Monday, October 4, 2010

Re: ACL and multiple groups

The most maddening thing about ACL is that it is so close yet so far.
If ever there was something you could call half-baked, ACL is it.

What you seek is the kind of thing it should handle easily out of the
box, yet it can't. Cake's ACL feels like it was a brilliant thought
started by someone on the team who never finished it and no one else
wanted to touch it. ACL is so limited in practical real-world
applicability that it's not worth your time to fight with it.

If you want a flat permissions scheme that hardly justifies using a
two tree models and a bridge table, go ahead and use ACL... but it
will be faster to handle it yourself in app_controller.php or
app_model.php and probably perform better than invoking an MPTT
system. And if you want something as robust as you seek, sadly, you
have no choice than to roll your own.

On Oct 4, 1:47 am, Jeremy Burns <jeremybu...@classoutfit.com> wrote:
> I am building a site where a user can be assigned one or more roles
> within an organisation; for example org unit manager, regional
> manager, Head of Function and so on. I want to create a permissions
> model - ideally using ACL (although I've never really 'got' ACL before
> and have never successfully deployed it <embarrassed>) - that mirrors
> this structure.
>
> My constraints are that:
> - each user can be assigned more than one role
> - each role has different rites on objects in the system
> - if a user is in two roles that have different permissions on the
> same object he/she gains the most privileged rites
> - the permissions apply at a row level (e.g. an org unit manager can
> manage his/her org unit, but no others)
>
> I have successfully built this in another system in ASP where I rolled
> my own permissions model that did exactly what I wanted it to do and
> it was easy to administer.
>
> Is this achievable with Cake out of the box, or should I roll my own
> again? If it can be done with Cake's ACL, which is the best guide to
> refer to (not the online book - I know about that)?

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)