Access Control Lists
I've been reading up on (Role-Based) Access Control Lists for an upcoming project and am having some troubles figuring out how it will work for me.
In the examples I've seen, they always talk about allowing and denying access to the particular actions of a controller/model. For example: the group "Visitors" can read posts, "Members" can read and edit, and "Admins" have create, read, update, delete.
These things seem to be a bit too global for me. In my own situation (adjusting it for this example), there will be a large number of groups, each of which can only edit posts which belong to a certain category (or some other criteria).
The only way that I can think to make it work for me is to create a new ACO for posts for each category:
posts_cat:1
posts_cat:2
posts_cat:3
And then give access to each of those individually (which could be a royal PITA for administrators who need access to all).
How does the ACL pattern cover situations like this? Are there better methods?
I will eventually be implementing this in PHP, using Cake, so examples using PHP are welcomed, but not required!
One option is rules like these:
allow('your_role', 'edit_post', 'draft');
allow('your_role', 'edit_post', 'category1');
Or you could build an attribute-based access control (which can be role-based). That is, allowing roles to do an action on an object (in the wider sense) based on attributes.
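To make the answer concrete, here is an added example (my own code, not from the question, the answer, or CakePHP's ACL component) of a deny-by-default, attribute-based policy for posts. Instead of one ACO per category, each rule pairs a role and an action with a condition on the post's attributes (category, status, author), so the "admin" role needs a single rule rather than one grant per category. All role names, users and posts below are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer and not
// CakePHP's ACL component: a small deny-by-default, attribute-based policy
// for posts. A role's right to act on a post depends on the post's
// attributes, so "admin" needs one rule rather than one ACO per category.
// All role names, posts and users are constructed.

final class PostPolicy
{
    /** @var array<string, array<string, list<callable>>> role => action => conditions */
    private array $rules = [];

    /** Register a rule: $role may perform $action on a post when $condition($post, $user) is true. */
    public function allow(string $role, string $action, callable $condition): void
    {
        $this->rules[$role][$action][] = $condition;
    }

    /** Deny unless some rule for one of the user's roles matches this post's attributes. */
    public function isAllowed(array $user, string $action, array $post): bool
    {
        foreach ($user['roles'] as $role) {
            foreach ($this->rules[$role][$action] ?? [] as $condition) {
                if ($condition($post, $user)) {
                    return true;
                }
            }
        }
        return false;
    }
}

// Attribute conditions, written as closures so the rules stay declarative.
function inCategory(string ...$categories): callable
{
    return fn(array $post, array $user): bool => in_array($post['category'], $categories, true);
}

function hasStatus(string $status): callable
{
    return fn(array $post, array $user): bool => $post['status'] === $status;
}

function isAuthor(): callable
{
    return fn(array $post, array $user): bool => $post['author_id'] === $user['id'];
}

function anyPost(): callable
{
    return fn(array $post, array $user): bool => true;
}

/** All given conditions must hold (e.g. own post AND still a draft). */
function allOf(callable ...$conditions): callable
{
    return function (array $post, array $user) use ($conditions): bool {
        foreach ($conditions as $condition) {
            if (!$condition($post, $user)) {
                return false;
            }
        }
        return true;
    };
}

$policy = new PostPolicy();
$policy->allow('visitor', 'read', hasStatus('published'));
$policy->allow('member', 'read', anyPost());
$policy->allow('member', 'edit', allOf(isAuthor(), hasStatus('draft')));
$policy->allow('cat1_editor', 'edit', inCategory('category1'));
$policy->allow('admin', 'read', anyPost());
$policy->allow('admin', 'edit', anyPost());    // one rule covers every category
$policy->allow('admin', 'delete', anyPost());

// Constructed sample data.
$posts = [
    ['id' => 1, 'category' => 'category1', 'status' => 'published', 'author_id' => 7],
    ['id' => 2, 'category' => 'category2', 'status' => 'draft',     'author_id' => 7],
];
$users = [
    'alice' => ['id' => 7, 'roles' => ['member']],
    'bob'   => ['id' => 8, 'roles' => ['member', 'cat1_editor']],
    'root'  => ['id' => 1, 'roles' => ['admin']],
];

foreach ($users as $name => $user) {
    foreach ($posts as $post) {
        foreach (['read', 'edit', 'delete'] as $action) {
            printf("%-5s %-6s post %d (%s, %s): %s\n", $name, $action, $post['id'],
                $post['category'], $post['status'],
                $policy->isAllowed($user, $action, $post) ? 'allow' : 'deny');
        }
    }
}
```

Two design points matter here. First, the check is deny-by-default: a role with no matching rule for an action gets "deny", so forgetting a rule fails closed rather than open. Second, the decision is made against the actual post being acted on, so the category check cannot be bypassed by naming a different ACO; the controller must pass the loaded record (not a client-supplied category) into `isAllowed()`.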