I got a hint on the IRC channel yesterday to check the Sample CMS (
http://groups.google.com/group/agavi-users/browse_thread/thread/8262f274e4dda261/ccea4e9c3d4b74e7#ccea4e9c3d4b74e7
) and I also read a very nice topic that touches my problem (
http://groups.google.com/group/agavi-users/browse_thread/thread/18d590fabc9c3dac
).
I don't like the way it's done in the CMS because it's not universal - not
at all. Basically that approach uses a model in the User class, so it has to be
rewritten every time for other apps that use different models :/
But I've got an idea - why not parametrize getting credentials for
action? e.g.
    class Photos_UpdateAction extends PhotoSystemBaseAction
    {
        public function getCredentials()
        {
            // photos.update OR photos.update.id
            return array('photos.update', 'photos.update.[id]');
        }
    }
where 'id' could be... hmm, by default taken from requestHolder but for
example it could be configurable as well (maybe it is not necessary)?
Of course there should be an AgaviAction::setCredentials() method added for
keeping security as unobtrusive as possible for action execution.
I think it is a nice idea.
Cheers, Alan
> Hi Guys
> I like RBAC implementation of Agavi, but I'm still confused how to add
> credential for some resource to a specified user?
> For example I've got 'Messages' module with all CRUD capabilities.
> It is easy to allow ordinary user to read messages and create them
> - with restriction to deleting and editing (only moderators and
> administrators can do that).
> What then if I want to be more precise, and want to allow user to
> update only his/her own messages?
> Where to put logic of that? It seems that it is not built-in in any way.
> AgaviAction::getCredentials() does not fit in... or maybe? I remember
> that in sample application in rbac_definitions.xml there is
> definition like:
>
> <role name="photographer">
> <permissions>
> <permission>photos.edit-own</permission>
> <!-- etc. -->
> </permissions>
> </role>
>
> But it's not implemented.
>
> I already asked the main question - where to put logic of that? In
> action, filter? Hmmm?
>
> Cheers, Alan
>
> P.S. Thanks in advance for any response