Tuesday, September 28, 2010

Can a group act as both an ARO and an ACO?

I apologize for asking this before trying. I haven't yet had time to
get to this and I'm curious if there's a quick answer that will save
me some time. Otherwise, I will test it out and report back later.

Question:

A user belongs to one or more departments.
Projects belong to a department.

Any user that belongs to department A should be able to access any
projects that belong to department A. Conversely, the user should not
be allowed to access any projects that belong to a department the user
is not also a part of. I wanted to see if I could define the behavior
for department to act as both an ACO and an ARO so that it updates the
ACOs and AROs automatically whenever a department is created or
updated.

***

Bonus points:

My ACL is actually more complicated than that. The user belongs to a
user group as well as a department. The group defines what CRUD
actions the user can do in absolute terms. For example, admins are
allowed to create and edit company records, but users can only view
them. What makes it more complicated is that AMONG those absolute
permissions, which specific records you are allowed to edit or view
are filtered by the department criteria above.

So the user belongs to one or more departments, and the user belongs
to a single group. Access is dependent on both department AND group.
That means in the ARO table, I would see the same user appear under
two different branches (one branch is for all departments, and the
other is for all groups). The trouble is that I predict this means ACL
will see the user in either one OR the other and give much higher
permission than desired. In short, I'm hoping for an AND link but
expecting it will only do OR.

****

Super bonus points:

My ACL is currently keyed off of just group. I see that ACL queries
easily outweigh all other queries in terms of time eaten up. I'm
wondering if, even were I to succeed in making my complex ACL tree
above work correctly, would the performance hit make it infeasible?
Should I just hardcode some things instead?

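The rule described in the post (the group decides which action is allowed, the department decides which records, and both are required), written out as plain PHP to contrast AND evaluation with OR evaluation. This is an added example, not code from the original post or from CakePHP; it does not use CakePHP's ACL component, and every function name and all sample data are hypothetical.

```php
<?php
// Added illustration in plain PHP. Not CakePHP's ACL component.
// All names and data below are constructed for this example.

$groupPermissions = [
    'admin' => ['create', 'read', 'update', 'delete'],
    'user'  => ['read'],
];
$users = [
    'alice' => ['group' => 'admin', 'departments' => ['A']],
    'bob'   => ['group' => 'user',  'departments' => ['A', 'B']],
];
$projects = [
    'p1' => ['department' => 'A'],
    'p2' => ['department' => 'B'],
];

// Group check: is the action allowed in absolute terms?
function groupAllows(array $perms, array $user, string $action): bool
{
    $allowed = $perms[$user['group']] ?? []; // unknown group gets nothing
    return in_array($action, $allowed, true);
}

// Department check: does the user belong to the project's department?
function departmentAllows(array $user, array $project): bool
{
    return in_array($project['department'], $user['departments'], true);
}

// Desired rule: both checks must pass.
function canAccessAnd(array $perms, array $user, array $project, string $action): bool
{
    return groupAllows($perms, $user, $action) && departmentAllows($user, $project);
}

// The feared rule: either branch alone is enough.
function canAccessOr(array $perms, array $user, array $project, string $action): bool
{
    return groupAllows($perms, $user, $action) || departmentAllows($user, $project);
}

$cases = [['alice', 'p1', 'update'], ['alice', 'p2', 'update'],
          ['bob', 'p2', 'update'], ['bob', 'p2', 'read']];
foreach ($cases as [$u, $p, $a]) {
    $and = canAccessAnd($groupPermissions, $users[$u], $projects[$p], $a);
    $or  = canAccessOr($groupPermissions, $users[$u], $projects[$p], $a);
    printf("%-5s %-6s %s  AND=%-5s OR=%s\n", $u, $a, $p,
        var_export($and, true), var_export($or, true));
}
```

The second and third cases are the ones where the two rules disagree: an admin outside the project's department, and a read-only user inside it.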