Question

ellou'

I want, or rather need, to control restrictions for some actions and controllers via database settings. What is the best way to do such a job?

What is my goal: I need to create a solution where there will be a lot of user groups (stored in the DB) and they will be fully dynamic (created and removed from the admin panel). Permissions should be inherited by subgroups, so if a user has the role EditorsChief he can also perform actions allowed to every Editor. I cannot just annotate the action/controller with @Restrict({"EditorsChief", "Editor"}) because they don't exist (they are supposed to be created on the fly with the admin panel).

My first thoughts are to use @Dynamic controller and group the restrictions with separate handlers, which of course requires hardcoding some of them. It's not that bad - with some attention it's possible to set up quite a good schema (i.e. by naming handlers with a convention: handlerControllerAction, handlerControllerOtherAction...).

What are your thoughts? Am I going in a good direction?


Solution

The best way to do this IMO is to use the Dynamic annotation, and give each one a distinct name that describes the function of the method. Since you have a finite number of annotated methods in your code, you can then store these names in a database (possibly caching them, as suggested above, for performance).

In the admin panel, you can then associate these names with groups, roles, or whatever, and perform the control based on that. This would be, off the top of my head, a one-to-many relationship in the DB.

Let me know if I need to explain this more completely.

Steve (author of Deadbolt)
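
The lookup described in the answer, combined with the group inheritance the question asks for, as an added example that is not part of the original post and is not Deadbolt's own code. In-memory maps stand in for the DB tables, and the class, method, and dynamic names are assumptions; the isAllowed check would be called from whatever handler backs the Dynamic annotation.

```java
import java.util.*;

public class DynamicNameAuthorizer {
    // Hypothetical stand-ins for two DB tables edited from the admin panel.
    private final Map<String, String> parentOf = new HashMap<>();          // group -> group it inherits from
    private final Map<String, Set<String>> groupsByName = new HashMap<>(); // dynamic name -> groups allowed

    public void setParent(String group, String parent) {
        parentOf.put(group, parent);
    }

    public void allow(String dynamicName, String group) {
        groupsByName.computeIfAbsent(dynamicName, k -> new HashSet<>()).add(group);
    }

    /** The user's groups plus every group they inherit from. */
    Set<String> effectiveGroups(Collection<String> userGroups) {
        Set<String> seen = new HashSet<>();
        for (String g : userGroups) {
            // seen.add() returns false on a repeat, which also stops a parent
            // cycle created by mistake in the admin panel from looping forever.
            for (String cur = g; cur != null && seen.add(cur); cur = parentOf.get(cur)) { }
        }
        return seen;
    }

    /** Deny by default: a name with no rows in the DB is allowed for nobody. */
    public boolean isAllowed(String dynamicName, Collection<String> userGroups) {
        Set<String> allowed = groupsByName.getOrDefault(dynamicName, Collections.emptySet());
        return !Collections.disjoint(allowed, effectiveGroups(userGroups));
    }

    public static void main(String[] args) {
        DynamicNameAuthorizer auth = new DynamicNameAuthorizer();
        auth.setParent("EditorsChief", "Editor");        // EditorsChief inherits from Editor
        auth.allow("articles.edit", "Editor");           // constructed dynamic names
        auth.allow("articles.publish", "EditorsChief");

        // Inherited permission, permission held only by the subgroup, unknown name.
        System.out.println(auth.isAllowed("articles.edit", Arrays.asList("EditorsChief")));
        System.out.println(auth.isAllowed("articles.publish", Arrays.asList("Editor")));
        System.out.println(auth.isAllowed("articles.delete", Arrays.asList("EditorsChief")));
    }
}
```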

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow