Yep you got the scenario right.
Thanks for the insight. I will dig a bit further though, cause all ACLs are
controlled by admins, and with two settings needed for a single field it
might become too much to think of :)
I think I will be able to utilize the internal _getRuleType() to figure out
if an explicit allow is present at all or not, so ultimately I can work
with a single condition.
Thanks again.
Colin Guthrie wrote:
> Julian Davchev wrote:
>> Well, I have fields to show/hide on different conditions for example.
>> Consider show/hide person salary.
>> If user has entered secret password (this would be the assert) he will
>> be allowed to see someone's salary else just a link will be presented to
>> enter secret password. But on other hand if there is not even allow for
>> this salary to see I wouldn't even display link to enter secret
>> pass...it will all be just hidden. Hope it makes more sense now.
>>
>> I like abstraction too.....just kinda not sure what best approach in my
>> case is.
>
> Ahh right I think I understand your use case now.
>
> There are really three states here.
>
> 1. Not allowed ever.
> 2. Allowed in principle but not authenticated to that level.
> 3. Allowed in principle and authenticated.
>
> Is that a fair statement?
>
> If so I would just split this into two sets of permissions one with an
> assert and one without.
>
> The first would indicate if the user is ever allowed or not (basically
> in the first group above or not in that group).
>
> The second controls the actual viewing of the sensitive info (with the
> assert).
>
> So I would do something like:
>
> if ($acl->isAllowed('CanViewSalaries'))
> {
>     if ($acl->isAllowed('ViewSalary'))
>     {
>         // Display it.
>     }
>     else
>     {
>         // Display auth for the ViewSalary assert().
>     }
> }
>
>
> Dunno if that would work for you or not but I hope it helps.
>
> Col
>
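
The three states from the quoted reply, worked through as an added example that is not part of the original thread or of Zend Framework itself. It assumes Zend Framework 1 is on the include path; the role names (`staff`, `manager`), the `salary` resource, the `SalaryUnlockedAssertion` class and both helper functions are hypothetical, while the two privilege names come from the quoted reply.

```php
<?php
// Added example; assumes Zend Framework 1 is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

// Hypothetical assertion: passes only once the secret password was entered.
class SalaryUnlockedAssertion implements Zend_Acl_Assert_Interface
{
    private $unlocked;
    public function __construct($unlocked) { $this->unlocked = (bool) $unlocked; }
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        return $this->unlocked;
    }
}

function buildAcl($unlocked)
{
    $acl = new Zend_Acl();                       // default policy: deny everything
    $acl->addRole(new Zend_Acl_Role('staff'));   // never granted anything on 'salary'
    $acl->addRole(new Zend_Acl_Role('manager'));
    $acl->addResource(new Zend_Acl_Resource('salary'));
    // Rule without assert: "allowed in principle".
    $acl->allow('manager', 'salary', 'CanViewSalaries');
    // Rule with assert: applies only when the assertion passes; otherwise the
    // query falls back to the default deny.
    $acl->allow('manager', 'salary', 'ViewSalary', new SalaryUnlockedAssertion($unlocked));
    return $acl;
}

// Returns 'hidden' (state 1), 'prompt' (state 2) or 'show' (state 3).
function salaryState(Zend_Acl $acl, $role)
{
    if (!$acl->isAllowed($role, 'salary', 'CanViewSalaries')) {
        return 'hidden';
    }
    return $acl->isAllowed($role, 'salary', 'ViewSalary') ? 'show' : 'prompt';
}

// Constructed sample cases: role plus whether the secret password was entered.
foreach (array(array('staff', true), array('manager', false), array('manager', true)) as $case) {
    list($role, $unlocked) = $case;
    echo $role, ' unlocked=', var_export($unlocked, true), ' => ',
        salaryState(buildAcl($unlocked), $role), "\n";
}
```

Because the ACL denies by default, a role with no `CanViewSalaries` rule stays in the hidden state even if the password flag is set, so the password prompt is never offered to it.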