For a while now, I've been working on a project which, when it comes to the ACL part, have really been causing me some headache.
The application is modular and is meant to be easily extensible and the ACL is supposed to be highly customizable. The varies modules varies a lot which means that implementing some static roles in my ACL such as the generic: guest, user, moderator, admin etc. I don't want to bore you with to many details about the system, but the way that I've ended up structuring it, is that each module implements their own resources and permissions into the ACL which is stored in the database. Each module has a manifest file containing these information which will be loaded into the database when registering the module with the application.
>From there on, it's up to an administrative user to define the roles for this module and their permission on given resources.
So the scheme looks somewhat like this: A module implements an array of resources which implements a number of unique permissions. Then a number of roles are registered to the module which are granted some or all of the permissions to the modules' resources. Each user in the system can then be associated with a number of these groups in order to inherit the permissions assigned to that role.
The way I check the ACL is very much inspired by the articles which Matthew wrote up a while ago (http://weierophinney.net/matthew/archives/201-Applying-ACLs-to-Models.html).
My problem arises when I'm thinking about the ACL layout for a larger module which is going to be developed keeping track of customers, contracts, timesheets etc.
Say we have a concept of a "normal user" which have read access to all 3 of the resources mentioned above. We then have a "customer manager" role which have full access to the customer resource and another role "contract manager" which have full access to the contract resource. Ok, so the way that "roles" work in the system is to encapsulate permission to resources for a specific module. The thought was then, that each user can have numerous roles. Say we have a user who is to have the "customer manager" role along with the "contract manager" role thus having full permission to both of the resources. I've been googling around and hanging out on IRC regarding the question of a user having multiple roles but I haven't found a solution.
Therefore, I'm putting my trust into you guys for some good advice - regarding the multiple role issue but also regarding my setup in general.
Any feedback is much appreciated.
Kind regards
Christian Rasmussen
没有评论:
发表评论