Wednesday, January 27, 2010

Cubi Access Control (ACL)

Cubi will extend the existing Openbiz access control approach by allowing an administrator to manage role access to system resources. The following outlines how ACL is managed in Cubi.

Basic idea: define how a role can access application resources.

1. Define resources and their actions
Each module can have a mod.xml under the module root directory. In mod.xml there can be an "ACL" section containing multiple resources, and each resource can have more than one action. For example,
<ACL>
<Resource Name="User">
<Action Name="Administer_Users" Description="Administration of users"/>
</Resource>
</ACL>

2. Link a resource action to an Object
In each Openbiz object, the developer can set the Access attribute to a resource action. For example,
<EasyView Name="UserListView"... Access="User.Administer_User">
restricts system.view.UserListView to roles that are allowed the User.Administer_User action.

3. Assign role permissions to resource actions
On the role detail page, the user can pick "Allow" or "Deny" for each available resource action. Say we give the role "member" a "Deny" on User.Administer_User. Then when a user with the member role tries to access the RoleListView, an access denied page will be shown to the user.

The Access attribute can be given to View, Form, Element and DataObj.
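The three steps above, worked through as an added PHP example (this is not Cubi's or Openbiz's own code). It parses a constructed mod.xml ACL section, takes the Access value an object would carry, and decides Allow/Deny from a per-role permission table. The function and class names, the permission table shape, and the deny-by-default and explicit-Deny-wins rules are assumptions of the example, not documented Cubi behaviour; the action name follows the declaration spelling "Administer_Users".

```php
<?php
// Added example, not Cubi/Openbiz code. Names and rules here are assumptions.

// Constructed mod.xml ACL section (sample resource and action names).
$modXml = <<<XML
<Module Name="user">
  <ACL>
    <Resource Name="User">
      <Action Name="Administer_Users" Description="Administration of users"/>
      <Action Name="View_Users" Description="Read-only user list"/>
    </Resource>
  </ACL>
</Module>
XML;

/** Step 1: collect every "Resource.Action" key declared in the ACL section. */
function loadResourceActions(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $actions = [];
    foreach ($doc->ACL->Resource as $resource) {
        $resourceName = (string) $resource['Name'];
        foreach ($resource->Action as $action) {
            $actions[] = $resourceName . '.' . (string) $action['Name'];
        }
    }
    return $actions;
}

/**
 * Step 3: decide access for a user from the role permission table
 * (role => ['Resource.Action' => 'Allow'|'Deny']).
 * Assumptions: an action not listed for a role counts as denied, an explicit
 * Deny on any of the user's roles wins over an Allow on another role, and an
 * Access value that no mod.xml declares is a metadata error and is denied.
 */
function isAllowed(array $rolePerms, array $userRoles, string $accessKey, array $declared): bool
{
    if (!in_array($accessKey, $declared, true)) {
        return false;
    }
    $allowed = false;
    foreach ($userRoles as $role) {
        $decision = $rolePerms[$role][$accessKey] ?? null;
        if ($decision === 'Deny') {
            return false;
        }
        if ($decision === 'Allow') {
            $allowed = true;
        }
    }
    return $allowed;
}

// Constructed role table, as the role detail page would have filled it in.
$rolePerms = [
    'admin'  => ['User.Administer_Users' => 'Allow', 'User.View_Users' => 'Allow'],
    'member' => ['User.Administer_Users' => 'Deny',  'User.View_Users' => 'Allow'],
];
$declared = loadResourceActions($modXml);

// Step 2: the Access attribute as it would appear on <EasyView ... Access="...">.
$viewAccess = 'User.Administer_Users';

foreach ([['admin'], ['member'], ['member', 'admin']] as $roles) {
    $verdict = isAllowed($rolePerms, $roles, $viewAccess, $declared) ? 'allowed' : 'access denied';
    echo implode(',', $roles) . ' -> ' . $verdict . "\n";
}
```

The deny-by-default branch matters in practice: a typo in an Access attribute (the page itself spells the action both "Administer_Users" and "Administer_User") should surface as a denied request rather than as an object that nobody is restricted from.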

Saturday, January 23, 2010

Cubi Menu module (1)

Menus play a key role in any application. Not only do they help users navigate the application, they also help organize content.

Generally, menus can be classified into 2 types:
  • Static menu. Menu items are hard-coded in pages, templates, metadata files or source code. Users cannot change the menu from within the application.
  • Dynamic menu. The menu is generated from the database, and users can configure it in the application.
Static menus are simple and widely used in most applications, where navigation is designed into the product. Dynamic menus are commonly used in content-rich systems (like a CMS or forum) where the site administrator can configure the menu to let users navigate growing content.

Cubi is going to support both static and dynamic menus; the first Cubi release will support static menus. In Openbiz 2.4 there are 3 different types of navigation components:
  • Tab. Includes the top-level application tab and the in-page tab (2nd level)
  • Menu. Supports pull-down menus up to 3 levels deep
  • Tree. Organizes menu items in a tree style
All 3 components currently have their own metadata even though they describe the same thing internally. In Cubi we will have a separate Menu module, featuring:
  1. The same metadata for tab, menu and tree.
  2. Different templates to render a tab, menu or tree.
  3. An "Application tab" and an "Admin menu" for Cubi to use.
The menu metadata can use the one in the openbiz baseapp.

<menu Name="" Class="" TemplateEngine="PHP" TemplateFile="">
<menuitem url="" target="" text="a" icon="a.gif">
<menuitem url="" target="" text="a1" icon="a1.gif"/>
</menuitem>
</menu>
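An added PHP example of the "same metadata, different templates" idea (not Cubi's or Openbiz's own code). One parser turns the nested menuitem metadata into an array; three renderers then produce a tab bar (top level only), a pull-down menu cut off at 3 levels, and a tree of unlimited depth from that one array. The menu XML is constructed sample input, and the function names and output markup are assumptions.

```php
<?php
// Added example, not Cubi/Openbiz code. Function names and markup are assumptions.

// Constructed menu metadata following the <menu>/<menuitem> shape above.
$menuXml = <<<XML
<menu Name="AppMenu" Class="Menu" TemplateEngine="PHP" TemplateFile="menu.tpl">
  <menuitem url="/user" target="" text="Users" icon="user.gif">
    <menuitem url="/user/list" target="" text="User list" icon="list.gif"/>
    <menuitem url="/user/roles" target="" text="Roles" icon="role.gif">
      <menuitem url="/user/roles/acl" target="" text="ACL" icon="acl.gif">
        <menuitem url="/user/roles/acl/audit" target="" text="Audit" icon="audit.gif"/>
      </menuitem>
    </menuitem>
  </menuitem>
  <menuitem url="/system" target="" text="System" icon="sys.gif"/>
</menu>
XML;

/** Parse <menuitem> nodes into a nested array: the single metadata shape shared by all renderers. */
function parseMenuItems(SimpleXMLElement $parent): array
{
    $items = [];
    foreach ($parent->menuitem as $node) {
        $items[] = [
            'text'     => (string) $node['text'],
            'url'      => (string) $node['url'],
            'icon'     => (string) $node['icon'],
            'children' => parseMenuItems($node),
        ];
    }
    return $items;
}

/** Render one link; text and url are escaped because dynamic menus come from the database. */
function menuLink(array $item): string
{
    return '<a href="' . htmlspecialchars($item['url'], ENT_QUOTES) . '">'
         . htmlspecialchars($item['text'], ENT_QUOTES) . '</a>';
}

/** Tab template: top-level items only. */
function renderTabs(array $items): string
{
    $html = '<ul class="tabs">';
    foreach ($items as $item) {
        $html .= '<li>' . menuLink($item) . '</li>';
    }
    return $html . '</ul>';
}

/** Menu template: nested lists, stopping after $maxDepth levels (3 for a pull-down menu). */
function renderMenu(array $items, int $maxDepth = 3, int $depth = 1): string
{
    if ($depth > $maxDepth || $items === []) {
        return '';
    }
    $html = '<ul class="menu level' . $depth . '">';
    foreach ($items as $item) {
        $html .= '<li>' . menuLink($item)
               . renderMenu($item['children'], $maxDepth, $depth + 1) . '</li>';
    }
    return $html . '</ul>';
}

/** Tree template: indented plain text, unlimited depth. */
function renderTree(array $items, int $depth = 0): string
{
    $out = '';
    foreach ($items as $item) {
        $out .= str_repeat('  ', $depth) . '- ' . $item['text'] . "\n"
              . renderTree($item['children'], $depth + 1);
    }
    return $out;
}

$items = parseMenuItems(new SimpleXMLElement($menuXml));
echo renderTabs($items), "\n\n", renderMenu($items), "\n\n", renderTree($items);
```

With the sample metadata the tab renderer shows only "Users" and "System", the menu renderer stops at "ACL" (the fourth level "Audit" is dropped), and the tree shows every level, so the depth limit lives in the template and not in the metadata.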

Thursday, January 21, 2010

Add more security on the server actions

The Openbiz framework lets a browser client invoke server object methods through Ajax calls. Developers can add rules to protect individual actions (e.g. UpdateCondition and DeleteCondition in 2.3, and ACL control in Cubi), but people may want an easier way to filter out unsafe actions triggered from the browser.

Here is the proposal for a so-called "safe actions filter" in Openbiz 2.4. It will be released to the 2.4 SVN before February.

First, only Form object method calls from the browser are allowed. Method calls on other objects are blocked by the controller.

Second, the EasyForm class will have a new method
public function getMethodsWhiteList()
This method returns the list of methods that are exposed to the browser client. By default EasyForm will compose the list from:
  • All methods that are defined in the form metadata EventHandlers. Say you have 2 EventHandlers on 2 button elements of user.AccountForm, linking to the methods "editAccount" and "resetPassword". Then only these 2 methods are in the white list.
  • Some safe methods like "selectRecord" which are usually not linked to an event handler.
When a server action is invoked (through Ajax, for example), the controller first checks that the target object is a form object, then checks that the called method is in the white list. This gives more security to the server-side logic.

getMethodsWhiteList() can be overridden in any form class to implement custom logic.
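The proposed filter, modelled as an added PHP example (not the Openbiz 2.4 implementation). A minimal EasyForm reads the EventHandler entries from constructed form metadata to build its white list, adds the safe "selectRecord" method, and a controller function applies the two checks, form object first and white list second, before calling anything. Everything except the name getMethodsWhiteList is an assumption: the EventHandler attribute names, the Function="name()" format, the class and method names, and the exception-based blocking.

```php
<?php
// Added example, not Openbiz code. Metadata attribute names and class layout are assumptions.

// Constructed metadata standing in for user.AccountForm: two button elements
// whose EventHandlers point at editAccount and resetPassword.
$formXml = <<<XML
<EasyForm Name="AccountForm" Class="EasyForm">
  <Elements>
    <Element Name="btnEdit" Class="Button">
      <EventHandlers>
        <EventHandler Name="onClick" Event="onclick" Function="editAccount()"/>
      </EventHandlers>
    </Element>
    <Element Name="btnReset" Class="Button">
      <EventHandlers>
        <EventHandler Name="onClick" Event="onclick" Function="resetPassword()"/>
      </EventHandlers>
    </Element>
  </Elements>
</EasyForm>
XML;

class EasyForm
{
    private $handlerMethods = [];

    public function __construct(string $xml)
    {
        $doc = new SimpleXMLElement($xml);
        foreach ($doc->xpath('//EventHandler') as $handler) {
            // Function="editAccount()" gives the method name "editAccount".
            if (preg_match('/^(\w+)\s*\(/', (string) $handler['Function'], $m)) {
                $this->handlerMethods[] = $m[1];
            }
        }
    }

    /** Methods the browser may invoke: metadata event handlers plus known-safe methods. */
    public function getMethodsWhiteList(): array
    {
        return array_values(array_unique(array_merge($this->handlerMethods, ['selectRecord'])));
    }

    public function editAccount(): string   { return 'account edited'; }
    public function resetPassword(): string { return 'password reset mail queued'; }
    public function selectRecord(): string  { return 'record selected'; }

    // A public helper used by server-side code only: it exists on the class
    // but is not on the white list, so the controller never calls it for a browser request.
    public function rebuildIndex(): string  { return 'index rebuilt'; }
}

// A non-form object; the first check blocks it regardless of the method.
class DataObj
{
    public function deleteRecord(): string { return 'record deleted'; }
}

/** Controller dispatch for a browser-triggered action: both checks run before the call. */
function invokeFromBrowser(object $target, string $method): string
{
    if (!$target instanceof EasyForm) {
        throw new RuntimeException('only Form objects may be called from the browser');
    }
    if (!in_array($method, $target->getMethodsWhiteList(), true)) {
        throw new RuntimeException("method $method is not on the white list");
    }
    return $target->$method();
}

$form = new EasyForm($formXml);
$requests = [
    [$form, 'editAccount'],
    [$form, 'selectRecord'],
    [$form, 'rebuildIndex'],
    [new DataObj(), 'deleteRecord'],
];
foreach ($requests as [$obj, $method]) {
    try {
        echo get_class($obj) . "::$method -> " . invokeFromBrowser($obj, $method) . "\n";
    } catch (RuntimeException $e) {
        echo get_class($obj) . "::$method -> blocked (" . $e->getMessage() . ")\n";
    }
}
```

The white list is derived from the metadata rather than maintained by hand, so adding a button with a new EventHandler exposes exactly that one method; a form that needs more can override getMethodsWhiteList() and merge its own entries with the parent's list.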

Tuesday, January 19, 2010

Cubi - PHP Application Platform

Cubi is a PHP application platform. It is actually an application built on Openbiz. The goal of Cubi is to provide commonly used functionality at the platform level. It will boost the productivity of Openbiz-based application development.

Cubi 0.1 is planned for release in Feb 2010. It will include the following features.

- User management. Administer users and assign roles to users
- Role management. Administer roles and assign ACL to roles. Permission control is done here by assigning module actions to a role
- Module management. Load new modules, reload modules, check module resource actions related to ACL
- Email queue and log
- Cronjob manager (not done yet)
- Event log manager
- New naming convention for metadata files
- Menu module. This is to manage application menus. (not started yet, might not be in first release)

User login and my account
- User login
- Forgot password and password reset email
- User registration and welcome email