
How would I use ACL to lock users out of, say, certain forum categories but not others?

So I looked into the ACL stuff a little. I was trying to figure out the 'phalcon' way of doing things here. Acl seems to restrict access to certain 'types' of things, not 'instances' of those things, i.e. you can define the permission for accessing the "forum categories" controller (mysite.com/categories), but I can't seem to figure out how I would restrict users to certain categories only (i.e. guests can access mysite.com/categories/cars, but not mysite.com/categories/SecretAdminPosts).

How would I best go about this?



edited Aug '14

You could do two types of areas (add both to the ACL): one of them for users with a determined role, and the other for the rest. Something like:

<?php
use Phalcon\Acl\Adapter\Memory;
use Phalcon\Acl\Resource;
use Phalcon\Acl\Role;

$acl = new Memory();

// Roles have to be registered before allow() can refer to them
$acl->addRole(new Role('user'));
$acl->addRole(new Role('admin'));

// controller => list of actions (here: category names) in each area
$publicArea = array(
    "categories" => array("cars")
);
$privateArea = array(
    "categories" => array("SecretAdminPosts")
);

// Register the resources; adding the same controller twice just merges its action list
foreach ($publicArea as $controller => $actions) {
    $acl->addResource(new Resource($controller), $actions);
}

foreach ($privateArea as $controller => $actions) {
    $acl->addResource(new Resource($controller), $actions);
}

// Public area: both roles may access it
foreach ($publicArea as $controller => $actions) {
    $acl->allow('user', $controller, $actions);
    $acl->allow('admin', $controller, $actions);
}

// Private area: admin only (everything not allowed explicitly is denied)
foreach ($privateArea as $controller => $actions) {
    $acl->allow('admin', $controller, $actions);
}

More info at https://docs.phalcon.io/en/latest/reference/tutorial-invo.html#providing-an-acl-list




Yes, that's fine and works well for those 2 categories, but on many web software (forums, etc.) the user/admin can create their own categories. I can't 'hard code' the permissions.

Think, for example, of secret Facebook groups. If you are granted access to a Facebook group you can view and post posts in the group. There can be lots of these groups. The only thing I can think of is creating an ACL user group ('user', 'admin', etc.) for every single user-created page by fetching every single group from the database, adding users to the correct group and then executing the rest of my PHP. Imagine if I had hundreds of groups. This would not work very well because I'd have to 'construct' this 'dynamic' ACL list every time.
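The usual way out of the "one ACL role per group" problem described above is to split the decision in two: keep the Phalcon ACL small and static (which roles may reach which controller/action, i.e. the *type* level) and answer the *instance* question ("is this user a member of this particular group?") with one membership lookup against the same database that stores the groups. The ACL then never grows with the number of groups, and nothing has to be rebuilt or reloaded when a user creates one. The following is an added example written for this thread, not code from the original posts or from the Phalcon project; it assumes the Phalcon 3 ACL API (Phalcon\Acl\Adapter\Memory with addRole/addResource/allow/isAllowed; Phalcon 4 renamed Resource to Component), and the MEMBERSHIP array and the group_members table name are constructed placeholders standing in for the real membership query.

```php
<?php
// Added example (not part of the original thread): two-layer authorization for
// user-created groups. Assumes the Phalcon 3 ACL API; Phalcon 4 renamed
// Resource to Component.
use Phalcon\Acl;
use Phalcon\Acl\Adapter\Memory;
use Phalcon\Acl\Resource;
use Phalcon\Acl\Role;

// Layer 1: a small, static ACL over *types* (controller/action). It is built
// from a handful of roles and does not change when groups are created.
function buildAcl(): Memory
{
    $acl = new Memory();
    $acl->setDefaultAction(Acl::DENY);      // fail closed: deny unless allowed below

    $acl->addRole(new Role('guest'));
    $acl->addRole(new Role('user'));
    $acl->addRole(new Role('admin'));

    $acl->addResource(new Resource('categories'), ['index', 'view', 'post']);

    $acl->allow('guest', 'categories', ['index']);
    $acl->allow('user',  'categories', ['index', 'view', 'post']);
    $acl->allow('admin', 'categories', ['index', 'view', 'post']);
    return $acl;
}

// Layer 2: *instance* membership, stored next to the groups themselves.
// Constructed sample rows standing in for a hypothetical `group_members`
// table; in production this is one indexed query per request, e.g.
//   SELECT 1 FROM group_members WHERE group_id = ? AND user_id = ?
const MEMBERSHIP = [
    'cars'             => null,   // null = open to every authenticated user
    'SecretAdminPosts' => [1],    // private: only user id 1 is a member
];

function isMember(string $group, int $userId): bool
{
    if (!array_key_exists($group, MEMBERSHIP)) {
        return false;             // unknown group: fail closed, never default-allow
    }
    $members = MEMBERSHIP[$group];
    return $members === null || in_array($userId, $members, true);
}

// The check a controller's beforeExecuteRoute() or a dispatcher plugin would run
// for a request like /categories/view/<group>.
function canAccess(Memory $acl, string $role, int $userId, string $action, string $group): bool
{
    // Type-level question: may this role perform this action on categories at all?
    if (!$acl->isAllowed($role, 'categories', $action)) {
        return false;
    }
    // Instance-level question: is this user a member of *this* group?
    // Admins bypass membership; everyone else must be listed.
    return $role === 'admin' || isMember($group, $userId);
}

$acl = buildAcl();
var_dump(canAccess($acl, 'user',  42, 'view', 'cars'));
var_dump(canAccess($acl, 'user',  42, 'view', 'SecretAdminPosts'));
var_dump(canAccess($acl, 'user',  1,  'view', 'SecretAdminPosts'));
var_dump(canAccess($acl, 'guest', 0,  'view', 'cars'));
var_dump(canAccess($acl, 'admin', 7,  'post', 'SecretAdminPosts'));
```

Two design points matter for security here: the ACL's default action is DENY and an unknown group name is also treated as "not a member", so a mistyped or newly created group can only be reached once a membership row exists; and the membership check is keyed on the user id from the session, not on anything the client sends in the URL, so the only untrusted input (the group slug) selects which row to look up but never which user to look up.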




Mmmm... maybe using an INI configuration file? You will load all controllers/actions/roles from there. The INI will be dynamically refreshed when some new "facebook group" would be created.



edited Aug '14

That could be one giant INI file if the website was popular. Wouldn't it be getting loaded each time someone loads a page? Or does Phalcon load it into 'memory', because C magic? Imagine loading an INI with thousands of lines in it, every time someone requests a page..?



Accepted answer



That looks like what I am after, thanks, you two, for helping out :)