Tuesday, December 2, 2008

Re: Getting all the acos a aro can access?

gk wrote:
> Hi there
>
> I'm trying to work out how to get all the access control objects an
> access request object can access - for example all the blog posts a
> user can edit. Can anybody point me in the right direction on how to
> do this? Thanks very much.

If you can't make some assumptions, it's very expensive to do that.
Before commencing you need to understand the basics of mptt, and also
understand that acl is basically a tree<-habtm->tree system. If you
don't meet these 2 requirements - research first, try later ;). The
sql you need to achieve is something like this:

SELECT
theAco.foreign_key
FROM
acos as theAco
INNER JOIN
acos as ruleAco ON (ruleAco.lft <= theAco.lft AND ruleAco.rght >=
theAco.rght)
INNER JOIN
aros_acos ON (aros_acos.aco_id = ruleAco.id)
INNER JOIN
aros as ruleAro ON (aros_acos.aro_id = ruleAro.id)
INNER JOIN
aros as theAro ON (ruleAro.lft <= theAro.lft AND ruleAro.rght >=
theAro.rght)
WHERE
theAro.class = 'User' AND theAro.foreign_key = $userId AND
ruleAco.edit = 1 AND theAco.class = 'Post';

Where:
theAco represents in the above example the aco for *a* blog post
ruleAco represents the aco for a matching rule, which could be the
same as "theAco" or any parent (such as the aco for all posts, or all
objects)
aros_acos is the permission table
ruleAro represents the aro for a matching rule, which could be the
same as "theAro" or any parent (such as the aro for all users)
theAro represents the specific user

As you can see, it's not trivial, and on even a moderate dataset is
likely to really pound your db - to the point of taking it offline.
So if you are using acl inappropriately (e.g. to define "only admin
and owners can edit posts") It would be wise to reconsider your access
control scheme, rather than try to implement the above.

Off the cuff, IMO and hth,

AD
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)