming language: Python.

Like many SitePoint readers, I cut my teeth on PHP. I’ve become very comfortable with it over the years, warts and all. PHP continues to be a dependable choice, but PHP hasn’t changed a whole lot lately. Meanwhile, the kinds of applications I’ve been working on have been growing dramatically in both size and complexity.

Python has a lot in common with PHP: it’s a dynamically typed, open source scripting language with excellent documentation and a thriving community around it. Both languages are also a little quirky when it comes to their handling of Unicode text.

Unlike PHP, Python wasn’t originally designed as a language for Web development—it’s a general programming language that just happens to have some excellent libraries and frameworks for building web sites, like Django. This may sound like an argument against Python, but it turns out that when you start writing bigger web applications, most of your code has nothing to do with HTML, and PHP’s HTML-friendly features just seem to get in the way.

Enough Hand-waving! What’s The Code Like?

Let’s look at some of the neat features of Python code.

The most distinguishing feature of Python code is the lack of braces or other delimiters around code blocks. Instead, Python uses the indenting of your code to indicate blocks:

print("Let's count to ten!")
for i in range(10):
    number = i + 1
    print(number)
print("All done!")

The above code includes a for loop that will run ten times. The two lines following the for statement are indented to indicate they’re within the for loop. The last line isn’t indented, so Python knows the for loop is finished.

At first it feels frighteningly fragile to trust indentation to describe the structure of your code; but once you get used to it, you’ll notice that your code looks less cluttered. Even better, you’ll find it easier to read Python code written by others, because developers are forced to indent their code neatly and consistently.

Python has a number of convenient, little features that make common tasks less cumbersome than in other languages. Take multiple assignment, for example, which lets you avoid creating temporary variables:

from __future__ import print_function  # makes print(a, b) behave the same on Python 2 and 3

a = 1
b = 2
print(a, b)     # prints '1 2'
a, b = b, a+b
print(a, b)     # prints '2 3'

Python also has a number of slick features for dealing with what it calls sequences. These let you split and combine lists (the equivalent of PHP arrays) and text strings using simple, consistent syntax, instead of having to remember obscure function names for each.

Python’s list comprehensions let you quickly build complex lists out of simple lists with a minimum of code. They’re a little hard to understand at first glance, but they quickly become indispensable:

me = 'Kevin Yank'
list(range(5))                           # [0, 1, 2, 3, 4]
[me[x] for x in range(5)]                # ['K', 'e', 'v', 'i', 'n']
[x for x in range(10) if x % 2 == 0]     # [0, 2, 4, 6, 8]
[me[x] for x in range(10) if x % 2 == 0] # ['K', 'v', 'n', 'Y', 'n']

But all that syntactic sugar aside, the biggest feature of Python that I appreciate after years of coding PHP is its sensible system of modules and packages for organizing code into multiple files. In PHP, when one script includes (or requires) another script, it runs the risk of having its own variable, function, and class names clobbered by the script that it is including.

Python automatically sets up a separate namespace for each file (called a module) that your program imports, so that naming conflicts are naturally avoided. This frees you up to choose shorter, more natural names (especially for classes in big projects), while at the same time forcing you to give more thought to the structure of your code.

Where to Begin?

There is little sense in learning a new language unless you have a reason to use it. For the past couple of years, that reason for many web developers has been Django. The best place to start, therefore, is probably SitePoint’s Django Djumpstart article.

More recently, a lot of developers are taking renewed interest in Python because it is the development language for Google App Engine. It’s worth

Truncated by Planet PHP, read more at the original (another 799 bytes)

Lukas Smith: MySQL enjoying its new home (9.5.2008, 06:16 UTC)

So it seems that Sun has made it clear that the core product will remain open source. Of course the definition of what is core and what isn't is up to Sun/MySQL to decide, but it seems that overall more things will be released as open source than if MySQL had gone through with its planned IPO. So this is a good thing. Speaking of non-core products, I really like what Mike and his team are doing in the GUI department with the workbench and their other GUI tools. However since Sun is friendly to PostgreSQL and actually also distributes SQLite (it's bundled with Solaris after all), I wonder if they are considering making their tools more and more portable across other RDBMS?

Sara Golemon: Monkey Business (9.5.2008, 05:30 UTC)

Rasmus already posted on his blog (with a great summary), so I won't bother rehashing everything, but I'm going to add a few things to his description as this is a product feature I've been closely involved with. Go read his description, then come on back... Done? okay...


Kinda cool, eh? One of the nice things about this (and I really need to emphasize this fact) is that it encourages site owners to provide more machine readable data on their sites via microformats and other feeds. In the short term this is good for Yahoo! since we're already set up to consume and use this data, but in the long term it's good for everyone. Other search engines get more data to give you better results, but more importantly all walks of app developers get richer, fuller access to meaningful data without having to write awkward page scrapers. The web just got a little more open.


Okay, I'll put the pom-poms down...


As Rasmus mentioned, you John Q. Developer, get to decide what data gets used and how it gets used. With the addition of all this new semantic data you can just walk through Yahoo's massive index (getting bigger thanks to microformats), but you can call out to external data sources too (yes, there are measures in place to limit baddies from DOSing innocents with Y! bandwidth).


Once you've got data, you get to write real code using a proper Turing-complete language, not yet-another-macro-language-that-lacks-proper-control-structures. Of course, it's not ALL of stock PHP. Again, we're not going to let you use Y! servers to hurt innocent users. Stop thinking bad thoughts... Okay thinking bad thoughts is fine, just don't act on 'em.


The best part is, it's my team that's been working on (part of) this. We can't take all the credit as there have been a lot of moving pieces, and I'll gladly share the blame with someone else (that's what product managers are for). I'm certain that bug you just found on the alpha version was introduced while I was on vacation. No no... it must have been the other Sara(h) working on that piece. WHY ARE YOU CHECKING THE CVS COMMIT LOG??? SOMEONE STOLE MY PASSWORD! I SWEAR! ;-)


Excited yet? Then you're a bit of a geek, go find a (boy|girl)friend... Can't find a snuggle-buddy? Live in the SF Bay Area? Come to the developer event and launch party! (it's not just a soirée, it's an event) I'll be there, and I'm worth it all on my own! Right? right...? Ooo?

Ken Guest: The Date_Holidays package, a pack of splitters and a pear tree. (9.5.2008, 00:20 UTC)

Some of you may know that I am a lead developer of the pear Date_Holidays package.

Date_Holidays helps you calculate the dates and titles of holidays and other special celebrations. This is all driver-based so it is easy to add new drivers that calculate a country’s holidays.
Until recently all of these drivers for individual countries were grouped together into one package.

We decided that this one package should be split into subpackages: one subpackage per region/country. One advantage of this approach is that each driver / filter / subpackage gets its own stability and version number - we wouldn’t have to keep increasing the version number of Date_Holidays each time a new driver is added or when an existing driver gets a significant number of fixes.

Therefore we now have subpackages such as Date_Holidays_Austria, Date_Holidays_Brazil etc etc.

If you want to use the new set of [sub]packages, the simplest thing to do is uninstall the package that you have installed:

$ sudo pear uninstall Date_Holidays

and then install the new package, with a group directive which will install all subpackages:

$ sudo pear install Date_Holidays#all

Christopher Jones: New AJAX & PHP Book from Oracle Press (8.5.2008, 23:17 UTC)
The prolific Michael McLauglin just sent me a copy of his other new book "Oracle Database AJAX & PHP Web Application Development", co-written with Lee Barney.

Last year I'd really wanted to extend our Oracle OpenWorld conference tutorial on PHP into this area. That didn't happen because the 2007 tutorial slots turned out to be very short. This year I'm pushing for a longer tutorial again, so the book is a welcome reminder about the topic.

I'm looking forward to reading it.

Internet Super Hero: PHP: PDO_MYSQLND 1.0.2-alpha released (8.5.2008, 20:34 UTC)
I am glad to announce the availability of the first alpha version of PDO_MYSQLND. PDO_MYSQLND is a PHP PDO driver for MySQL based on the MySQL native driver. PDO_MYSQLND 1.0.2-alpha is available for download on http://downloads.mysql.com/forge/pdo_mysqlnd_preview. Please read the announcement and check the MySQL Forge project page on PDO_MYSQLND for ...
Stuart Herbert: What Should An ORM Offer? (8.5.2008, 16:56 UTC)

I have a question for you: what features do you think a good PHP-centric ORM should offer?

planetphp: PHP Abstract Podcast Episode 39: Interview with Derick Rethans (8.5.2008, 16:34 UTC)

Today I’m going to talk to Derick Rethans. Derick Rethans provides solutions for Internet related problems. He has contributed in a number of ways to PHP, including the mcrypt, Date and input-filter extensions, bug fixes, additions and leading the QA team. He now works as project leader for the eZ components project for eZ systems A.S. In his spare time he likes to work on Xdebug, watch movies, travel and practise photography.



Pádraic Brady: Example Zend Framework Blog Application Tutorial - Part 6: Introduction to Zend_Form and Authentication with Zend_Auth (8.5.2008, 06:55 UTC)
In the previous entry, we created a new Administration Module to hold blog management functionality, added a Module specific layout for it, and discussed the upcoming need to ensure this is only accessible by authorised Authors. In this entry I'll unravel some of Zend_Form's mysteries in adding a login form, before using Zend_Auth to implement authentication for authors.

Previously: Part 5: Creating Models with Zend_Db and adding an Administration Module

Authentication in the Zend Framework is the domain of the Zend_Auth component, and it is really easy to use. Zend_Auth is really an abstract API to a number of components working in concert, and without the usual micromanagement of database interaction, sessions, cookies and user data persistence, it makes my life a lot simpler. Of course authentication demands a login form, and so I'll first visit using Zend_Form. Zend_Form is an interesting component because it's one of the worst to get started with. The manual, as it does for all components, does not impose a best practice for setting up forms. Mix that with the number of form organisations possible (class based, config based, view template based) and it can be very confusing.

Step 1: Adding a Login Action and View

Before we actually perform authentication, we need a login form. I've decided to attach all Author account actions to an Author Controller. Add a new file called AuthorController.php in /application/controllers/ containing the following:

<?php

class AuthorController extends Zend_Controller_Action
{
   
    public function loginAction()
    {
    }

    public function logoutAction()
    {
        $this->_forward('index', 'index');
    }
   
}


The logout action for the moment does nothing, but forwards /author/logout requests to the main index, just as I would intend to occur after a real logout.

We'll also add a matching template at /application/views/scripts/author/login.phtml:

<h2>Authentication</h2>
<p>Enter your author name and password below.</p>

<?php echo $this->loginForm ?>


Nothing major here, except for a mysterious reference to a view variable, $loginForm!

Step 2: Creating a Login form with Zend_Form

Zend_Form is one of the most recent additions to the Zend Framework with the release of 1.5. It's not surprising it took so long since a decent Form library is not a trivial component to get through development.

The object oriented approach to developing forms takes a bit of getting used to but it works wonders for simple forms that don't need a heavy design hand. I suppose from my own perspective it was design over functionality that first struck me as problematic when I started using Zend_Form but I think I'm over that learning curve, so let's see how this look at a simple two field login form goes ;-).
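As an added example (not the tutorial's own form, which is truncated on this page), here is a two-field login form written as a Zend_Form subclass, together with the loginAction from Step 1 wired to it so that login.phtml's `echo $this->loginForm` has something to render. The class name Form_Login, the action path and the length limit are assumptions; it relies on Zend Framework 1.5 or later with autoloading set up as in the earlier parts of the series.

```php
<?php
// Added example, not code from the tutorial: a two-field login form as a Zend_Form
// subclass, plus the AuthorController::loginAction() that consumes it.
// Assumptions: Zend Framework 1.5+, autoloading of Zend_* classes already registered,
// and that the autoloader can find a class named Form_Login.

class Form_Login extends Zend_Form
{
    public function init()
    {
        $this->setMethod('post');
        $this->setAction('/author/login');   // assumed route for this action

        // Author name: trimmed, tags stripped, must be present and of sane length.
        $username = $this->createElement('text', 'username');
        $username->setLabel('Author name')
                 ->setRequired(true)
                 ->addFilter('StringTrim')
                 ->addFilter('StripTags')
                 ->addValidator('StringLength', false, array(1, 64));

        // Password: required, deliberately unfiltered (every character is part of the
        // credential). Zend_Form_Element_Password never echoes its value back into the HTML.
        $password = $this->createElement('password', 'password');
        $password->setLabel('Password')
                 ->setRequired(true);

        // Anti-CSRF token: Zend_Form_Element_Hash stores a one-time value in the session
        // when the form is rendered and rejects a submission that does not carry it back.
        $csrf = $this->createElement('hash', 'csrf', array('salt' => 'login_form'));

        $this->addElements(array($username, $password, $csrf));
        $this->addElement('submit', 'login', array('label' => 'Log in'));
    }
}

class AuthorController extends Zend_Controller_Action
{
    public function loginAction()
    {
        $form    = new Form_Login();
        $request = $this->getRequest();

        // Only a POST that passes every filter, validator and the CSRF check is handed
        // on. A GET, or a submission that fails, simply re-renders the form with its
        // error messages; the password field comes back empty.
        if ($request->isPost() && $form->isValid($request->getPost())) {
            $username = $form->getValue('username');   // filtered value
            $password = $form->getValue('password');   // raw credential
            // Authentication of ($username, $password) with Zend_Auth is the subject of
            // the next step of the tutorial; on success, redirect away from the login page
            // rather than rendering it again.
        }

        $this->view->loginForm = $form;   // rendered by login.phtml via echo $this->loginForm
    }

    public function logoutAction()
    {
        $this->_forward('index', 'index');
    }
}
```

The design choice worth noting is the split between filters and validators: the username is normalised before it reaches the database or a log line, while the password is validated only for presence, because altering the credential (trimming it, say) silently changes what the user can log in with. The hash element costs one line and closes the classic cross-site login-form submission, so it belongs in any form that changes session state.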

I've deliberately selected a preferred form style to adhere to so this will necessitate customising Zend_Form options and decorators. It's standard based, tableless, composed of semantic markup, and still looks okay without CSS styling or when using a screenr

Truncated by Planet PHP, read more at the original (another 71795 bytes)
