Question

The current ACL of Phalcon manages access between roles, resources and their actions. For example, if we want to allow a specific role into a specific resource:

$acl->isAllowed("Guests", "Customers", "search");

This checks whether the role called "Guests" can access the "Customers" controller for the action "search". In my scenario, we also have a "Role Level"; for example, an Admin can access all modules and controllers, but, to modify the contents, an Admin should have a minimum Role Level of 2. To gain access to modifying the website configuration, an Admin should have Role Level 3.

In addition to the role level, we also want to assign which models a role can have access to. For example, Mr. A and Mr. B are both Admins and have the same level. But we decided to allow only Mr. A to access the "Accounts" model, while Mr. B can have access to "Accounts", "Personnel", etc.

Here are my questions:

  1. Does Phalcon ACL support roles and levels? Or should I just create the custom validation?

  2. What is the benefit of using ACL compared to creating similar validation functions?

  3. If I have to create custom validation, where should I put it? In the controller, or in the dispatcher?

Thx


Solution

At the moment Phalcon does not support Role based ACLs. You will have to do something yourself to cover this. The feature has however been asked for and it is in the long list of NFRs for the project :)

The way I would go about it is to use a combination of Phalcon functionality and custom programming. I would add everything to a base controller in the beforeExecuteRoute function, so that whenever something is to be dispatched the ACL is checked.

In a similar project to yours, I created two tables in my database:

Groups
------
group_id     <- 2
group_name   <- Admins

and an ACL table that maps all actions to a group, like so:

ACL
---
group_id        <- 2
acl_controller  <- Customers
acl_action      <- Search

You can easily extend this to have a collection of controller/action pairs to map to a Role. From there you can just create a simple function that would load the role based resources.

It is a bit of a workaround but it works.
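Putting the answer's approach into code, as an added example that is not from the question or the answer: a base controller whose beforeExecuteRoute loads the ACL table rows for the current user's group into a Phalcon\Acl\Adapter\Memory, denies everything not mapped, and then applies the "role level" check from the question. It assumes the Phalcon 3 ACL and Dispatcher API and a session entry 'user' with 'group_id', 'group_name' and 'role_level' keys; the role_level column, the $minLevel map and the 'errors'/'forbidden' target are constructed for the example.

```php
<?php
use Phalcon\Acl;
use Phalcon\Acl\Adapter\Memory as AclMemory;
use Phalcon\Acl\Resource;
use Phalcon\Acl\Role;
use Phalcon\Db;
use Phalcon\Mvc\Controller;
use Phalcon\Mvc\Dispatcher;

class ControllerBase extends Controller
{
    // Minimum role level per controller/action, checked after the ACL table
    // lookup. Unlisted actions only need level 1. (Constructed sample values.)
    private $minLevel = [
        'customers' => ['edit' => 2, 'delete' => 2],
        'settings'  => ['index' => 3, 'save' => 3],
    ];

    // Build an in-memory ACL from the ACL table rows of one group. The default
    // action is DENY, so only explicitly mapped controller/action pairs pass.
    private function buildAcl($groupId, $groupName)
    {
        $acl = new AclMemory();
        $acl->setDefaultAction(Acl::DENY);
        $acl->addRole(new Role($groupName));
        $rows = $this->db->fetchAll(
            'SELECT acl_controller, acl_action FROM acl WHERE group_id = :gid',
            Db::FETCH_ASSOC, ['gid' => (int) $groupId]);
        foreach ($rows as $row) {
            // The dispatcher reports names in lower case; normalise both sides
            // so "Customers"/"Search" in the table match "customers"/"search".
            $controller = strtolower($row['acl_controller']);
            $action = strtolower($row['acl_action']);
            $acl->addResource(new Resource($controller), $action);
            $acl->allow($groupName, $controller, $action);
        }
        return $acl;
    }

    public function beforeExecuteRoute(Dispatcher $dispatcher)
    {
        $user = $this->session->get('user'); // assumed session layout, see lead-in
        $controller = $dispatcher->getControllerName();
        $action = $dispatcher->getActionName();
        $needed = isset($this->minLevel[$controller][$action]) ? $this->minLevel[$controller][$action] : 1;
        if ($user === null
            || !$this->buildAcl($user['group_id'], $user['group_name'])->isAllowed($user['group_name'], $controller, $action)
            || (int) $user['role_level'] < $needed) {
            $dispatcher->forward(['controller' => 'errors', 'action' => 'forbidden']);
            return false; // abort the current dispatch
        }
        return true;
    }
}
```

Because the default action is DENY and the check runs before every action, a new controller or action is unreachable until a row for it is added to the ACL table, which is the safer failure mode.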

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow