Jump to content

role based access and the problem of the owner


koen

Recommended Posts

There's one thing I can't fit in a role based system: the owner of a domain/resource/object/whatever-name-for-the-area-under-control. Normally you'd assign a role or roles to a user, then somewhere in your code you ask the ACL system whether the user can do X on Y. Eg $acl -> userAllowed('edit', 'post'). But what about things where a role doesn't really fit, eg a profile. Every user has a profile, and only the user that owns the profile can modify it (or the administrator and optionally some roles).

 

Clearly you can't set a rule like $acl -> allow('registered_users', 'edit', profile). That would many any registered user can edit the profile of any other registered user. Also a rule like $acl -> allow('userID25', 'edit', 'profile25') would't really be practical.

 

Ideally you'd have a rule like $acl -> allow('self', 'edit', 'profile'). But how could that be implemented (in the DB and asking for authorization with userAllowed())?

Link to comment
Share on other sites

A possibility is to demand an author for every area under control (auc).

 

Eg:

 

interface auc_interface {

 

function getComponentID() {}

 

function getAuthor() {}

 

}

 

Then the acl can check if the author is the same as the user the acl was created for and if there's a match the 'self' role comes in to play. A rule like $acl -> allow('self', 'profile', 'edit') would then make sense. The only thing that's a bit awkward is to have an author for every auc.

Link to comment
Share on other sites

I don't think it's practical to use an ACL system for every single possible permission in a system; rather I think ACL is best used for general categories of items.  At some point in a complex application, determining if an object can or can not perform a task requires more logic than a yes / no check.  At that point you have two options: try and coerce your existing ACL system to do things it wasn't intended ~OR~ conjure up a simple logic language of your own to build into your current system.  Option one can become cumbersome if done incorrectly and option two is already supported via regular PHP code.

 

Just my $.02

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.