Nicolai Scheer wrote:
Hi!
Just started to explore the possibilities of Zend_Acl.
Assume I use the following role structure:
team-north
|
|- team-a
|  |- subteam-1a
|  |- subteam-2a
|  \- subteam-3a
|
|- team-b
|  |- subteam-1b
|  |- subteam-2b
|  \- subteam-3b
and the following resources:
pages
|- page1
|- page2
\- page3
Each user gets a subteam role to make him a member of a team.
Zend_Acl inheritance functionality makes it easy to authorize a whole
team for, say, viewing of page1 by just defining a rule like
allow( team-a, page1, view )
Let's assume there are a few such rules, defining what the whole team
is able to do. Furthermore there are some rules like
allow( subteam-1a, page1, special-privilege )
so that subteams own very specialized rights to do certain things.
My question is: How can I introduce team-leaders?
Those people should aggregate the rights of all team members.
First, such a teamleader is given the role team-a, so that he has all
the rights that are assigned to the whole team. But what about those
fine grained special rights the subteams are given on the lower levels
of the tree? Inheritance goes the other direction, so he is not given
those subteam privileges that way.
Of course I could introduce a new team-leader-role that explicitly
inherits from all subteam roles. Thing is, I do not want to do this
explicitly, I want something like "inverse inheritance" so to speak.
To sum up:
I'd like to put rights on a team, such that all team members own that
right, and I'd like to have team leaders who sum up the rights from
subteams and team members...
Any ideas?
thanks in advance,
Nico
Hi Nico,
There are at least three ways I think you may be able to accomplish this:
1) You already mentioned that you can add the team leader role as
inheriting from the team role, its subteam roles, and possibly the team
member roles (if specific privileges are granted to members). This is a
reasonable way to get what you need with the currently available
Zend_Acl. What would "inverse inheritance" (composition/aggregation?)
look like? Maybe something like the following?
$acl->aggregateRulesByRole('team-a-leader', 'team-a');
The intent of the above is to make the role identified by
'team-a-leader' automatically have privileges aggregated from
'team-a' and any of its descendant roles (e.g., 'subteam-1a').
Personally, I think this would be a nice simplification to have with
Zend_Acl for such use cases.
2) You can also directly grant the same privileges to the team leader as
are granted to the team and its subteams. This seems like a violation of
DRY, unless you were to, for example, extend Zend_Acl (as with an
implementation of the above) such that it understands the relationships
of team leader roles to their corresponding team and subteam (and
member) roles and automatically grants the appropriate privileges to the
team leader.
3) Your use case may support the ability to grant team leaders all
privileges on certain resources:
allow('team-a-leader', 'page1');
This could result, however, in 'team-a-leader' having more privileges on
'page1' than it should have, depending on other aspects of your application.
There may likely be other ways to do this, too; maybe our esteemed
community has more ideas?
Best regards,
Darby
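
Options 1 and 3 from the reply, side by side, as an added example that is not part of the original thread and not Zend Framework's own code. It assumes Zend Framework 1 is on the include path; the helper teamAndDescendants(), the role 'team-a-leader-all' and the privilege 'delete' are hypothetical names made up here to show that option 3 also grants a privilege that no team rule grants.

```php
<?php
// Assumption: Zend Framework 1 is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Part of the role tree from the question, as child => parent (parents first).
$parentOf = array(
    'team-north' => null,
    'team-a'     => 'team-north',
    'subteam-1a' => 'team-a',
    'subteam-2a' => 'team-a',
    'subteam-3a' => 'team-a',
);

$acl = new Zend_Acl();
foreach ($parentOf as $role => $parent) {
    $acl->addRole(new Zend_Acl_Role($role), $parent);
}
$acl->add(new Zend_Acl_Resource('pages'));
$acl->add(new Zend_Acl_Resource('page1'), 'pages');

// The two example rules from the question.
$acl->allow('team-a', 'page1', 'view');
$acl->allow('subteam-1a', 'page1', 'special-privilege');

// Hypothetical helper: returns $teamId plus every role below it in $parentOf.
function teamAndDescendants(array $parentOf, $teamId)
{
    $found = array($teamId);
    for ($i = 0; $i < count($found); $i++) {
        foreach ($parentOf as $role => $parent) {
            if ($parent === $found[$i]) {
                $found[] = $role;
            }
        }
    }
    return $found;
}

// Option 1: the leader inherits from the team and all of its subteams.
$acl->addRole(new Zend_Acl_Role('team-a-leader'), teamAndDescendants($parentOf, 'team-a'));
// Option 3, on a separate role for comparison: every privilege on page1.
$acl->addRole(new Zend_Acl_Role('team-a-leader-all'));
$acl->allow('team-a-leader-all', 'page1');

// 'delete' is a constructed privilege that no team or subteam rule grants.
foreach (array('view', 'special-privilege', 'delete') as $privilege) {
    printf("%-18s option1=%-5s option3=%s\n", $privilege,
        var_export($acl->isAllowed('team-a-leader', 'page1', $privilege), true),
        var_export($acl->isAllowed('team-a-leader-all', 'page1', $privilege), true));
}
```

With only allow rules, as here, option 1 gives the leader the union of the team's and subteams' rights. Once deny rules exist on some subteam, the order of the parent list decides which rule is found first, so the aggregated result should be checked with isAllowed() for each privilege that matters.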