How to implement “User can delete his own posts” on the “Role-based access control” model? [closed]

StackOverflow https://stackoverflow.com/questions/13109990

  •  14-07-2021

I've read some articles about Role-based access control, but not clear enough to handle this case: how to implement "user can delete his own posts"?

For normal roles and permissions, when a user does something, I can just check the roles and permissions the user has, and determine if the user can do it.

But for "user can delete his own posts", I have to check if the posts belong to him or not. So I have to hard-code something, then it is out of the control of the control system.

Am I missing something, and how do I do it correctly?


Solution

It's not entirely clear to me what problem you are trying to solve. You always have to "hard-code" something since you need to define who can access what. Something is not out of the control system either if you decide it should be in, it really depends on your implementation.

For what you are trying to do, I would generally define an "owner" role then define an access such as:

"owner" can "delete" "resource"

So there has to be some programmatic part where you find out whether the user is indeed the owner or not. Usually, this can be done by associating each resource with, for example, an "ownerId" property. If userId == ownerId, then the role of the current user is "owner".

Other tips

This requires support in the RBAC layer for "business rules". When such is available, it provides you the touch of dynamic decision that is needed. Basically, the biz rule is a piece of code that is being run every time the permission is checked. This code is static but expects parameters to be handed to it. Here's an example (PHP shown):

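// This code expects two given parameters: $params['owner_id'] and $params['user_id']
// Both must be present: a loose == would treat two missing (null) values as equal
if (!isset($params['owner_id'], $params['user_id'])) {
  return false;
}
// Compare as strings with === so PHP type juggling cannot make different ids match
if ((string) $params['owner_id'] === (string) $params['user_id']) {
  return true;
}
return false;
// This code assumes that returning true means 'permission granted' and returning 
// false means permission not granted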

You didn't state your underlying technology. That could help you get more accurate answers.
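
The "owner" role from the first answer and the business rule from the second can be combined in one default-deny check. The following is an added example in Python, not code from either answer; the policy triples, role names, ids and the in-memory POSTS store are assumptions made for illustration.

```python
# Added example: names, ids and the in-memory store are constructed for illustration.

# Policy as (role, action, resource) triples; anything not listed is denied.
POLICY = {
    ("admin", "delete", "post"),
    ("owner", "delete", "post"),   # "owner" can "delete" "resource"
    ("member", "create", "post"),
}

# Constructed sample data standing in for the posts table.
POSTS = {101: {"owner_id": 7}, 102: {"owner_id": 8}}


def is_owner(params):
    """Business rule: true only when both ids are present and equal."""
    owner, user = params.get("owner_id"), params.get("user_id")
    return owner is not None and user is not None and str(owner) == str(user)


def effective_roles(static_roles, params):
    """Static roles plus the contextual "owner" role when the rule passes."""
    # "owner" is never accepted as a stored role; it is only derived per resource.
    roles = set(static_roles) - {"owner"}
    if is_owner(params):
        roles.add("owner")
    return roles


def check_access(user_id, static_roles, action, resource, owner_id=None):
    """Default deny: allow only if some effective role holds the permission."""
    params = {"user_id": user_id, "owner_id": owner_id}
    roles = effective_roles(static_roles, params)
    return any((role, action, resource) in POLICY for role in roles)


def delete_post(user_id, static_roles, post_id):
    """Delete a post only after the check; returns True if it was deleted."""
    post = POSTS.get(post_id)
    if post is None:
        return False
    # owner_id comes from the stored record, never from the request itself.
    if not check_access(user_id, static_roles, "delete", "post", post["owner_id"]):
        return False
    del POSTS[post_id]
    return True
```

The ownership test stays inside the access-control layer as a rule, and the caller only supplies the resource id, so a client cannot claim ownership by sending its own owner_id.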

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow