What should be the resources in the ACL? Object models or object instances?

Please help me implement access control lists for my PHP web application. I use Zend_ACL specifically.

I want fine-grained, widely used control over which specific object (whether a user or a group) has access to which resource. I would like to be able to provide access to a specific instance of a resource, as well as to all resources of this type. For instance:

  • User #1 has the right to edit all posts
  • User #2 is a guest editor and has the right to edit only post #5
  • Group #1 (guest) has read rights on everything
  • Users belong to a user group that inherits from guest.

My question is this: should ACL resources refer to resource types or to specific instances? Should I grant users basic, resource-type privileges using ACLs, for example:

  • grant edit to user #1 on posts
  • grant user #2 nothing beyond what is inherited
  • grant group #1 read on all resources
  • implement an exception table to track grants and denies on specific resources.

Or do I need to create resources for every separate instance of my different resource types and then go through granting every user read on every resource? Seems pretty crude.

My current solution is this: using resource inheritance, create a typeless root resource as the parent of everything, a child of this root for each type, and then a child of each type for each instance. This allows me to allow on a specific type and deny on several instances, or deny on a certain type but allow on one instance (for example, for user #2 above). This handles my permission system well so far, but my needs are more complex. Soon, resource types will be nested. So I will have different modules that can be parents or children. Example: a photo gallery module on a site, and an ad module with another, more exclusive gallery below it. I am not quite sure what to do to solve this problem. Anyway, I would like to be able to grant on all galleries, or just one, or just a few photos below it. Keep in mind that Zend_ACL does not support multiple resource inheritance.

What is the best way to implement this? Is it all with ACLs or with some logic built into each module?

2 answers

I just answered SO995925: How should I structure my resource tree in an ACL?, and the advice that I have for you is the same.

All of this is in your head: "Ad Galleries" is a child resource of "Photo Galleries". Parent generic Gallery #1 under "Photo Galleries", and parent the "Ad Gallery" under "Ad Galleries". You can always add another step of parent resource to your chain if you need to split the tree again.

Still a simple tree inheritance chain.

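The root → type → instance tree the question describes, with the nested gallery branch the answer above suggests, as an added example in Zend Framework 1's `Zend_Acl` (example code, not from the question or either answer; the resource and role names, and the `type:id` naming convention, are assumptions):

```php
<?php
// Added example: Zend_Acl (ZF1) resource tree with type-level and instance-level grants.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$acl = new Zend_Acl();

// Roles: the guest group, a users group inheriting guest, individual users inheriting users.
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('users'), 'guest');
$acl->addRole(new Zend_Acl_Role('user1'), 'users');
$acl->addRole(new Zend_Acl_Role('user2'), 'users');

// Resources: one typeless root, one child per type, one grandchild per instance.
// Naming is an assumption here: "type" for the type node, "type:id" for an instance.
$acl->addResource(new Zend_Acl_Resource('root'));
$acl->addResource(new Zend_Acl_Resource('post'), 'root');
$acl->addResource(new Zend_Acl_Resource('post:5'), 'post');
$acl->addResource(new Zend_Acl_Resource('post:6'), 'post');

// Nested modules become deeper branches rather than multiple parents:
// the ad module's own gallery hangs under "ad", not under "gallery".
$acl->addResource(new Zend_Acl_Resource('gallery'), 'root');
$acl->addResource(new Zend_Acl_Resource('gallery:1'), 'gallery');
$acl->addResource(new Zend_Acl_Resource('gallery:1/photo:7'), 'gallery:1');
$acl->addResource(new Zend_Acl_Resource('ad'), 'root');
$acl->addResource(new Zend_Acl_Resource('ad:gallery'), 'ad');
$acl->addResource(new Zend_Acl_Resource('ad:gallery/photo:9'), 'ad:gallery');

// Zend_Acl denies by default; every grant below is inherited down the resource tree.
$acl->allow('guest', 'root', 'read');     // group-wide read on everything
$acl->allow('user1', 'post', 'edit');     // type-level grant: all posts, present and future
$acl->allow('user2', 'post:5', 'edit');   // instance-level grant: this one post only
$acl->deny('guest', 'ad:gallery', 'read'); // the "more exclusive" gallery: closed to guests
$acl->allow('users', 'ad:gallery', 'read'); // but re-opened for logged-in users

// Each check walks up the resource tree and across the role inheritance chain
// until it finds the most specific matching rule.
$checks = array(
    array('user1', 'post:6', 'edit'),             // via type-level grant on "post"
    array('user2', 'post:5', 'edit'),             // via instance-level grant
    array('user2', 'post:6', 'edit'),             // no grant on post:6 or any ancestor
    array('user2', 'post:6', 'read'),             // via users -> guest read on root
    array('guest', 'gallery:1/photo:7', 'read'),  // photo inherits from gallery:1 -> root
    array('guest', 'ad:gallery/photo:9', 'read'), // photo inherits the guest deny on ad:gallery
    array('user2', 'ad:gallery/photo:9', 'read'), // users role has its own allow on ad:gallery
);
foreach ($checks as $c) {
    printf("%-6s %-6s %-22s %s\n", $c[0], $c[2], $c[1],
        $acl->isAllowed($c[0], $c[1], $c[2]) ? 'allowed' : 'denied');
}
```

The tree only needs one parent per node, so the single-inheritance limit of Zend_Acl is not hit; an object that genuinely belongs to two modules has to be placed under one of them and the other module's rule repeated.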

Your solution plan is the way most systems work, I thought. The Windows file system does just that. The very first ACL I have ever used in DCE worked just like that.

Inheritance is what you need to find out. Do you inherit dynamically or at the time the resource is created?


Source: https://habr.com/ru/post/1286226/


All Articles