Are BizRules (Business Rules) in RBAC really safe?
The idea of BizRules in RBAC (Role Based Access Control) makes me feel sick. It is basically a way to define a script to run against data during authorization.
For example, Yii framework supports it: http://www.yiiframework.com/doc/api/1.1/CAuthManager#createRole-detail
public CAuthItem createRole(string $name, string $description='', string $bizRule=NULL, mixed $data=NULL)
Here's the source code for executing a business rule:
/**
* Executes the specified business rule.
* @param string $bizRule the business rule to be executed.
* @param array $params parameters passed to {@link IAuthManager::checkAccess}.
* @param mixed $data additional data associated with the authorization item or assignment.
* @return boolean whether the business rule returns true.
* If the business rule is empty, it will still return true.
*/
public function executeBizRule($bizRule,$params,$data)
{
return $bizRule==='' || $bizRule===null || ($this->showErrors ? eval($bizRule)!=0 : @eval($bizRule)!=0);
}
So, you can do things like:
// Assume this bizRule: $bizRule='return Yii::app()->user->id==$params["post"]->authID;';
Yii::app()->user->checkAccess('createUser', array('post' => $post));
It basically evals the bizRule having the $params set to the given array in its context.
I don't like those business rules in terms of security. Is there a better way of doing it?
Maybe it will help somebody: if you have PHP 5.3, I think you can use lambda functions
// Compare the two values instead of assigning one to the other
$bizRule = function ($param) { return $param[1] == $param[2]; };
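To make the closure idea from the answer concrete, and to answer the question's "is there a better way", here is an added example (not Yii's code and not from either poster) of a tiny rule registry where each business rule is a closure defined in the code base and called directly, so no string from a database or config ever reaches eval. The class name AuthRuleRegistry, the method names, and the sample post/user values are all constructed for this example; it assumes PHP 7 or later.

```php
<?php
// Added example: bizRules as closures instead of eval'd strings.
// AuthRuleRegistry, addRule, checkAccess and the sample data below are
// assumptions made for this illustration, not part of Yii's CAuthManager.

final class AuthRuleRegistry
{
    /** @var array item name => rule closure */
    private $rules = [];

    /**
     * Register a rule. The rule body is PHP source that ships with the
     * application; it is never read from storage as a string, so there is
     * nothing for an attacker who controls the auth tables to inject.
     */
    public function addRule(string $itemName, callable $rule)
    {
        $this->rules[$itemName] = $rule;
    }

    /**
     * Evaluate the rule registered for $itemName.
     * Unknown items deny (fail closed); note that the eval-based
     * executeBizRule quoted in the question returns true for an empty rule.
     * $params and $data are passed as plain values only; nothing in them
     * is ever interpreted as code.
     */
    public function checkAccess(string $itemName, int $userId, array $params = [], $data = null): bool
    {
        if (!isset($this->rules[$itemName])) {
            return false;
        }
        return (bool) ($this->rules[$itemName])($userId, $params, $data);
    }
}

// Constructed sample data standing in for Yii::app()->user->id and a post record.
$post = (object) ['id' => 42, 'authID' => 7];

$registry = new AuthRuleRegistry();

// Closure equivalent of the string rule from the question:
// 'return Yii::app()->user->id==$params["post"]->authID;'
$registry->addRule('updateOwnPost', function (int $userId, array $params, $data): bool {
    return isset($params['post']) && $userId === (int) $params['post']->authID;
});

// A rule that uses the per-assignment $data slot (here: allowed categories).
$registry->addRule('postInCategory', function (int $userId, array $params, $data): bool {
    return is_array($data)
        && isset($params['category'])
        && in_array($params['category'], $data, true);
});

// Owner of the post, a different user, a category check, and an unregistered item.
var_dump($registry->checkAccess('updateOwnPost', 7, ['post' => $post]));
var_dump($registry->checkAccess('updateOwnPost', 8, ['post' => $post]));
var_dump($registry->checkAccess('postInCategory', 7, ['category' => 'news'], ['news', 'tech']));
var_dump($registry->checkAccess('noSuchItem', 7));
```

The design point is the separation of code from data: with eval, whoever can write the auth item table can run arbitrary PHP in the web process, so the rule string is as sensitive as the application source; with closures, the rules are reviewed and deployed with the code, and only plain values (user id, request parameters, assignment data) cross the boundary at runtime.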