Yes, in a scenario where User HABTM Role you'd have to iterate through all the roles, but this can be cached once the user logs in. Once the user is logged in, they would have a cached list of areas they have access to. I don't see that as too much of a problem.
I think a system can become extremely more flexible by having roles and groups. A question many people always have when reading those ACL tutorials is... "How do I make it so a user only edits his own post?" or "How do I make it so a user only edits certain posts?" This is where groups would come in. The user would belong to a group, and whatever rights the group has for an object, the user has those rights too.

By also having roles, it also creates a hierarchy of user access rights. John as a "manager" (role) and member of the group "Yellow Team" has the right to create, edit, delete posts AND moderate comments. Bill as a "contributor" (role) and member of the group "Yellow Team" may only have the right to create, edit, and delete posts. If Bill tries to access /posts/moderate_comments/25/, then he will be denied... even if he has access to the resource Post.25.

On Jun 11, 6:01 am, Michał <[email protected]> wrote:
> On 11 Cze, 08:58, CMNAJS <[email protected]> wrote:
>
> > But why do we need roles and groups both? Isn't either of them
> > enough to fulfill the requirement?
> > As we can have users under groups in AROs and assign certain ACOs to a
> > group so that the users of that group have access to those ACOs.
>
> IMO there's one problem with both of these approaches. Having a User
> HABTM Role would require iterating through all Roles the user has to
> determine if the Role has access.
> The User as ARO approach has another problem - you can't have a User
> in multiple Groups, thus you can't have a User be 'Post Admin' _and_,
> say, 'Comment Admin'. You have to either create a separate group 'Post
> and Comment Manager' or assign permissions directly to the user.
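The check discussed in this message (the role decides which action is allowed, the group decides which object, and both are flattened once at login), as an added example that is not part of the original thread and does not use CakePHP's own ACL component. The arrays, function names and sample data are assumptions made for illustration.

```php
<?php
// Added illustration; all names and data below are hypothetical/constructed.

// Role => controller actions the role may invoke.
$roleActions = [
    'manager'     => ['create', 'edit', 'delete', 'moderate_comments'],
    'contributor' => ['create', 'edit', 'delete'],
];

// Group => objects the group has rights on.
$groupObjects = [
    'Yellow Team' => ['Post.25', 'Post.26'],
    'Blue Team'   => ['Post.40'],
];

// Run once at login: flatten the user's roles and groups into two lookup
// sets so later checks never iterate over Role or Group records again.
function buildAccessCache(array $user, array $roleActions, array $groupObjects): array
{
    $cache = ['actions' => [], 'objects' => []];
    foreach ($user['roles'] as $role) {
        foreach ($roleActions[$role] ?? [] as $action) {
            $cache['actions'][$action] = true;
        }
    }
    foreach ($user['groups'] as $group) {
        foreach ($groupObjects[$group] ?? [] as $object) {
            $cache['objects'][$object] = true;
        }
    }
    return $cache;
}

// Deny by default: the role check (action) and the group check (object)
// must both pass.
function isAllowed(array $cache, string $action, string $object): bool
{
    return isset($cache['actions'][$action]) && isset($cache['objects'][$object]);
}

$john = ['roles' => ['manager'], 'groups' => ['Yellow Team']];
$bill = ['roles' => ['contributor'], 'groups' => ['Yellow Team']];
$johnCache = buildAccessCache($john, $roleActions, $groupObjects); // would be stored in the session
$billCache = buildAccessCache($bill, $roleActions, $groupObjects);

var_dump(isAllowed($johnCache, 'moderate_comments', 'Post.25')); // John: manager in Yellow Team
var_dump(isAllowed($billCache, 'moderate_comments', 'Post.25')); // Bill: role lacks the action
var_dump(isAllowed($billCache, 'edit', 'Post.25'));              // Bill: role and group both match
var_dump(isAllowed($billCache, 'edit', 'Post.40'));              // Bill: object belongs to another group
```

A cache built at login has to be rebuilt or invalidated when the user's roles or groups change; otherwise a revoked right stays usable until the session ends.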
