Granting Roles accesses to specific resource IDs?

Question

Granting Roles accesses to specific resource IDs?

Steven Aug '17

Created Aug '17	Last Reply Aug '17	Replies 2	Views 400	Votes 0

Steven 5.7k

Aug '17

My application has the following definitions:

Users (Roles)
Accounts/Items (Resources)
Full/List/View/Update/Delete (Accesses)
Account IDs (Resource IDs - each account has a unique ID...)

Issue:

Acls seem to only take into account Roles, Resources, Accesses. What about accesses on specific Resources designated by a resource_id?
The entire Acl is in the database using the incubator's Acl Database Adapter, not in memory.

Objective:

To allow/deny each user the ability to perform "access" on a specific "resource" identified by "resource_id"

Example: We have 10 accounts. Account ids 1 - 10.

User1 has full access to Accounts 1 - 5
User2 has full access to Accounts 6 - 9
User3 has full access to Accounts 10
User3 can also List/View Accounts 2, 5, 9.

// Doesn't take into account the account_id!!

if(!$this->isAllowed('User1', 'Account', 'View')) {

... Denied! ...

return false;

}

... approved ...

Possible solution:

I've been toying with the idea of extending the Acl Database Adapter by adding a "resource_id" column to the access_list and updating the code to check that as an additional parameter.

What are your thoughts?

Emilio Degiovanni · Answer 1 · 2017-08-19T15:28:29-07:00

Hi @Steven you must implement an annonimous function to validate that check the docs

// Set access level for role into resources with custom function when you pass the resource id
$acl->allow(
    'User',
    'Account',
    'view',
    function ($id) {
        return $id >= 1 && $id <= 5; //1 and 5 probably get from db
    }
);

//then when you validate
$acl->isAllowed(
    'User',
    'Account',
    'View',
    [
        'id' => 4, //nice 
    ]
);

Good luck

Wojciech Ślawski · Answer 2 · 2017-08-28T07:41:17-07:00

Well the problem is that he uses Database adapter, not sure if this will work, most certainly not. This code from above is for Memory adapter, you can check it code in repository and make similar thing for Database, but im not really sure how it should actually work, just database adapter doesn't fit for this requirment really.

Steven · Answer 3 · 2017-09-11T11:51:18-07:00

I ended up customizing the database adapter from the incubator to fit my needs.

I just added a resource_id to the access_list table and updated the code to match accordingly. Works like a charm :)