Zend_ACL : How to design Role based ACL for multiple small teams?

余生长醉 提交于 2020-01-06 05:45:30

问题


How role based ACL should be designed for :

Multiple teams, each team consisting of one manager and multiple members and working from one location. Each location could have multiple teams and there are multiple locations.

Manager of each team could only view/edit data for his team members. A person could also be member of multiple teams, independent of location.

Location_1
-Team_1            -Team_2
 -Manager           -Manager
  -Member_1          -Member_1
  -Member_2          -Member_2

Location_2
-Team_1            -Team_2
 -Manager           -Manager
  -Member_1          -Member_1
  -Member_2          -Member_2

My thought: I'm thinking of separating it in two parts. Part 1: There should be one group for each team. Maintain table of group membership in database. Part 2: Now, each user can have any role. And ACL could be designed based on those roles. But data would be fetched based on Part 1. this way new teams could be added without change in code. Is this a right way to go?


回答1:


Kind of a fairly chatty answer here, loose discussion only, no code, at least for now.

Your own model/data structure has to consider members, locations, and teams. I think you have described the relationships pretty clearly, so that should be straightforward. Thinking relationally: a table for team members, including managers; a table for locations; a table for teams with a foreign key into locations and a foreign key into members identifying the manager; a cross-ref table linking members to teams. I assume your member model will have methods for isManagerOfTeam($team), isMemberOfTeam($team), stuff like that. Pretty straightforward.

But much of this is just modeling the relationships, arguably independent of access-control.

For access-control, it appears that location is irrelevant; it's team membership and team management that are the key.

It also sounds like the data you are trying to access-control (what will eventually be the 'resource') will be tagged with a member id, identifying the "owning" member. So, the model for that data might have a method getMember() or even just getMemberId().

So I see some Acl rules that use a Zend_Acl_Assert_Interface instance to make dynamic examinations on the relationships between the role ($member) and those resources:

  1. My_Acl_Assertion_BelongsToSelf
  2. My_Acl_Assertion_BelongToMemberUnderManagement

Then the assert() methods could call the relevant model methods on the passed role and resource to check the team and management relationships.

Like I said, kind of a loose answer, but hopes it helps with some ideas.



来源:https://stackoverflow.com/questions/5925970/zend-acl-how-to-design-role-based-acl-for-multiple-small-teams

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!