Question

I'm using Lithium with phpActiveRecord using li3_activerecord. It's been a few years since I got back into ORMs and associations and I'm a little confused with my current ACL setup.

Here are my tables and their associations, simplified for brevity:

USERS - $belongs_to role
-----
id
role_id
email


ROLES - $has_many permissions, resources through permissions, users
-----
id
title (eg: Admin, Member, Guest)


RESOURCES - $has_many roles, permissions
---------
id
controller (eg: Members, Products, Categories)
action (eg: Index, Delete, Edit)
procedure (eg: Email, Publish, PrivateMessage)


PERMISSIONS - $belongs_to role, resource
-----------
id
role_id
resource_id
allowed

I'm getting some unexpected results, so I first want to make sure the associations are correct. Basically, a user can only have one role. A resource is defined by the combination of a controller, action and any specific procedure that can be performed within the action. Permission is given to a user for a resource through the permissions table.

Do you see anything wrong with how I've written my ORM associations?


Solution

Basically, your model is correct. It is a very simple RBAC architecture that may fit your needs. Actually, you may want to look at this plugin here: https://github.com/tmaiaroto/li3_access. It provides an RBAC-Adapter out of the box and some other nice add-ons.

If you provide us with more details and/or code on your current problems, we may help you out better.
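
The schema from the question with a deny-by-default permission lookup, as an added example that is not code from the question, the answer or li3_access. It uses Python's built-in sqlite3 instead of phpActiveRecord so it runs stand-alone; the constraints, the empty-string default for procedure, the helper names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Tables follow the question's layout. The UNIQUE/CHECK constraints and the
# empty-string default for "procedure" are assumptions added for this example.
SCHEMA = """
CREATE TABLE roles (id INTEGER PRIMARY KEY, title TEXT NOT NULL UNIQUE);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
    role_id INTEGER NOT NULL REFERENCES roles(id));  -- exactly one role per user
CREATE TABLE resources (id INTEGER PRIMARY KEY, controller TEXT NOT NULL,
    "action" TEXT NOT NULL, procedure TEXT NOT NULL DEFAULT '',
    UNIQUE (controller, "action", procedure));
CREATE TABLE permissions (id INTEGER PRIMARY KEY,
    role_id INTEGER NOT NULL REFERENCES roles(id),
    resource_id INTEGER NOT NULL REFERENCES resources(id),
    allowed INTEGER NOT NULL DEFAULT 0 CHECK (allowed IN (0, 1)),
    UNIQUE (role_id, resource_id));  -- one decision per role/resource pair
"""

def is_allowed(conn, user_id, controller, action, procedure=""):
    """Deny by default: True only when an explicit allowed=1 row exists."""
    row = conn.execute(
        """SELECT p.allowed FROM users u
           JOIN permissions p ON p.role_id = u.role_id
           JOIN resources r ON r.id = p.resource_id
           WHERE u.id = ? AND r.controller = ? AND r."action" = ?
             AND r.procedure = ?""",
        (user_id, controller, action, procedure)).fetchone()
    return row is not None and row[0] == 1

def build_demo():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK checks off by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO roles (id, title) VALUES (?, ?)",
                     [(1, "Admin"), (2, "Member")])
    conn.executemany("INSERT INTO users (id, role_id, email) VALUES (?, ?, ?)",
                     [(1, 1, "admin@example.test"), (2, 2, "member@example.test")])
    conn.executemany(
        'INSERT INTO resources (id, controller, "action", procedure) VALUES (?, ?, ?, ?)',
        [(1, "Products", "Delete", ""), (2, "Members", "Index", "Email")])
    conn.executemany(
        "INSERT INTO permissions (role_id, resource_id, allowed) VALUES (?, ?, ?)",
        [(1, 1, 1), (2, 1, 0), (2, 2, 1)])  # Member is explicitly denied Products/Delete
    return conn
```

A role with no permissions row for a resource is refused the same way as one with allowed = 0, and the UNIQUE (role_id, resource_id) constraint keeps two conflicting rows from making the answer depend on row order.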

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow