A BRIEF INTRODUCTION TO APPLESEED SECURITY.


So far, Appleseed's internal security is based on which directory a user is currently viewing. Since mod_rewrite is used to hide any post variables or script names from the user, all URLs for Appleseed are directory names. This makes security settings easier to manage.

You'll notice that the userAccess table has only five important fields: Location, r, w, a, and Inheritance. The first four fields are pretty self-explanatory. The Location field is matched with the user's current location. For instance, if the user is viewing /admin/users/questions/, then calling the cUSER :: Access routine will match that directory with any records in the userAccess table to find the Read (r), Write (w), and Admin (a) capabilities of the current user.

The Read (r) field states whether a user can read the data from a certain area, the Write (w) field whether they can write changes to the database, and the Admin (a) field whether they have administrator access to that area.

The interesting part is the Inheritance field. If this is set to true, then the r/w/a values will inherit down the directory hierarchy. For instance, if a user has full access to /admin/, and Inheritance is set, they also have access to /admin/users/, /admin/users/questions/ and so on. This makes setting up an administrator account simple. Log in to Appleseed, go to Admin | Users | Access, and add a record for a user with a Location of /admin/, r/w/a values of TRUE, and Inheritance set to TRUE.

The exception is if a userAccess record exists for a directory within the inherited hierarchy. This is a good way to grant administrative privileges, but still restrict a user's movement to certain areas. For instance, if you set up a secondary administrator account, but you didn't want that user to be able to modify other users' access (thus granting new admin privileges), then you could go to Admin | Users | Access, and create a record for that user with a Location of /admin/users/access/ and r/w/a values of False. Setting inheritance here will make all directories after /admin/users/access/ also inaccessible.
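
The lookup described above, sketched as an added Python example (this is not Appleseed's own code): the most specific record wins, and a record on a parent directory applies only when its Inheritance flag is set. The names AccessRecord and resolve_access, the deny-by-default result when nothing matches, and skipping a non-inheriting parent record are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator, Tuple

@dataclass(frozen=True)
class AccessRecord:
    """One userAccess row for a single user (field names follow the table)."""
    location: str
    r: bool
    w: bool
    a: bool
    inheritance: bool

DENY = (False, False, False)  # assumption: no matching record means no access

def _segments(path: str) -> list:
    # Collapse empty segments so "/admin//users" and "/admin/users/" compare equal.
    return [p for p in path.split("/") if p]

def _candidates(path: str) -> Iterator[str]:
    """Yield the directory itself, then each parent, most specific first."""
    parts = _segments(path)
    for n in range(len(parts), -1, -1):
        yield "/" + "".join(p + "/" for p in parts[:n])

def resolve_access(records: Iterable[AccessRecord], path: str) -> Tuple[bool, bool, bool]:
    """Return (r, w, a) for the directory being viewed."""
    by_location = {next(_candidates(rec.location)): rec for rec in records}
    for depth, location in enumerate(_candidates(path)):
        rec = by_location.get(location)
        if rec is None:
            continue
        # An exact match always applies; a parent's record only if it inherits.
        if depth == 0 or rec.inheritance:
            return (rec.r, rec.w, rec.a)
    return DENY

# Constructed sample: the secondary administrator from the text.
SECONDARY_ADMIN = [
    AccessRecord("/admin/", True, True, True, inheritance=True),
    AccessRecord("/admin/users/access/", False, False, False, inheritance=True),
]

if __name__ == "__main__":
    for p in ("/admin/users/questions/", "/admin/users/access/",
              "/admin/users/access/edit/", "/profile/"):
        print(p, resolve_access(SECONDARY_ADMIN, p))
```

If the deny record on /admin/users/access/ is stored without Inheritance, directories beneath it fall back to the inherited /admin/ grant under these assumptions, which is why the text recommends setting inheritance on the restricting record.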

This early on, this security method hasn't been fully tested. However, it has provided some good groundwork for ensuring that Appleseed's security is in place as it gets developed and grows into a full-scale application.


  April 26, 2005 - Revision 0.1