Some thoughts:
It looks like the "Container type" and "Container id" are a way to
restrict access to some sub level of content, but what if someone
wants to restrict access to some arbitrary set of content that is X
levels deep?
An alternative approach might allow users to define their own security
"roles", where a role protects some set of functionality, either
arbitrary page resources or actual URLs. Protecting URLs can be
enforced by the plugin. Protecting resources is something that
requires some user code, in this case, resources can be as fine or
coarse grained as the user wants. I have no idea if sfGuard already
allows something like this... I couldn't tell from its README, so let
me give an example of what I mean.
Example Table:

Resource                    Roles
--------------------------------------------------------
/news/                      ViewNews
/admin/NewsManager          ManageNews,Administrator
/admin/NewsManager/add      AddNews,Administrator
NewsAdd                     AddNews,Administrator

In this case, a user would only be able to navigate to /news/ if they
have the ViewNews role, or to /admin/NewsManager if they have the
ManageNews or Administrator roles. Protecting arbitrary resources can
be done in an action/component/template. Example:
newsManagerTemplate.php:
<?php if ($user->isAuthorized('/admin/NewsManager/add')): ?>
<a href="/admin/NewsManager/add">Add News</a>
<?php endif; ?>
same as:
<?php if ($user->isAuthorized('NewsAdd')): ?>
<a href="/admin/NewsManager/add">Add News</a>
<?php endif; ?>
same as:
<?php if ($user->hasRole('AddNews,Administrator')): ?>
<a href="/admin/NewsManager/add">Add News</a>
<?php endif; ?>

On Aug 19, 4:30 am, Nicolas CHARLOT <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Since we often need to manage credentials at a resource level, we're
> actually studying about a new security plugin: isicsACLPlugin.
>
> With sfGuardPlugin, it's easy to manage permissions for a collection
> of resources. But what about restricting access to a sub-collection of
> resources or even to a particular one? For instance, if you want to
> restrict the view to all the news, a credential news_view is well
> enough. But if you want to restrict the same operation to the news of
> category 2 or directly to the news 53? That's the main purpose of
> isicsACLPlugin.
>
> Another goal is to add a new customization level for end-users. With
> Symfony basic security system, it's the developer that tells if an
> action is secured or not (security.yml config file).
> With isicsACLPlugin, the end-user will be able to define directly if
> an operation on resource is:
> - public
> - restricted to any authenticated user
> - or fine-grained secured
>
> isicsACLPlugin is an open source project (LGPL). We hope it will
> become a community project and that many apps will use it.
>
> We've started to write the specifications here:
> http://code.google.com/p/isicsaclplugin/wiki/specsEn
> If you're interested in contributing or just giving your opinion, the door
> is open!
>
> Thanks.
> --
> Nicolas CHARLOT
> http://www.isics.fr
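
The resource/roles table proposed in the reply above, as an added example that is not part of the original thread and is not sfGuard or isicsACLPlugin code. The RoleMap class is hypothetical, and two behaviours are assumptions the thread does not specify: an unlisted URL inherits the roles of its closest listed parent, and anything that matches no entry is denied.

```php
<?php
// Hypothetical helper written for this illustration.
final class RoleMap
{
    private array $map = [];   // resource => list of roles, any one of which grants access

    public function __construct(array $rows)
    {
        foreach ($rows as $resource => $csv) {
            $this->map[self::normalize($resource)] = array_map('trim', explode(',', $csv));
        }
    }

    // Collapse repeated slashes and drop the trailing one so "/news/" and "/news" share a key.
    private static function normalize(string $resource): string
    {
        if ($resource === '' || $resource[0] !== '/') {
            return $resource;                      // named resource such as "NewsAdd"
        }
        $path = rtrim(preg_replace('#/+#', '/', $resource), '/');
        return $path === '' ? '/' : $path;
    }

    // Roles required for a resource, or null when nothing matches (caller must deny).
    public function rolesFor(string $resource): ?array
    {
        $key = self::normalize($resource);
        if (preg_match('#(^|/)\.\.?(/|$)#', $key)) {
            return null;                           // dot segments would defeat prefix matching
        }
        while (!isset($this->map[$key])) {
            $cut = strrpos($key, '/');
            if ($key === '' || $key[0] !== '/' || $key === '/' || $cut === false) {
                return null;
            }
            $key = $cut === 0 ? '/' : substr($key, 0, $cut);   // step up to the parent URL
        }
        return $this->map[$key];
    }

    public function isAuthorized(array $userRoles, string $resource): bool
    {
        $required = $this->rolesFor($resource);
        return $required !== null && array_intersect($required, $userRoles) !== [];
    }
}

$acl = new RoleMap(['/news/' => 'ViewNews', '/admin/NewsManager' => 'ManageNews,Administrator',
    '/admin/NewsManager/add' => 'AddNews,Administrator', 'NewsAdd' => 'AddNews,Administrator']);
var_dump($acl->isAuthorized(['ManageNews'], '/admin/NewsManager/add'));    // explicit row wins
var_dump($acl->isAuthorized(['ManageNews'], '/admin/NewsManager/delete')); // unlisted child URL
var_dump($acl->isAuthorized(['ViewNews'], '/admin'));                      // no row, no parent
```

The second call is the case to decide deliberately: with parent fallback, a new child URL is reachable by whoever holds the parent's roles until it gets its own row.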