[nycphp-talk] phpGACL access control

Dan Cech dcech at
Mon Aug 27 09:58:57 EDT 2007

Cliff Hirsch wrote:
> Does anyone use phpGACL? Good, bad, ugly? Alternative? Other suggestions for
> access control? This looks like an easy drop in, although the UI is wicked
> confusing.

Back in the day I actually rewrote most of the phpGACL database
structure and reskinned the 'wicked confusing' interface.  Unfortunately
the project I was planning to use it for never eventuated.

It has some definite strengths, not the least of which is that it is
seriously fast at answering questions like 'can user X perform action Y
on object Z?' due to the MPTT database structure, and the use of caching.

I dug up my tests from 2005, and on my P4 2.8 laptop with 1GB ram and a
5400rpm hdd, the average query time was 0.05s.  That is with no caching,
on a random database with 1,000 ACLs, 1,000 ACOs, 100,000 AROs, 1,000
ARO groups, 100,000 AXOs and 1,000 AXO groups.  If you want to do your
own performance testing the system ships with an included benchmarking

It isn't as quick at answering questions like 'who can perform action Y
on object Z?', 'which actions can user X perform on object Z?', or
'which objects can user X perform action Y on?'.  However, I don't know
of any quicker solution which supports the level of granularity it does.

I do believe that cakephp at least borrows some of the concepts, though
I'm not sure of that. Nate?

At the time I stopped active contribution to the project, the 2 main
things I wanted to add were:

1. The ability to support multiple 'root' ARO/AXO elements.

Currently the system requires a single 'root' node in each of these
trees.  Usually this is just a placeholder without any real use, but it
would be possible to add the ability to support multiple root nodes
which would be a neat way to partition the system and should yield a
speed increase.

2. Consolidation of the ARO and AXO system into a single tree.

Currently if you want to have permissions like 'user X can edit user Y',
you must have all your users and groups in both ARO and AXO trees.  It
would be much simpler to just have objects, groups and permissions.

If anyone were interested in implementing these features, I would be
more than happy to answer any questions.  Who knows, maybe the bug will
bite again and I'll implement them myself!


More information about the talk mailing list