I honestly don't know why I didn't think of that. I guess I was too focused on the concrete roles which existed in the database.
From what I understand from your reply, you create a "virtual role" when creating the ACL for a given user. This virtual role then inherits from all the roles which the user is registered to, thus effectively ending up with a user with multiple roles. Thank you a lot for your feedback. Your input was just what I needed to get some progress.
--
Best Regards
Christian Rasmussen
________________________________________
Fra: Sergii Syrota [serg.syrota@gmail.com]
Sendt: 6. februar 2010 17:44
Til: Christian Aarø Rasmussen
Cc: fw-auth@lists.zend.com
Emne: Re: [fw-auth] ACL and multiple roles
Not sure if the approach we took in our implementation is the right one... But it worked for us =)
Zend ACL allows you to create a role that inherits from multiple other roles. So we use that feature to create "Current User" role (on the init stage of the ACL) that inherits all roles that user has, according to active directory group membership. Then user is assigned that one role, and gains access to all resources allowed in parent roles.
Hope that helps...
--
Best Regards,
Sergey Syrota
On Wed, Feb 3, 2010 at 5:20 PM, Christian Aarø Rasmussen <Christian.Rasmussen@capana.com> wrote:
Hi fellow ZF'ers,
For a while now, I've been working on a project which, when it comes to the ACL part, has really been causing me some headache.
The application is modular and is meant to be easily extensible, and the ACL is supposed to be highly customizable. The various modules vary a lot, which means that implementing some static roles in my ACL such as the generic: guest, user, moderator, admin etc. I don't want to bore you with too many details about the system, but the way that I've ended up structuring it is that each module implements its own resources and permissions into the ACL, which is stored in the database. Each module has a manifest file containing this information, which will be loaded into the database when registering the module with the application.
From there on, it's up to an administrative user to define the roles for this module and their permissions on given resources.
So the scheme looks somewhat like this: A module implements an array of resources which implements a number of unique permissions. Then a number of roles are registered to the module which are granted some or all of the permissions to the modules' resources. Each user in the system can then be associated with a number of these groups in order to inherit the permissions assigned to that role.
The way I check the ACL is very much inspired by the articles which Matthew wrote up a while ago (http://weierophinney.net/matthew/archives/201-Applying-ACLs-to-Models.html).
My problem arises when I'm thinking about the ACL layout for a larger module which is going to be developed keeping track of customers, contracts, timesheets etc.
Say we have a concept of a "normal user" which has read access to all 3 of the resources mentioned above. We then have a "customer manager" role which has full access to the customer resource and another role "contract manager" which has full access to the contract resource. Ok, so the way that "roles" work in the system is to encapsulate permission to resources for a specific module. The thought was then that each user can have numerous roles. Say we have a user who is to have the "customer manager" role along with the "contract manager" role, thus having full permission to both of the resources. I've been googling around and hanging out on IRC regarding the question of a user having multiple roles, but I haven't found a solution.
Therefore, I'm putting my trust into you guys for some good advice - regarding the multiple role issue but also regarding my setup in general.
Any feedback is much appreciated.
Kind regards
Christian Rasmussen
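The "virtual role" approach Sergii describes, applied to the customer/contract/timesheet module Christian sketches, as an added example written for this page (not code from either poster). It uses ZF1's Zend_Acl; the resource and role names, the user id and the helper registerCurrentUserRole() are assumptions made up for the illustration, and the parent roles are assumed to already exist in the ACL.

```php
<?php
// Added example: one per-user role that inherits from every role the user holds,
// so a single isAllowed() query covers all of them. Default policy is deny.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$acl = new Zend_Acl();

// Resources of the example module (constructed names).
foreach (array('customer', 'contract', 'timesheet') as $res) {
    $acl->addResource(new Zend_Acl_Resource($res));
}

// Module roles: a base role with read everywhere, two managers that extend it.
$acl->addRole(new Zend_Acl_Role('normal_user'));
$acl->allow('normal_user', null, 'read');            // 'read' on every resource

$acl->addRole(new Zend_Acl_Role('customer_manager'), 'normal_user');
$acl->allow('customer_manager', 'customer');         // every privilege on customer

$acl->addRole(new Zend_Acl_Role('contract_manager'), 'normal_user');
$acl->allow('contract_manager', 'contract');         // every privilege on contract

/**
 * Register a one-off role for the authenticated user (hypothetical helper) that
 * inherits from all roles the user is a member of, e.g. from directory groups.
 * Returns the role name to pass to isAllowed(). Idempotent per request.
 */
function registerCurrentUserRole(Zend_Acl $acl, $userId, array $memberOf)
{
    $name = 'user:' . $userId;   // namespaced so it cannot collide with module roles
    if (!$acl->hasRole($name)) {
        // Zend_Acl accepts an array of parents: this is the multi-role inheritance.
        $acl->addRole(new Zend_Acl_Role($name), $memberOf);
    }
    return $name;
}

// Constructed sample user who is both a customer manager and a contract manager.
$me = registerCurrentUserRole($acl, 42, array('customer_manager', 'contract_manager'));

// Full rights on both managed resources, read elsewhere, and nothing that no
// parent role was granted (delete on timesheet stays denied).
var_dump($acl->isAllowed($me, 'customer', 'delete'));
var_dump($acl->isAllowed($me, 'contract', 'update'));
var_dump($acl->isAllowed($me, 'timesheet', 'read'));
var_dump($acl->isAllowed($me, 'timesheet', 'delete'));
```

Because the ACL is rebuilt per request from the stored module roles, the virtual role only ever exists in memory and never needs to be persisted alongside the database-defined roles.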