>
> Hi all,
>
> I'm developing an app that will allow administrative users to control ACL
> from a page within the app. My strategy is to store all info in the DB
> and then build the ACL in the bootstrap (it will be cached after initial
> creation and flushed on modification). I'd like to allow fine grained
> access to modules/controllers/actions and wanted to see if anyone had any
> suggestions or had already created something like this and would be
> willing to share.
>
> Currently, I have set things up roughly like:
>
> table user
> id
> role_id
>
> table role
> id
> name
>
> table right
> id
> module
> controller
> action
>
> table roles_rights
> role_id
> right_id
>
> However, based on the way resources are created (name, privileges), I'm
> thinking that I may have to rethink things. I'm thinking that maybe
> storing the module name is not needed because using the request object I
> can get the module and controller names and set them in the form of
> module-controller. So, if I had a module named Core with a controller
> named Core_IndexController and an action named indexAction, I could just
> store a row in the rights table as (id, 'module-controller', 'action').
> This would work, but I'd love to be able to grant roles access to modules
> in one shot - something along the lines of Resource('module') -
> allow('role', 'module'). It would also be nice to easily allow access to
> controllers in one shot - something along the lines of Resource('module')
> - allow('role', 'module', array('controller')).
>
> Perhaps the best way would be to go with the following schema and simply
> set up the logic of my app to insert all necessary rows into the rights
> table for me (so I could just check one select box in the UI that would
> grant access to all controllers/actions in a module or actions in a
> controller):
>
> table rights
> id
> controller
> action
>
> Any suggestions? I apologize if this post is worded in a confusing
> manner.
>
> Thanks.
>
You are definitely on the right track.
ACLs are just so flexible that it depends on how simple or complex you need
them to be. Either of your solutions would work depending on your
requirements. My suggestion would be to identify your requirements for the
immediate and near future to determine how configurable you need your ACLs
to be, and design/implement towards that. For many projects you just don't
need all of its hierarchy and inheritance of roles.
Here are some ZF resources I used when developing my own ACL/DB solution:
*) Matthew's Bugapp source code:
http://github.com/weierophinney/bugapp/tree/master
*) Jason Eisen's Security Module:
http://oss.jasoneisen.com/2008/10/14/security-module-screencast/
*) DigitalusCMS source code: http://digitaluscms.com/
As an aside, creating your own custom ACL/DB solution is one of the best
ways to really learn the ins and outs of the Zend Framework (in my opinion)
- from the server-side implementation of the authorization and
authentication processes, to the user/role/permissions management
client-side UIs.
--
View this message in context: http://www.nabble.com/Zend_Acl-and-a-database-tp20555831p20568092.html
Sent from the Zend Auth mailing list archive at Nabble.com.
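One way to build the ACL the original poster describes (module as a parent resource, module-controller as a child resource, action as the privilege) so that a single row can grant a whole module or a whole controller, as an added example that is not part of the thread or any of the linked projects. It assumes the ZF1 autoloader is available, uses constructed rows in place of real SELECT results, and adopts the hypothetical convention that a NULL controller means "the whole module" and a NULL action means "every action on that controller":

```php
<?php
// Added example, not code from the thread. Requires Zend Framework 1.x on the
// include path; the autoloader call is an assumption about the bootstrap.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed sample rows standing in for the user/role/right tables.
$roles = array(
    array('id' => 1, 'name' => 'guest'),
    array('id' => 2, 'name' => 'editor'),
    array('id' => 3, 'name' => 'admin'),
);
// Hypothetical convention: NULL controller = whole module, NULL action = whole controller.
$rights = array(
    array('id' => 1, 'module' => 'core',  'controller' => 'index', 'action' => 'index'),
    array('id' => 2, 'module' => 'core',  'controller' => 'index', 'action' => null),
    array('id' => 3, 'module' => 'admin', 'controller' => null,    'action' => null),
    array('id' => 4, 'module' => 'admin', 'controller' => 'user',  'action' => 'delete'),
);
$rolesRights = array(
    array('role_id' => 1, 'right_id' => 1), // guest:  core-index::index only
    array('role_id' => 2, 'right_id' => 2), // editor: every action on core-index
    array('role_id' => 3, 'right_id' => 3), // admin:  everything in the admin module
);

// Builds a Zend_Acl from the three row sets. Zend_Acl denies by default, so only
// rows in roles_rights open anything up.
function buildAcl(array $roles, array $rights, array $rolesRights)
{
    $acl = new Zend_Acl();
    $roleNames = array();
    foreach ($roles as $role) {
        $roleNames[$role['id']] = $role['name'];
        $acl->addRole(new Zend_Acl_Role($role['name']));
    }

    // Register each module as a resource and each module-controller as its child.
    // A rule on the parent resource applies to every child, which is what lets one
    // right row grant a whole module.
    $rightById = array();
    foreach ($rights as $right) {
        $module = strtolower($right['module']);
        if (!$acl->has($module)) {
            $acl->addResource(new Zend_Acl_Resource($module));
        }
        $resource = $module;
        if ($right['controller'] !== null) {
            $resource = $module . '-' . strtolower($right['controller']);
            if (!$acl->has($resource)) {
                $acl->addResource(new Zend_Acl_Resource($resource), $module);
            }
        }
        $rightById[$right['id']] = array($resource, $right['action']);
    }

    foreach ($rolesRights as $rr) {
        list($resource, $action) = $rightById[$rr['right_id']];
        // A null privilege means "all privileges" on that resource and its children.
        $acl->allow($roleNames[$rr['role_id']], $resource, $action);
    }
    return $acl;
}

// What a front controller plugin would ask on each request. isAllowed() throws on an
// unknown resource, so a controller with no rights row falls back to its module, and
// an unknown module is denied outright rather than raising an exception.
function isRequestAllowed(Zend_Acl $acl, $role, $module, $controller, $action)
{
    $module   = strtolower($module);
    $resource = $module . '-' . strtolower($controller);
    if (!$acl->has($resource)) {
        if (!$acl->has($module)) {
            return false;
        }
        $resource = $module;
    }
    return $acl->isAllowed($role, $resource, strtolower($action));
}

$acl = buildAcl($roles, $rights, $rolesRights);

var_dump(isRequestAllowed($acl, 'guest',  'core',  'index', 'index'));  // bool(true)
var_dump(isRequestAllowed($acl, 'guest',  'core',  'index', 'list'));   // bool(false)
var_dump(isRequestAllowed($acl, 'editor', 'core',  'index', 'list'));   // bool(true)
var_dump(isRequestAllowed($acl, 'admin',  'admin', 'user',  'delete')); // bool(true) via module grant
var_dump(isRequestAllowed($acl, 'editor', 'admin', 'user',  'delete')); // bool(false)
var_dump(isRequestAllowed($acl, 'admin',  'blog',  'post',  'edit'));   // bool(false), module unknown
```

The built object serializes cleanly, so the "cache after initial creation, flush on modification" plan from the question maps onto storing the whole Zend_Acl in Zend_Cache and removing that cache entry whenever the admin UI writes to roles_rights. Keep the fall-back to the module resource deliberate: if you would rather that a controller with no rights row be denied even when its module is granted, drop that branch and return false instead.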