We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Using ACL to restrict access to specific models records

I can't seem to get my head around this so let me explain the problem:

I have model named Project, multiple user Roles ex:

  • Administrators
  • Moderators
  • Users
  • Client A
  • Client B
  • Client C
  • Guest

And a few projects

  • (id: 1) Private project A - Only for Moderators and up
  • (id: 2) Private project B - Only for Moderators and up
  • (id: 3) Project X - For Client A and moderators and up
  • (id: 4) Project Y - For Client B and moderators and up
  • (id: 5) Project Z - For Client B, Client C and moderators and up

Now is there a way to use Phalcon ACL to handle this? Or do I need to write my own ACL implementation?

Basically I need to restrict access to specific entities in database, users in Client B obviously won't be able to see other projects as well.

Sure probably you need to usea a ACL Mysql or Redis adapters and for example if you need restrict an user to some values you have to use ACL function based access

Good luck

Ah well I should have said it but I have my own implementation of MySQL adapter derived from incubator but done purely on models: https://hastebin.com/avufogiqon.xml And inheritance is done on a flat level but that doesn't matter.

Basically usage of the function based access is not possible in MySQL so I need another way.

I was thinking of making another layer, database like this:

+------------------------------+-----------+----------------+--------+
|          Model Name          | Entity ID |      Role      | Access |
+------------------------------+-----------+----------------+--------+
| SomeNamespace/Models/Project | 2         | Moderators     |      1 |
| SomeNamespace/Models/Project | *         | Users          |      0 |
| SomeNamespace/Models/Project | *         | Administrators |      1 |
+------------------------------+-----------+----------------+--------+

But it becomes a problem, how to join such table? For example I would like to restrict project listing. I could simply jon permissions table.

I don't think I can use built in system for that. Probably need to extend it.