CakePHP ACL confusion, how do I apply ACLs to objects, not actions?
Can anyone suggest a scalable design pattern for implementing access control on Photos and Albums, each with individual privacy settings (i.e. owner, group member, public)?

I'm using CakePHP, and the examples I have read on the ACL component seem to control access to controller/actions, not objects themselves. It seems to get out of hand when I try to track

  • /C/R/U/D privileges
  • per controller-action
  • per privacy setting (i.e. owner, group member, public)
  • per Album, Photo, etc.

Especially when you might have 1000s of photos per Album, and Photos habtm Albums. Am I right or am I missing something completely?

Can someone add some pseudo code to help me understand how to tackle this problem, or point me in the right direction? I know it's been done before on sites like Flickr.

tia.

Repellent answered 8/2, 2010 at 7:5 Comment(2)
You're right in thinking the ACL component won't do what you want, at least not AFAIK, out of the box. I also think that doing record level Access Control is probably the biggest weakness (that, and performance) facing CakePHP, so I'm really curious to see what solutions people post here. In short, this isn't an easy question. - Calutron
Thanks Travis. Give my question a bump so it gets more visibility. My other approach is possibly to use a key-value DB like Redis for record level ACL, but I need to find a way to integrate that with MySQL. - Repellent
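One way to keep object-level access control from exploding into per-photo ACL rows is to store the privacy setting on the record itself and evaluate a small policy against it. The code below is an added example written for this question; it is not from the question, the answers, or CakePHP's ACL component. The `PhotoPolicy` class, the in-memory group-membership map, and the column names (`owner_id`, `group_id`, `privacy`) are assumptions. It shows the same rule in two shapes: a single-object check for a view/edit action, and the equivalent `conditions` array for a `find()` so that listing thousands of photos is filtered by the database rather than checked row by row.

```php
<?php
// Added example (hypothetical, not CakePHP's ACL): per-record privacy policy for
// Photos. Each row carries owner_id, group_id and privacy in ('owner','group','public').
// Group membership is a separate table; here it is a constructed in-memory map.

const PRIVACY_PUBLIC = 'public';
const PRIVACY_GROUP  = 'group';
const PRIVACY_OWNER  = 'owner';

final class PhotoPolicy
{
    /** @var array<int, int[]> constructed stand-in for a groups_users table: group_id => [user_id, ...] */
    private array $groupMembers;

    public function __construct(array $groupMembers)
    {
        $this->groupMembers = $groupMembers;
    }

    private function isMember(?int $userId, int $groupId): bool
    {
        return $userId !== null && in_array($userId, $this->groupMembers[$groupId] ?? [], true);
    }

    /** Read: the owner always; group members when privacy is 'group'; everyone when 'public'. */
    public function canRead(?int $userId, array $photo): bool
    {
        if ($userId !== null && $userId === $photo['owner_id']) {
            return true;
        }
        switch ($photo['privacy']) {
            case PRIVACY_PUBLIC:
                return true;
            case PRIVACY_GROUP:
                return $this->isMember($userId, (int) $photo['group_id']);
            default:
                return false; // 'owner' and any unrecognised value: deny by default
        }
    }

    /** Update/delete: owner only, regardless of the privacy setting. */
    public function canWrite(?int $userId, array $photo): bool
    {
        return $userId !== null && $userId === $photo['owner_id'];
    }

    /**
     * The same read rule as a CakePHP-style conditions array for
     * Model::find('all', ['conditions' => ...]). The database does the filtering,
     * so no per-row check and no ACL row per photo is needed.
     */
    public function readConditions(?int $userId): array
    {
        $or = [['Photo.privacy' => PRIVACY_PUBLIC]];
        if ($userId !== null) {
            $or[] = ['Photo.owner_id' => $userId];
            $groups = [];
            foreach ($this->groupMembers as $gid => $members) {
                if (in_array($userId, $members, true)) {
                    $groups[] = $gid;
                }
            }
            if ($groups !== []) {
                $or[] = ['Photo.privacy' => PRIVACY_GROUP, 'Photo.group_id' => $groups];
            }
        }
        return ['OR' => $or];
    }
}

// Constructed sample data: group 10 contains users 1 and 2; user 1 owns three photos.
$policy = new PhotoPolicy([10 => [1, 2]]);
$photos = [
    ['id' => 1, 'owner_id' => 1, 'group_id' => 10, 'privacy' => PRIVACY_OWNER],
    ['id' => 2, 'owner_id' => 1, 'group_id' => 10, 'privacy' => PRIVACY_GROUP],
    ['id' => 3, 'owner_id' => 1, 'group_id' => 10, 'privacy' => PRIVACY_PUBLIC],
];

// Anonymous sees only photo 3, user 2 sees 2 and 3, user 1 (owner) sees all, user 3 sees only 3.
foreach ([null, 1, 2, 3] as $user) {
    $visible = array_map(
        fn($p) => $p['id'],
        array_filter($photos, fn($p) => $policy->canRead($user, $p))
    );
    printf("user %s can read photos: %s\n", $user ?? 'anonymous', implode(',', $visible));
}

// The list-view equivalent for user 2, ready to hand to find():
print_r($policy->readConditions(2));
```

Albums get the same treatment with their own privacy column and an `AlbumPolicy`. For the Photos-HABTM-Albums case, keep the privacy decision on the photo row rather than deriving it from every album it belongs to; otherwise each photo check turns into a join across all of its albums. Unknown privacy values fall through to deny, which is the safe default when a new setting is added before the policy is updated.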

Actually CakePHP's ACL is capable of row-level access. Please refer to http://aidanlister.com/2009/05/implementing-row-level-access-control-in-cakephp/. But personally I don't like this approach. I may look into the Permissionable Behavior of jmcneese http://jmcneese.wordpress.com/2010/01/28/rmac-is-dead-long-live-rmac/ for my next project.

Hope the two links above help you, and I'm keen to see how the Cake community deals with row-access efficiency :)

Earthling answered 9/2, 2010 at 9:26 Comment(1)
So it does do row locking, but it looks rather hackish and really complex. I'd take one or the other I think, not so much both at once. I'll also look into the permissionable behavior, thanks for the links! - Calutron
