Authorization: The Idea
A Smalldb state machine performs operations only when a transition is invoked. So the control what a user can do is reduced to what transitions he can invoke. When the user is not allowed to invoke a transition, it is as the given arrow is missing in the state diagram.
The state machine definition contains rules specifying who can invoke a transition, and each transition has one of these rules assigned. The rule can refer to user’s role or his relation to another entity (to express ownership or similar features).
Since the whole security model is defined in one place, it is relatively easy to verify the correctness of the application’s security model. Also, the rules can be visualized in the state diagram, making the verification even easier.
Controllers and views can check the availability of relevant transitions to hide parts of a user interface, which would invoke unavailable transitions. But it is only a matter of usability and aesthetics because even if the user interface is available to the unprivileged user, the permissions are always verified at the state machine (model) level, and the user is not allowed to do anything he is not supposed to.
The following diagram shows an article state machine with two user roles. An author is allowed (hollow blue arrows) to write and submit an article. An editor is allowed (filled red arrows) to return the article to the author or reject/accept it for publishing. Once the article is in “Published”, “Rejected”, or “Waiting” state the author cannot do anything with it because no blue arrows are leading from these states (and the author does not see the red arrows).
Note that while the editor is defined using a simple role-based condition, the authorship is a relation between a particular article and its author. The “Create” transition is available to all users (black arrow) because there is no author to a non-existent article.
From a perspective of formal analysis, the otherwise tiresome properties, like state reachability or liveness of a state machine, are much more interesting when access control is in play. We can use these properties to make sure users would not get stuck somewhere, and they can reach their goals.
Fluent Calculus and Permission Model in SQL
Integration with Symfony
See also …