Wednesday, March 25, 2009

Re: ACL Design

Well it sounds like you want global roles, and org specific roles.
Although using only roles will keep your table smaller, I disagree
with James about 'far less queries being run' though since the
structure of Aro trees only requires 1 query whether based on a user
or role. The benefit of performance would come from smaller index
sizes. But regardless, if you want to avoid adding users to the Aro
table, create a structure like;

Entire Site
|- Org 1
| |-Org 1 Admin
| |-Org 1 User
|- Org 2
| |-Org 2 Admin
| |-Org 2 User
L Guests

Then you can link each user to a role, in a separate table (Roles).
Or if you already have a habtm relationship for Users <->
Organizations you can simply add an additional role_id column.

id user_id org_id role_id


So yes, you are understanding correctly.

On Mar 24, 1:02 pm, mguthrie <mitchguth...@gmail.com> wrote:
> So if I understand you correctly:
>
> 1.) Create roles that are global across the system
> 2.) Assign those roles to the ARO table
> 3.) Then in my own separate tables store group information per
> organization that assigns users to those roles.
>
> Am I understanding this correctly?  If so that makes for a very
> efficient solution.
>
> On Mar 24, 7:53 am, James K <james.m.k...@gmail.com> wrote:
>
> > Unless you need the ability to have fine grained, unique permissions
> > on a per-user basis, then I would avoid entering your users into the
> > ARO table (like most ACL tutorials suggest). Instead add your roles to
> > the ARO table. Then in your system logic, you can pull the user's role
> > in a particular organization, then check against the ACL tables for
> > that role to find out what that user should be able to do in that
> > context.
>
> > This leaves your ACL tables MUCH lighter, far less queries need to be
> > run against them as well.
>
> > - James
>
> > On Mar 23, 8:13 pm, mguthrie <mitchguth...@gmail.com> wrote:
>
> > > I'm looking into CakePHP for developing an application that appears to
> > > have some unique requirements.  I'll try to break it down as simply as
> > > I can:
>
> > > 1.) Users register with the site
> > > 2.) A user can belong to one or more organizations (by invite only).
> > > These organizations keep data specific to their organization that
> > > isn't shared or publicly available to the rest of the organizations.
> > > Think of a CRM where each user can belong to one or more organizations
> > > that each manage their own customers in the same system.
> > > 3.) A user needs to have different rights depending on the
> > > organization.  In one organization a user may be an administrator and
> > > can do all things but in another they may only be able to view a
> > > certain area belonging to that organization.
>
> > > Everything in the application is going to center around a user's
> > > current organizational id.  So in the backend there will be a lot of
> > > filtering by organization ID.
>
> > > Can the CakePHP ACL give me that kind of flexibility?  Can a user have
> > > different rights to the same database tables depending on which
> > > organization they are currently working as?
>
> > > This may be confusing so if anyone needs me to clarify please let me
> > > know.
>
> > > Thanks.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
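To make the design in the reply above concrete, here is an added example that is not from the thread and not CakePHP's own ACL code. It assumes the ARO tree is stored as a nested set (lft/rght columns, the usual layout for tree-style ACL tables), a simplified flat `perms` table keyed by ARO id and an ACO string, and the memberships table (user_id, org_id, role_id) the reply suggests; users never enter the ARO table, and the permission lookup for a role and all of its parent nodes is a single query.

```python
import sqlite3

# Constructed sample data (not from the thread): the ARO tree sketched in the reply,
# stored as a nested set. A node's ancestors are the rows whose lft/rght enclose its own.
AROS = [  # (id, alias, lft, rght)
    (1, "Entire Site", 1, 16),
    (2, "Org 1", 2, 7), (3, "Org 1 Admin", 3, 4), (4, "Org 1 User", 5, 6),
    (5, "Org 2", 8, 13), (6, "Org 2 Admin", 9, 10), (7, "Org 2 User", 11, 12),
    (8, "Guests", 14, 15),
]
# Membership rows: user 1 is Org 1 Admin in org 1 but only Org 2 User in org 2.
MEMBERSHIPS = [(1, 1, 1, 3), (2, 1, 2, 7)]  # (id, user_id, org_id, role_id = ARO id)
# Permission rows: (aro_id, aco, allowed). A rule on a parent node is inherited by
# every role beneath it unless a more specific node overrides it.
PERMS = [(1, "customers", 0), (2, "customers", 1), (3, "customers/delete", 1)]


def build_db():
    """Create an in-memory SQLite database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE aros (id INTEGER PRIMARY KEY, alias TEXT, lft INTEGER, rght INTEGER);
        CREATE TABLE memberships (id INTEGER PRIMARY KEY, user_id INTEGER,
                                  org_id INTEGER, role_id INTEGER);
        CREATE TABLE perms (aro_id INTEGER, aco TEXT, allowed INTEGER);
    """)
    conn.executemany("INSERT INTO aros VALUES (?,?,?,?)", AROS)
    conn.executemany("INSERT INTO memberships VALUES (?,?,?,?)", MEMBERSHIPS)
    conn.executemany("INSERT INTO perms VALUES (?,?,?)", PERMS)
    return conn


def can(conn, user_id, org_id, aco):
    """True if user_id, acting inside org_id, may access aco; deny by default."""
    row = conn.execute("SELECT role_id FROM memberships WHERE user_id=? AND org_id=?",
                       (user_id, org_id)).fetchone()
    if row is None:
        return False  # not a member of that organisation at all
    # One query: walk the role's ancestor chain via nested-set containment and take
    # the most specific (deepest) rule for this ACO, so child nodes override parents.
    row = conn.execute(
        """SELECT p.allowed FROM perms p
           JOIN aros a ON a.id = p.aro_id
           JOIN aros r ON r.id = ?
           WHERE a.lft <= r.lft AND a.rght >= r.rght AND p.aco = ?
           ORDER BY a.lft DESC LIMIT 1""",
        (row[0], aco)).fetchone()
    return bool(row and row[0])
```

The same user gets different answers for `customers` in org 1 and org 2 because the check is keyed on the role held in the current organisation, not on the user.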