How to implement “User can delete his own posts” on the “Role-based access control” model? [closed]

Answer 1

This requires support in the RBAC layer for "business rules". When such is available, it provides you the touch of dynamic decision that is needed. Basically, the biz rule is a piece of code that is being run every time the permission is checked. This code is static but expect parameters to be handed to it. Here's an example (PHP shown):

// This code expect two given parameters: $params['owner_id'] and $params['user_id']
if ($params['owner_id'] == $params['user_id']) {
  return true;
}
return false;
// This code assumes that returning true means 'permission granted' and returning 
// false means permission not granted

You didn't state your underlying technology. That could help you get more accurate answers.

Answer 2

It's not entirely clear to me what problem you are trying to solve. You always have to "hard-code" something since you need to define who can access what. Something is not out of the control system either if you decide it should be in, it really depends on your implementation.

For what you are trying to do, I would generally define an "owner" role then define an access such as:

"owner" can "delete" "resource"

So there has to be some programmatic part where you find out whether the user is indeed the owner or not. Usually, this can be done by associating each resource with, for example, an "ownerId" property. If userId == ownerId, then the role of the current user is "owner".