Hi,
chillu wrote:
> so, restricting user-access on per-item basis would require storing an
> ACO for each user<->item-connection, right?
No. You need an ACO for each item, in order to make sure you can set up
any rules for it. If you have more items with the same permissions, you
can also put them in a group (in CakePHP's ACL-speak you set up a
"parent" for them) to make it easier to assign rules for a lot of
objects.
The same goes with your ARO organisation. If you can put your users
into a few groups (AKA "parents"), you could just set up an ACL rule to
allow e.g. "read" and "update" for this group and all members inherit
these permissions.
Now that you have modeled the objects you're dealing with, you still need to
set up the rules. Usually this would be some kind of role-based
authorization scheme you set up once for the app, with settings like
`$my_acl->allow("userobject or -group", "item or -group", "update")`.
The benefit of this approach is that you just need one ACO for each
item and one ARO for each user and still can define as many rules as
you want. You could allow a group of users to access a group of items,
and you can still deny these permissions to single group members (and
the other way round).
Have a look at <http://manual.cakephp.org/chapter/12>, especially
section 3. That describes it with actual CakePHP terminology.
> that's a lot of data/queries... :/
Yes. And it's also something you'll have to take care of when you
design your controllers. You can set up model associations using
additional database columns (e.g. you can set up a `user_id` for the
ARO table and have a "hasOne ARO" relation in your user model), but you
can't have that the other way round, as the ACL model is some internal
part of CakePHP - maybe you can work around that with the bindModel()
functionality mentioned here <http://rd11.com/posts/view/19>.
Regards,
Dominik.
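
The group-plus-exception scheme described in the message above, as an added example that is not part of the original post and does not use CakePHP's ACL classes. The class `TinyAcl`, its resolution order (most specific ARO first, then most specific ACO, default deny) and all node names are assumptions made for illustration.

```php
<?php
// Toy ACL added for illustration; not CakePHP's implementation.
// Assumption: the rule on the most specific ARO (then ACO) wins; default is deny.
class TinyAcl
{
    private $parent = ['aro' => [], 'aco' => []]; // node name => parent name or null
    private $rules = [];                          // "aro|aco|action" => true/false

    public function addNode($type, $name, $parent = null) { $this->parent[$type][$name] = $parent; }
    public function allow($aro, $aco, $action) { $this->rules["$aro|$aco|$action"] = true; }
    public function deny($aro, $aco, $action)  { $this->rules["$aro|$aco|$action"] = false; }

    // Node followed by its ancestors, most specific first.
    private function path($type, $name)
    {
        for ($path = []; $name !== null; $name = $this->parent[$type][$name] ?? null) {
            $path[] = $name;
        }
        return $path;
    }

    public function check($aro, $aco, $action)
    {
        foreach ($this->path('aro', $aro) as $r) {
            foreach ($this->path('aco', $aco) as $c) {
                $key = "$r|$c|$action";
                if (isset($this->rules[$key])) {
                    return $this->rules[$key];
                }
            }
        }
        return false; // no rule on either path: deny
    }
}

$acl = new TinyAcl();
$acl->addNode('aro', 'editors');               // user group ("parent")
$acl->addNode('aro', 'alice', 'editors');
$acl->addNode('aro', 'bob', 'editors');
$acl->addNode('aco', 'articles');              // item group ("parent")
$acl->addNode('aco', 'article-2', 'articles');

$acl->allow('editors', 'articles', 'update');  // one rule for all members and items
$acl->deny('bob', 'article-2', 'update');      // exception for a single group member

var_dump($acl->check('alice', 'article-2', 'update')); // decided by the group rule
var_dump($acl->check('bob', 'articles', 'update'));    // decided by the group rule
var_dump($acl->check('bob', 'article-2', 'update'));   // decided by bob's own rule
var_dump($acl->check('alice', 'article-2', 'delete')); // no rule for this action
```

There is still only one ARO per user and one ACO per item; the per-user exception is a single extra rule, not an extra object.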