How should I structure my resource tree in an ACL?

Asked 2021-12-29. Tags: permissions, acl, php, zend-framework, zend-acl

Using PHP and Zend_ACL, I want to create an extremely flexible permissions system. I want to be able to assign permissions to all objects of a certain type, as well as to instances of those objects. If a specific instance of an object is queried and it doesn't exist in the resource tree then the permission set for the 'generic' object can be used. My problem is that this needs to nest and I can't figure out a way to do it without multiple inheritance, which Zend_ACL doesn't support.

An example would be this. An online learning site with faculties, courses, and events. Each event belongs to a course, and each course to a faculty. I would like to be able to permit each faculty role to access all the courses (and events by inheritance), but a particular faculty wants their material private. So I make the structure of my resource tree have a resource node for each faculty and have each course belonging to that faculty branch from the faculty node instead of branching from the generic course node which gives each course its default permissions. With the new structure how can I apply my generic course permissions? The same goes for events below courses: if I want each event to only be readable if the parent course is readable, but I also want to apply a default set of permissions to each event, how can I organize the tree such that each event inherits from its parent and its generic node without multiple inheritance?

Any questions or comments or suggestions for a different system are very welcome.

Answer

Your multiple inheritance problem is all in your head - unless of course can be in multiple faculties - etc. Build an additional "parent Resource" that can change ACL from the base "course".

You don't want the course to inherit the faculty permissions directly; you'll probably want someone to be able to edit the courses for that faculty (a TA or something) - but not the faculty itself right?

faculties, courses, and events. Each event belongs to a course, and each course to a faculty

Parent -> middleman -> child
Courses -> Courses:Faculty2 -> Courses:Faculty2:Course1
Events -> Events:Course1 -> Events:Course1:Event3

This will give you groups of Courses by faculty, but still inherit default course permissions. As you add each resource - just make it parent to its group resource, which parents to the overall resource.

If you want all events for a particular course to be hidden - you just set a permission on Event:Course#

If you want to be able to set a permission on all events of a faculty, you can just add another "middleman" parent above Event:Course1 that groups Events by Faculty as well: Events:Faculty2:Course1:Event3

I've found for a permissions system 9 times out of 10 you don't need (or want the confusion) of multiple inheritance. If your access control is more complicated than a simple tree, you should re-evaluate your access control.
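Below is an added PHP example (not part of the question or the answer) that builds the Courses branch of the tree described above with Zend Framework 1's Zend_Acl, and adds a lookup that falls back from an unregistered course instance to its group or generic node, which is the behaviour the question asked for. The role names, faculty numbers and course numbers are constructed for illustration.

```php
<?php
// Added example: the "middleman" resource layout from the answer, in Zend_Acl (ZF1).
// Role and resource names below are constructed for illustration.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

function buildAcl()
{
    $acl = new Zend_Acl();

    // Roles: every faculty role inherits the site-wide "guest" defaults.
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('faculty1'), 'guest');
    $acl->addRole(new Zend_Acl_Role('faculty2'), 'guest');

    // Resources: generic node -> per-faculty middleman -> course instance.
    $acl->addResource(new Zend_Acl_Resource('Courses'));
    $acl->addResource(new Zend_Acl_Resource('Courses:Faculty1'), 'Courses');
    $acl->addResource(new Zend_Acl_Resource('Courses:Faculty2'), 'Courses');
    $acl->addResource(new Zend_Acl_Resource('Courses:Faculty1:Course7'), 'Courses:Faculty1');
    $acl->addResource(new Zend_Acl_Resource('Courses:Faculty2:Course1'), 'Courses:Faculty2');

    // Default course permission: set once on the generic node, inherited by
    // every course through its middleman. Zend_Acl denies everything else.
    $acl->allow('guest', 'Courses', 'read');

    // Faculty 2 keeps its material private: a deny for all roles on the
    // middleman is more specific than the generic allow, so it wins for that
    // branch; faculty2's own role is then re-allowed on the same node.
    $acl->deny(null, 'Courses:Faculty2', 'read');
    $acl->allow('faculty2', 'Courses:Faculty2', 'read');

    return $acl;
}

// Zend_Acl::isAllowed() throws for a resource it has never seen, so an
// instance that was never registered is resolved by walking up the
// colon-separated path to the nearest registered group or generic node.
function canAccess(Zend_Acl $acl, $role, $resource, $privilege)
{
    while (!$acl->has($resource)) {
        $cut = strrpos($resource, ':');
        if ($cut === false) {
            return false; // not under any known tree: fail closed
        }
        $resource = substr($resource, 0, $cut);
    }
    return $acl->isAllowed($role, $resource, $privilege);
}

$acl = buildAcl();
var_dump(canAccess($acl, 'guest', 'Courses:Faculty1:Course7', 'read'));    // generic default applies
var_dump(canAccess($acl, 'guest', 'Courses:Faculty2:Course1', 'read'));    // blocked by the Faculty2 middleman
var_dump(canAccess($acl, 'faculty1', 'Courses:Faculty2:Course9', 'read')); // unregistered course, falls back to Courses:Faculty2
```

The same pattern applies to the Events branch: register Events:Course1 under Events and each event under its course node, so a single deny on Events:Course1 hides every event of that course.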