Cake's ACL component and the concept of "ownership"

Posted 2024-09-13 07:21:41

I have been futzing around with Cake's Auth/ACL components. I've read the docs and I've done the tutorial, but I am still not satisfied with what I can actually accomplish with it. I've seen a couple of other approaches, but I can't say as I really have a straight winner with either. In any tutorial/blog post/doc I read, the use case of "ownership" isn't exactly sufficiently covered.

I was hoping to describe my use case and if there's anyone that can suggest an approach, I am all ears, otherwise I might just have to try to do something myself ;o)


This basically mimics a simple set of Dr's offices.

Starts out easy enough for AROs:

  • Group 1: administrators (of course)
  • Group 2: caretakers
  • Group 3: members

There is a "hasOne" relationship between groups and users (i.e. a user can only belong to one group).

Now we use a tree structured ACO like Aidan Lister considers:

/root
    /practice
        /practice_profile
        /practice_updates
        /patients
            /entries
            /profiles
            /other_things

Each caretaker will have access to a practice that includes his patients. This gives the caretaker access to anything that the patient writes. On top of this, the patient will ONLY be able to see/edit/etc... anything that he owns. This wasn't specifically covered in any writing that I have read. I know that with filesystem types of permissions this is commonplace, but I don't even want to go down that road...

With Auth/ACL in Cake's core, it doesn't really get into permissions like this. It seems to say "well, if you're part of group X then you can perform function Y." Therefore, it seems like any user that belongs to the members group would have access to all other members' content and all caretakers would have access to all practices.

Has anyone else come across this sort of use case? Any suggestions for further reading? Any known solutions?

EDIT: So all of the answers were great, so upvotes all around. I highly recommend looking at the post that I didn't find, supplied by bancer as it ended up pointing me to some cool things. Ultimately, though, the answers were buried in the docs, I just didn't quite "get it" the first time around. Also, there was an AHA moment when I read the cakeqs link. So answer goes to Benjamin.

Comments (2)

追风人 2024-09-20 07:21:41

Maybe this will give you some inspiration. It's an extract of the acos table for a CMS I've developed. By using the otherwise apparently unused model column, I get an extra layer of control that lets me set accessibility to pages.

 id    parent_id  model  foreign_key  alias          lft  rght
 1462  1176       page   NULL         about-us       285  286 #display page url
 1515  1176       page   NULL         leo-test       291  292 #display page url
 1195  1176       NULL   NULL         ajaxSetStatus  261  262 #function
 1194  1176       NULL   NULL         walkTree       259  260 #function

Then I do something like this in the controller to see if the current user has permission to view the requested page (user defaults to Anonymous if not logged in):

function view($url = null)
{
    // Look up the page by its URL slug; unknown URLs go to the error action
    $nD = $this->NodeDescriptor->findByUrl($url);
    if (!$nD) $this->redirect(array('action' => 'error'));
    // The ARO is the logged-in user record, or the 'Anonymous' ARO alias when nobody is logged in
    $user = ($this->Auth->user()) ? $this->Auth->user() : 'Anonymous';
    // The page URL doubles as its ACO alias; bounce back to the referer if the ARO is not allowed
    if (!$this->Acl->check($user, "{$url}"))
        $this->redirect($this->referer());
    // ...
}

提赋 2024-09-20 07:21:41

I didn't see anybody else link to this other Stack Overflow question about ACL which suggests adding a new entry to the actionMap, "editown".

editown
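Pulling the question's requirement (members only touch what they own, caretakers get their whole practice) together with the "editown" suggestion above, here is an added example, not code from the original posts or from CakePHP itself, of an AppController::isAuthorized() for the CakePHP 1.x API the posts use that layers a record-ownership check on top of the group ACL check. The viewown/editown/deleteown action names, the user_id owner column, and Auth->authorize = 'controller' are assumptions.

```php
<?php
// Added example for CakePHP 1.x (assumed API); not the posters' or the framework's own code.
// Layer 1: the user's group must be allowed on the controller/action ACO (the existing Cake ACL).
// Layer 2: for the *own actions, the requested record must belong to the logged-in user.
class AppController extends Controller {
    var $components = array('Auth', 'Acl');

    // Assumed action names that operate only on the caller's own records
    var $ownerOnlyActions = array('viewown', 'editown', 'deleteown');

    function beforeFilter() {
        // Delegate authorization to isAuthorized() below instead of the plain 'actions' mode
        $this->Auth->authorize = 'controller';
        $this->Auth->actionPath = 'controllers/';
    }

    function isAuthorized() {
        $user = $this->Auth->user();          // array('User' => array(...)) or null
        if (empty($user)) {
            return false;
        }
        // Layer 1: group ACL. Auth->action() builds the 'controllers/Entries/editown' style ACO path
        if (!$this->Acl->check($user, $this->Auth->action())) {
            return false;
        }
        // Layer 2: ownership. Only the *own actions need the record check.
        if (!in_array($this->params['action'], $this->ownerOnlyActions)) {
            return true;
        }
        $id = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;
        return $id !== null && $this->ownsRecord($id, $this->Auth->user('id'));
    }

    // Fails closed: no owner column, no such record, or a different owner all deny.
    function ownsRecord($id, $userId) {
        $model = $this->{$this->modelClass};  // the controller's default model (assumed to carry user_id)
        if (!$model->hasField('user_id')) {
            return false;
        }
        $ownerId = $model->field('user_id', array($model->alias . '.id' => $id));
        return $ownerId !== false && (string)$ownerId === (string)$userId;
    }
}
```

The caretaker's practice-wide access stays in the ACL tree (grant the caretakers group on /practice/patients), while a member's editown only passes when user_id matches, which is exactly the distinction the group-only check cannot express.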
