koen Posted November 26, 2007 Share Posted November 26, 2007 There's one thing I can't fit in a role based system: the owner of a domain/resource/object/whatever-name-for-the-area-under-control. Normally you'd assign a role or roles to a user, then somewhere in your code you ask the ACL system whether the user can do X on Y. Eg $acl -> userAllowed('edit', 'post'). But what about things where a role doesn't really fit, eg a profile. Every user has a profile, and only the user that owns the profile can modify it (or the administrator and optionally some roles). Clearly you can't set a rule like $acl -> allow('registered_users', 'edit', profile). That would many any registered user can edit the profile of any other registered user. Also a rule like $acl -> allow('userID25', 'edit', 'profile25') would't really be practical. Ideally you'd have a rule like $acl -> allow('self', 'edit', 'profile'). But how could that be implemented (in the DB and asking for authorization with userAllowed())? Quote Link to comment Share on other sites More sharing options...
koen Posted November 26, 2007 Author Share Posted November 26, 2007 A possibility is to demand an author for every area under control (auc). Eg: interface auc_interface { function getComponentID() {} function getAuthor() {} } Then the acl can check if the author is the same as the user the acl was created for and if there's a match the 'self' role comes in to play. A rule like $acl -> allow('self', 'profile', 'edit') would then make sense. The only thing that's a bit awkward is to have an author for every auc. Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted November 27, 2007 Share Posted November 27, 2007 I don't think it's practical to use an ACL system for every single possible permission in a system; rather I think ACL is best used for general categories of items. At some point in a complex application, determining if an object can or can not perform a task requires more logic than a yes / no check. At that point you have two options: try and coerce your existing ACL system to do things it wasn't intended ~OR~ conjure up a simple logic language of your own to build into your current system. Option one can become cumbersome if done incorrectly and option two is already supported via regular PHP code. Just my $.02 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.