ACLs and multiple access levels


ACLs and multiple access levels

Synchro-2

I'm just getting to grips with Cake, and I have a basic problem with
ACLs. I'm dealing with authentication using my own User model and
controller, and that's fine. Now the problem is that a user can access
multiple accounts, and can have different permissions in each (they
might be an admin in one, a user in another). As far as I can see,
there's no way to model that with Cake's ACLs. I've found some other
posts that ask much the same question, but I've not found a definitive
answer. I guess I could make each account an ACO, but then I'd be stuck
as I would not be able to distinguish admin from regular user accounts,
because each ARO can only have one parent.

Before looking at the ACLs, I had started making my own access
mechanism using a group mechanism that allowed multiple group
membership (like UNIX perms), but that suffers from other limitations.
Is there a mechanism that combines both?

Another smaller problem - When I start adding AROs, I need to have some
basic preset ACOs to assign them to - how would I go about
bootstrapping these into a fresh setup?


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/cake-php
-~----------~----~----~----~------~----~------~--~---


Re: ACLs and multiple access levels

Synchro-2

I think I've got a solution for this: Users are not AROs. I've
introduced an intermediate class called an accountuser that represents
a particular user's existence within a given account, and that seems a
good candidate for an ARO, as they can have different access to
different ACOs in different accounts, while sharing authentication data
across all of them.

Potentially, some specific users could still be AROs, such as
superusers that have access to everything in all accounts.

Does this sound like a good idea?


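
The design described in the reply above, as an added example that is not part of the original posts and does not use CakePHP's Acl component: plain PHP in which each (user, account) membership row is the principal that permissions attach to, with a separate superuser list. The role names, actions, IDs and function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration in plain PHP; every name below is hypothetical.
// Role -> allowed actions. Anything not listed is denied.
const ROLE_ACTIONS = [
    'admin' => ['read', 'write', 'manage_users'],
    'user'  => ['read'],
];

// Constructed sample data: one row per (user, account) membership.
// The membership row, not the user, is the principal (the ARO).
const MEMBERSHIPS = [
    ['id' => 1, 'user_id' => 10, 'account_id' => 100, 'role' => 'admin'],
    ['id' => 2, 'user_id' => 10, 'account_id' => 200, 'role' => 'user'],
];

// Users that are principals in their own right, across all accounts.
const SUPERUSERS = [99];

function findMembership(int $userId, int $accountId): ?array
{
    foreach (MEMBERSHIPS as $m) {
        if ($m['user_id'] === $userId && $m['account_id'] === $accountId) {
            return $m;
        }
    }
    return null; // no membership in this account
}

function isAllowed(int $userId, int $accountId, string $action): bool
{
    if (in_array($userId, SUPERUSERS, true)) {
        return true;
    }
    $m = findMembership($userId, $accountId);
    if ($m === null) {
        return false; // authenticated, but not a member of this account
    }
    $allowed = ROLE_ACTIONS[$m['role']] ?? []; // unknown role grants nothing
    return in_array($action, $allowed, true);
}

var_dump(isAllowed(10, 100, 'manage_users')); // user 10 is admin in account 100
var_dump(isAllowed(10, 200, 'manage_users')); // same user, plain user in account 200
var_dump(isAllowed(10, 300, 'read'));         // same user, no membership in account 300
var_dump(isAllowed(99, 300, 'manage_users')); // superuser, no membership needed
```

Because the check always takes the account as an argument, a role held in one account never carries over to another; authentication stays on the user record while authorization is resolved per membership.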