How should I structure my resource tree in an ACL?

Using PHP and Zend_ACL, I want to create an extremely flexible permission system. I want to be able to assign permissions to all objects of a certain type, as well as instances of these objects. If you are requesting a specific instance of an object and it does not exist in the resource tree, you can use a set of permissions for the "shared" object. My problem is that it needs to be nested, and I cannot figure out how to do this without multiple inheritance, which Zend_ACL does not support.

An example is this. An online learning site with faculties, courses, and events. Each event relates to a course, and each course is for teachers. I would like to be able to allow each role of the faculty access to all courses (and events by inheritance), but a particular teacher wants their material to be private. Therefore, I force the structure of my resource tree to have a node resource for each teacher and have each course related to this faculty branch from the faculty node instead of branching out from the general course node, which gives each course default permissions. With the new structure, how can I apply the general course permissions? The same goes for events below the courses: if I want each event to be read-only if the parent course is readable, but I also want to apply the default permission set for each event, how can I arrange the tree so that each event inherits from both its parent and its common node without multiple inheritance?

Any questions or comments or suggestions for another system are welcome.

+4
2 answers

Your multiple inheritance problem is in your head - unless, of course, a course can be in several faculties, etc. Create an additional "parent resource" that can change the ACL from the base "course".

You do not want the course to directly inherit the authority of the faculty; you probably want someone to edit courses for this faculty (a TA or something else) - but not the faculty itself, right?

> Faculties, courses and events. Each event belongs to the course, and each course to the faculty.

    Parent  -> middleman       -> child
    Courses -> Courses:Faculty2 -> Courses:Faculty2:Course1
    Events  -> Events:Course1   -> Events:Course1:Event3

etc.

This will give you groups of courses by faculty, but they still inherit the default permissions for the course. When you add each resource, just make your group resource its parent, and make the shared resource the parent of the group resource.

If you want all events for a particular course to be hidden, you simply set the permission on Events:Course#.

If you want to set permissions for all the events of a faculty, you can simply add another intermediary parent above Events:Course1, which also groups events by faculty: Events:Faculty2:Course1:Event3

I have found that for a permission system, 9 times out of 10 you do not need (or want the confusion of) multiple inheritance. If your access control is more complex than a simple tree, you should reevaluate your access control.

+2
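The intermediary-node layout from the answer above, as an added Zend Framework 1 example that is not part of the original answer. It assumes Zend_Acl is on the include path; the role names (`faculty`, `teacher2`) and resource ids are constructed for illustration. Rules placed on the per-faculty node override the shared defaults because Zend_Acl walks from the specific resource up to the root and stops at the first matching rule.

```php
<?php
// Added example: requires Zend Framework 1 (Zend_Acl) on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$acl = new Zend_Acl();

// Roles: any faculty member, and one teacher who inherits from "faculty".
$acl->addRole(new Zend_Acl_Role('faculty'));
$acl->addRole(new Zend_Acl_Role('teacher2'), 'faculty');

// Resource tree: shared node -> per-faculty intermediary -> specific course.
$acl->addResource(new Zend_Acl_Resource('courses'));
$acl->addResource(new Zend_Acl_Resource('courses:faculty2'), 'courses');
$acl->addResource(new Zend_Acl_Resource('courses:faculty2:course1'), 'courses:faculty2');
// Same shape for events, grouped under their course.
$acl->addResource(new Zend_Acl_Resource('events'));
$acl->addResource(new Zend_Acl_Resource('events:course1'), 'events');
$acl->addResource(new Zend_Acl_Resource('events:course1:event3'), 'events:course1');

// Default permissions live on the shared nodes: every faculty member may view.
$acl->allow('faculty', 'courses', 'view');
$acl->allow('faculty', 'events', 'view');

// Teacher 2 keeps their material private: the intermediary node overrides the
// shared default for the generic role and grants it back only to the owner.
$acl->deny('faculty', 'courses:faculty2', 'view');
$acl->allow('teacher2', 'courses:faculty2', 'view');
$acl->deny('faculty', 'events:course1', 'view');
$acl->allow('teacher2', 'events:course1', 'view');

// A course with no intermediary node of its own falls back to the shared defaults.
$acl->addResource(new Zend_Acl_Resource('courses:faculty3:course9'), 'courses');

$checks = array(
    array('faculty',  'courses:faculty3:course9', 'view'), // shared default applies
    array('faculty',  'courses:faculty2:course1', 'view'), // denied at the faculty2 node
    array('teacher2', 'courses:faculty2:course1', 'view'), // re-granted to the owner
    array('faculty',  'events:course1:event3',    'view'), // hidden together with the course
    array('teacher2', 'events:course1:event3',    'view'), // owner still sees the event
);
foreach ($checks as $c) {
    list($role, $resource, $privilege) = $c;
    printf("%-9s %-26s %s\n", $role, $resource,
        $acl->isAllowed($role, $resource, $privilege) ? 'allowed' : 'denied');
}
```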

Zend ACL is extremely flexible. Permissions from a child overwrite inherited permissions from parent resources. Even if I don't fully get your example, I think the Zend ACL model supports your design. You can access certain resources for certain roles without any problems.

However, you may also want to read about assertions, which give you extra freedom.

0

Source: https://habr.com/ru/post/1286224/
