So you check whether the resource is listed in the ACL, but it's not, because the role the user is assigned does not have access to the resource and in the ACL, resources are white-listed.
So, either you have to have all resources that actually exist and all roles and all access rights (whether white or black) at hand when the plugin or an action method needs to access it, which on one hand can become either a tedious process (adding all resources manually), or less tedious up to elegant through the use of a cached and database driven ACL management, and DirectoryIterator and ReflectionClass instances to scan for modules, controllers and actions, which while thinking of it, is actually quite nice.

But still, for the heck of whatever argument may come into place when thinking of optimization, I thought it would make sense to load only the ACL for the current role (as you may have lots of them, and lots of resources) and check whether the resource exists for any other role that might be granted access to that resource via the same means by which the resource was attempted to be accessed (e.g., a resource might exist, but authentication would only be processed when a certain API request is made, but not when a user is surfing your site, so instead of prompting for authentication, you want something different rendered). Does this seem weird? Should one load all resources and roles and access rights?
Best regards,
Andreas
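The design the post describes, worked through as an added example (this is not Andreas's code and not any framework's API; the post's setting is PHP, but the idea is language-neutral, so it is shown in Python). It keeps whitelist semantics, loads only the current role's rules (with a hypothetical parent-role inheritance model) for the normal check, and falls back to a cross-role scan only when the role was denied, purely to tell "resource unknown to the ACL" apart from "resource known, role not granted". All roles, resources and rules are constructed sample data.

```python
"""Added example: per-role ACL loading with a cross-role existence check.
Whitelist semantics throughout: anything not granted is denied, and the
cross-role lookup only changes what gets rendered, never the access outcome."""
from __future__ import annotations

from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"                  # resource is known, this role has no grant
    UNKNOWN_RESOURCE = "unknown"   # no role anywhere lists the resource


# Constructed ACL store (hypothetical): role -> parent role, and
# role -> {resource: privileges}. Nothing listed here means "denied".
ROLE_PARENTS = {"guest": None, "member": "guest", "admin": "member"}
ROLE_RULES = {
    "guest":  {"blog.index": {"read"}},
    "member": {"blog.comment": {"create"}, "profile": {"read", "update"}},
    "admin":  {"blog.post": {"create", "delete"}},
}


def role_chain(role: str) -> list[str]:
    """Return the role and its ancestors, nearest first."""
    chain: list[str] = []
    current: str | None = role
    while current is not None:
        if current not in ROLE_PARENTS:
            raise KeyError(f"unknown role {current!r}")
        chain.append(current)
        current = ROLE_PARENTS[current]
    return chain


def load_rules_for_role(role: str) -> dict[str, set[str]]:
    """Load only what one role needs: its own rules plus inherited ones.
    This is the 'load only the ACL for the current role' path from the post."""
    merged: dict[str, set[str]] = {}
    for r in reversed(role_chain(role)):          # parents first, child adds on top
        for resource, privs in ROLE_RULES.get(r, {}).items():
            merged.setdefault(resource, set()).update(privs)
    return merged


def resource_known_to_any_role(resource: str) -> bool:
    """Cross-role check: does any role's rule set mention this resource?
    Touches every role, but only for a single resource, and only on the deny path."""
    return any(resource in rules for rules in ROLE_RULES.values())


def check(role: str, resource: str, privilege: str) -> Decision:
    """Decide access for one role; distinguish unknown resources on the deny path."""
    rules = load_rules_for_role(role)
    if privilege in rules.get(resource, set()):
        return Decision.ALLOW
    # Denied for this role. Only now pay for the cross-role lookup, and only to
    # pick a rendering; both remaining branches still refuse the request.
    if resource_known_to_any_role(resource):
        return Decision.DENY
    return Decision.UNKNOWN_RESOURCE


def respond(role: str, resource: str, privilege: str, is_api_request: bool) -> int:
    """Map the decision to an HTTP status: API callers that are denied get an
    authentication challenge, browsing users get a plain forbidden page, and a
    resource no role knows about is treated as not found."""
    decision = check(role, resource, privilege)
    if decision is Decision.ALLOW:
        return 200
    if decision is Decision.UNKNOWN_RESOURCE:
        return 404
    return 401 if is_api_request else 403


if __name__ == "__main__":
    for role, resource, priv, api in [
        ("guest", "blog.index", "read", False),
        ("guest", "profile", "read", True),
        ("guest", "profile", "read", False),
        ("member", "does.not.exist", "read", False),
    ]:
        print(role, resource, priv, "api" if api else "browser", "->",
              check(role, resource, priv).value, respond(role, resource, priv, api))
```

The scan in `resource_known_to_any_role` is the cheap-to-write version of the post's idea; if the number of roles grows, the same distinction comes for free from a separate registry of known resources (the list a DirectoryIterator/ReflectionClass scan of modules, controllers and actions would produce), which can be cached on its own and consulted without loading any other role's rules.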