Joomla has announced availability of a new ACL: http://is.gd/iA5B and they seem pretty excited about it. Is that something for the Drupal community to be jealous of?
If you come from a Java/J2EE background the clear answer is: NO (yes, in capital letters). You have to actually suffer from a structured, strict ACL to really appreciate the simplicity of a security system like that of Drupal.
Now, you may argue that Drupal security is slightly over-simplistic and too code-oriented (which makes us, the developers, happy) for "business" use.
OK, but it does not have to be a "hierarchical ACL" or string-based security. Could a flexible, rules-based security system be the answer?
Zed Shaw, of the RoR world, has some very interesting things to say on the subject:
http://vimeo.com/2723800
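To make the contrast in the post concrete, here is an added example (not code from the original post, Drupal or Joomla) that answers the same question, "may this user perform this action on this object?", in the two styles under discussion. The first half is a hierarchical ACL: grants hang off roles, roles inherit from a parent, and a lookup walks the tree. The second half is modelled on Drupal's node-access hooks, where each module contributes a predicate returning allow, deny or ignore, a single deny wins, and nothing is granted unless some rule says allow. The roles, users, nodes and the "embargo" rule are constructed for illustration; the point is that the embargo is a business rule the ACL has no slot for, while in the rules style it is just one more predicate a module registers next to the logic it protects.

```python
"""Added example: a hierarchical ACL lookup next to a rules-based
(allow / deny / ignore) access check. All data below is constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

# --- 1. hierarchical ACL ---------------------------------------------------

# role -> (parent role, set of "object:action" grants); constructed tree
ROLE_TREE: Dict[str, Tuple[Optional[str], Set[str]]] = {
    "anonymous": (None, {"article:view"}),
    "authenticated": ("anonymous", {"article:comment"}),
    "editor": ("authenticated", {"article:edit", "article:publish"}),
    "admin": ("editor", {"*:*"}),
}

def acl_allows(role: str, obj_type: str, action: str) -> bool:
    """Walk up the role hierarchy until a grant (or wildcard) matches."""
    wanted = {f"{obj_type}:{action}", f"{obj_type}:*", f"*:{action}", "*:*"}
    seen: Set[str] = set()
    current: Optional[str] = role
    while current is not None:
        if current in seen:            # refuse to loop on a malformed tree
            raise ValueError("cycle in role hierarchy")
        seen.add(current)
        parent, grants = ROLE_TREE[current]
        if grants & wanted:
            return True
        current = parent
    return False                       # nothing matched: deny by default

# --- 2. rules-based access (modelled on Drupal's allow/deny/ignore hooks) --

class Access(Enum):
    ALLOW = "allow"
    DENY = "deny"
    IGNORE = "ignore"

@dataclass
class User:
    uid: int
    roles: Set[str] = field(default_factory=set)

@dataclass
class Node:
    nid: int
    author: int
    published: bool
    embargoed: bool = False            # constructed business attribute

Rule = Callable[[User, Node, str], Access]
RULES: List[Rule] = []

def rule(fn: Rule) -> Rule:
    """Register a rule, the way a module would from its own code."""
    RULES.append(fn)
    return fn

@rule
def published_is_viewable(user: User, node: Node, action: str) -> Access:
    return Access.ALLOW if action == "view" and node.published else Access.IGNORE

@rule
def authors_edit_own(user: User, node: Node, action: str) -> Access:
    return Access.ALLOW if action == "edit" and node.author == user.uid else Access.IGNORE

@rule
def editors_edit_anything(user: User, node: Node, action: str) -> Access:
    return Access.ALLOW if action == "edit" and "editor" in user.roles else Access.IGNORE

@rule
def embargo(user: User, node: Node, action: str) -> Access:
    # Business rule: only the author may touch an embargoed node, whatever
    # their role. One DENY here overrides every ALLOW from the other rules.
    if node.embargoed and node.author != user.uid:
        return Access.DENY
    return Access.IGNORE

def rules_allow(user: User, node: Node, action: str) -> bool:
    """Deny wins; otherwise at least one ALLOW is needed; otherwise refused."""
    verdicts = {r(user, node, action) for r in RULES}
    if Access.DENY in verdicts:
        return False
    return Access.ALLOW in verdicts
```

Adding the embargo to the ACL would mean inventing a new object type or a new role for every embargoed article; in the rules style the module that owns the embargo feature owns its access rule too, which is the "security as part of the business logic" position the post is arguing for.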

Comments
Read this : http://www.garfieldtech.com/blog/hierarchical-acls
Thanks for the article. I must admit, I still think that the thought-process in the article leads to a classic ACL, a path that other systems (e.g. Java) have gone down and failed on. That's why I posted Zed's video - he describes very well a practical example and reasons why ACL is limited as a concept - no matter how well/poorly you implement it.
Not to start a flame-debate, but ACL for security is what strong typing is for programming languages. It brings structure that "helps" in several abstract, imaginary example cases. Alas, real life and real projects are incomparably more complex and the rigid structure (wildcards do not make it less rigid) will sooner or later lead to a dead-end, for any application except the most primitive ones.
In my experience, shared by lots of seasoned engineers I talk to, the only way to build a truly flexible and human-friendly security system is to have no initial structure (so that nothing gets in your way) and allow the definition of business-oriented rules. Each use-case needs its own set of rules. Security of a module is an integral part of its business logic. It's not something you slap on top of it. Each module should decide what part of it is exposed to the user.
Generalizing on the level of objects and actions and hierarchies of roles has never led to a simpler life, in my experience, and I have seen more than one security implementation.
I guess my question is - a more sophisticated ACL is more powerful than less sophisticated ACL - but is ACL the right way to go, in the first place? Is it where Drupal should be heading in the long term?
I think that it is NOT. I would love to hear from people who think it is and why they think so. Examples from practical experience are most welcome.
.............................................
http://twitter.com/inadarei