I have been futzing around with Cake's Auth/ACL components. I've read the docs and I've done the tutorial, but I am still not satisfied with what I can actually accomplish with it. I've seen a couple of other approaches, but I can't say as I really have a straight winner with either. In any tutorial/blog post/doc I read, the use case of "ownership" isn't exactly sufficiently covered.
I was hoping to describe my use case and if there's anyone that can suggest an approach, I am all ears, otherwise I might just have to try to do something myself ;o)
This basically mimics a simple set of Dr's offices.
Starts out easy enough for AROs:
- Group 1: administrators (of course)
- Group 2: caretakers
- Group 3: members
There is a "hasOne" relationship between groups and users (i.e. a user can only belong to one group).
Now we use a tree structured ACO like Aidan Lister considers:
/root
/practice
/practice_profile
/practice_updates
/patients
/entries
/profiles
/other_things
Each caretaker will have access to a practice that includes his patients. This gives the caretaker access to anything that the patient writes. On top of this, the patient will ONLY be able to see/edit/etc... anything that he owns. This wasn't specifically covered in any writing that I have read. I know that with filesystem types of permissions this is commonplace, but I don't even want to go down that road...
With Auth/ACL in Cake's core, it doesn't really get into permissions like this. It seems to say "well, if you're part of group X then you can perform function Y." Therefore, it seems like any user that belongs to the members group would have access to all other members' content and all caretakers would have access to all practices.
Has anyone else come across this sort of use case? Any suggestions for further reading? Any known solutions?
EDIT: So all of the answers were great, so upvotes all around. I highly recommend looking at the post that I didn't find, supplied by bancer as it ended up pointing me to some cool things. Ultimately, though, the answers were buried in the docs, I just didn't quite "get it" the first time around. Also, there was an AHA moment when I read the cakeqs link. So answer goes to Benjamin.
Maybe this will give you some inspiration. It's an extract of the acos table for a CMS I've developed. By using the otherwise apparently unused model column, I get an extra layer of control that lets me set accessibility to pages.

id    parent_id  model  foreign_key  alias          lft  rght
1462  1176       page   NULL         about-us       285  286   # display page url
1515  1176       page   NULL         leo-test       291  292   # display page url
1195  1176       NULL   NULL         ajaxSetStatus  261  262   # function
1194  1176       NULL   NULL         walkTree       259  260   # function
Then I do something like this in the controller to see if the current user has permission to view the requested page (user defaults to Anonymous if not logged in):
function view($url = null)
{
    // Look up the node for the requested URL; unknown URLs go to the error action
    $nD = $this->NodeDescriptor->findByUrl($url);
    if (!$nD) {
        $this->redirect(array('action' => 'error'));
    }
    // The ARO is the logged-in user record, or the 'Anonymous' alias when nobody is logged in
    $user = ($this->Auth->user()) ? $this->Auth->user() : 'Anonymous';
    // The ACO alias is the page URL itself (see the acos extract above)
    if (!$this->Acl->check($user, $url)) {
        $this->redirect($this->referer());
    }
    ...
}
I didn't see anybody else link to this other Stack Overflow question about ACL which suggests adding a new entry to the actionMap, "editown".
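As an added illustration (not code from the question, the answers or CakePHP), here is a language-neutral model of the decision the question and the editown suggestion together describe: the ACL tree answers the group question, and an "&lt;action&gt;own" grant (editown generalized to viewown etc.) adds an ownership check against the record itself, with caretakers confined to their own practice. The tree layout (patients under practice, entries and profiles under patients), the group grants and the user/record fields are assumptions for the example.

```python
# Added example (constructed data, not CakePHP code): the ACL answers the group
# question, then an ownership rule handles "<action>own" grants such as editown.

# child -> parent, mirroring the /practice/patients/entries ACO tree (assumed layout)
ACO_PARENT = {
    "practice": "root",
    "practice_profile": "practice", "practice_updates": "practice",
    "patients": "practice",
    "entries": "patients", "profiles": "patients",
}

# Group grants on tree nodes; a grant on a node is inherited by its children.
GROUP_GRANTS = {
    "administrators": {"root": {"view", "edit", "delete"}},
    "caretakers": {"practice": {"view", "edit"}},
    "members": {"patients": {"viewown", "editown"}},
}


def node_path(aco):
    """Walk from an ACO up to the root so inherited grants apply."""
    path = [aco]
    while aco in ACO_PARENT:
        aco = ACO_PARENT[aco]
        path.append(aco)
    return path  # e.g. ['entries', 'patients', 'practice', 'root']


def group_allows(group, aco, action):
    """Pure ACL question: does this group hold `action` on `aco` or an ancestor?"""
    grants = GROUP_GRANTS.get(group, {})
    return any(action in grants.get(node, ()) for node in node_path(aco))


def can(user, action, aco, record):
    """user = {'id', 'group', 'practice_id'}; record = {'owner_id', 'practice_id'}."""
    if group_allows(user["group"], aco, action):
        # caretakers only reach records inside the practice they belong to
        if user["group"] == "caretakers":
            return record["practice_id"] == user["practice_id"]
        return True
    # editown-style grant: the action is allowed only on records the user owns
    if group_allows(user["group"], aco, action + "own"):
        return record["owner_id"] == user["id"]
    return False
```

The ACL alone would let every member edit every entry; the ownership branch is what turns a members-wide "editown" grant into "edit only your own".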