I'm working on an app that will have 6 ARO groups in order to cover the required permissions spectrum. Is it really best practice to have *_add, *_edit, *_index, *_view, etc. methods for each? That seems like a bit of code overload and maintenance headache. The "cheapest" way I can imagine to handle it with routing is something like:

// core: edit
function _edit($id = null)
{
  // do stuff
}

function admin_edit($id = null)
{
  $this->_edit($id);
}

function manager_edit($id = null)
{
  $this->_edit($id);
}

function clerk_edit($id = null)
{
  $this->_edit($id);
}

/* ...and on and on... */

And toss in restrictions where necessary for, say, a group being allowed to only edit user's own items, or something similar.

Is there another recommended technique or is this really the best practice?

A: 

Presumably you want to offer different functionality for each group?

If that's not the case, there is no need for different CRUD methods for each group.

If, on the other hand, it is the case, look into switch statements within the CRUD methods to sort out who has what capability.

There is no need to have a method for each group.

Leo
Not necessarily different functionality aside from "own" access. Consider this contrived example privilege structure where the privileges stack: clients: index own, view own, edit own clerks: index all, add managers: view all, edit all admins: full access. I should have provided something like that in the original post for clarification.
tomws
Crap... just noticed that didn't format as expected. Trying again. Clients: index own, view own, edit own. Clerks: index all, add. Managers: view all, edit all. Admins: full access.
tomws
I get the idea [I don't think you can format comments]. I would do (and have done) it the way I suggest. Use ACL to filter method access, then further fine-tune the access within that method feeding into a conditional - either switch or if depending on your preference.
Leo
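
One way to express the two-stage check discussed above (group-level filter first, then an "own"/"all" test inside a single shared action), using the stacked privilege list from the comments. This is an added example, not code from either poster: it is plain PHP with no CakePHP calls, it uses a lookup table in place of the switch, and SCOPES, scopeFor, canAccess and the sample users are hypothetical names.

```php
<?php
// Added illustration; all names are hypothetical and the data is constructed.
// Scope per group and action: 'all', 'own', or absent (denied).
// Lower groups' privileges are stacked into the higher groups.
const SCOPES = [
    'client'  => ['index' => 'own', 'view' => 'own', 'edit' => 'own'],
    'clerk'   => ['index' => 'all', 'view' => 'own', 'edit' => 'own', 'add' => 'all'],
    'manager' => ['index' => 'all', 'view' => 'all', 'edit' => 'all', 'add' => 'all'],
    'admin'   => ['*' => 'all'], // full access
];

// Stage 1: may this group call the action at all, and with what scope?
function scopeFor(string $group, string $action): ?string
{
    $rules = SCOPES[$group] ?? []; // unknown group: no rules, so denied
    return $rules[$action] ?? $rules['*'] ?? null;
}

// Stage 2: for 'own' scope, the record must belong to the caller.
function canAccess(string $group, string $action, int $userId, ?int $ownerId = null): bool
{
    $scope = scopeFor($group, $action);
    if ($scope === 'all') {
        return true;
    }
    if ($scope === 'own') {
        return $ownerId !== null && $ownerId === $userId;
    }
    return false; // default deny
}

// A single edit action shared by every group, instead of admin_edit,
// manager_edit, clerk_edit and so on.
function edit(array $user, array $item): string
{
    if (!canAccess($user['group'], 'edit', $user['id'], $item['owner_id'])) {
        return 'denied';
    }
    // ... shared edit logic goes here ...
    return 'ok';
}

$item  = ['id' => 10, 'owner_id' => 1]; // constructed sample record
$users = [[1, 'client'], [2, 'client'], [3, 'clerk'], [4, 'manager'], [5, 'admin'], [6, 'guest']];
foreach ($users as [$id, $group]) {
    echo "$group #$id: ", edit(['id' => $id, 'group' => $group], $item), PHP_EOL;
}
```

For list actions such as index, the value returned by scopeFor can decide whether the query is restricted to the caller's own rows.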