How to best handle this complex ACL situation with CakePHP?
I'm making a small application to handle project related information and I'm having troubles with ACL. How do I best deal with the following situation?
My app has the following tables:
users: Keeps the users info (username, pass, email, group, etc)
groups: Groups where the users belong to. I have "administrators", "managers" and "registered"
roles: Roles for the registered users. I have "leader", "member" and "guest".
memberships: This table keeps the relationship between users, roles and projects.
projects: Keeps the projects info
items: Projects have several information items. This table keeps these items.
The tables have the following relationships:
users: hasMany Memberships, belongsTo Groups.
groups: hasMany Users
roles: hasMany Memberships
memberships: belongsTo Users, Projects, Roles
projects: hasMany Memberships, Items
items: belongsTo Projects
Basically managers (or administrators) can assign roles to registered users. Leaders and members can belong to several projects. Those belonging to a specific project can edit that project's data and its associated items. Leaders can assign members to a project from the pool of registered users.
Here is the situation in terms of CRUD:
Administrators: Full CRUD on everything (users, memberships, projects, items)
Managers: Can CRUD users of type "registered" but not "managers" or "administrators". Full CRUD on memberships, projects and items.
registered: Can do different things based on their roles:
leaders (role): Can update their own user info and read other user data that belong to their projects (info stored in the "memberships" table). Can CRUD memberships for their projects. Can CRUD items for their own projects. Can update their own projects.
members (role): Can update their own user info and read other user data that belong to their projects. Can CRUD items for their own projects. Can read memberships for their own projects. Can update their own projects.
guests (role): Can update their own user info. Can read projects.
Based on the above situation what do you think will be the best approach to deal with it? I tried with ACL but somewhere on the way I lost it. I tried playing with some of the ACL plugins available with no success. The biggest challenge is to deal with the permission creation by the managers and administrators. Please help!
I'm not yet an adept cake-baker so please be kind. Your suggestions and recommendation will be greatly appreciated. Thank you!
Yes, Cake's ACL can be difficult. I can't give you a step-by-step explanation on how to solve your problem, but maybe I can help you with the big picture. I suggest you take a look at Cake's sample ACL app docs -- maybe you only read the documentation on AclComponent? That part of the docs may be a little confusing.

I think you have to modify your database structure a little, to make it "the ACL way":

- `roles` table, use nested groups (put a `parent_id` column on table `groups`).
- `membership` table. ACL has the `aros_acos` table for that.
- `ARO`s. Your Controllers for projects and items (or specific actions on those controllers) are the `ACO`s.
- (`User`, `Group`, `UsersController`, `GroupsController`) "magically" take care of maintaining the `aros` table.
- `ACO`s and the `acos` table. You have to decide how to manage those (see here and the section after that).
- `AppController::beforeFilter` method, you use the `allow` and `deny` methods of the ACL Component to grant or deny access to the current Controller/action (`$this->name`, `$this->action`).

I believe you are almost there, it should not be complicated once you get used to Cake's ACLs.
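As an added illustration of the group-based setup the answer sketches (this is not code from the question, the answer or CakePHP itself), here is what it looks like in CakePHP 2.x: `Group` and `User` act as ACL requesters so the `aros` table is maintained for you, `AppController` routes every request through the Auth component's `Actions` authorizer (which calls the Acl component), and the grants for the three groups from the question are seeded once with `allow`/`deny`. The `controllers/...` ACO paths, the `view`/`edit` action names, the group ids and the `seedPermissions` helper are assumptions.

```php
<?php
// app/Model/Group.php -- a group is a root ARO node (Acl behaviour, requester type)
class Group extends AppModel {
    public $actsAs = array('Acl' => array('type' => 'requester'));
    public function parentNode() {
        return null;
    }
}

// app/Model/User.php -- a user is an ARO under its group and inherits its grants
class User extends AppModel {
    public $actsAs = array('Acl' => array('type' => 'requester'));
    public $belongsTo = array('Group');
    public function parentNode() {
        $data = $this->data ? $this->data : $this->read();
        if (empty($data['User']['group_id'])) {
            return null;
        }
        return array('Group' => array('id' => $data['User']['group_id']));
    }
}

// app/Controller/AppController.php -- the Actions authorizer asks the Acl
// component whether the logged-in ARO may reach 'controllers/<Controller>/<action>'
class AppController extends Controller {
    public $components = array(
        'Acl',
        'Auth' => array('authorize' => array('Actions' => array('actionPath' => 'controllers/'))),
    );
    public function beforeFilter() {
        $this->Auth->allow('login', 'logout'); // anything else needs an ACL grant
    }
}

// One-off seeding of aros_acos, e.g. from a shell. Assumed group ids:
// 1 administrators, 2 managers, 3 registered. Deny at the root first.
function seedPermissions(AclComponent $acl) {
    $admins = array('Group' => array('id' => 1));
    $managers = array('Group' => array('id' => 2));
    $registered = array('Group' => array('id' => 3));
    $acl->deny($registered, 'controllers');
    $acl->allow($admins, 'controllers');
    $acl->allow($managers, 'controllers');              // all controllers, but see below
    $acl->allow($registered, 'controllers/Projects/view');
    $acl->allow($registered, 'controllers/Users/edit');
    // ACL decides per controller/action only. Row-bound rules ("managers may only
    // CRUD registered users", "members edit only their own project's items",
    // "users edit only their own info") must be checked inside the action
    // against the loaded record; an action-level allow alone does not enforce them.
}
```

The per-project rules from the question (leader, member, guest) are exactly the row-bound kind, so whichever way you store memberships, keep an explicit ownership check in the `Projects`/`Items` actions in addition to the ACL grant.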