Question

I'm trying to implement an ACL and I would like your opinion about which could be the best (most performant) way to do it:

Is it better to deny access to everybody and grant permissions according to each user, or is it better to grant access to everybody by default and remove permissions?

Trying to be more specific, imagine I have 3 Users: SuperAdmin, ClientAdmin, BasicMember.

The ClientAdmin has almost the same permissions as the SuperAdmin, such as seeing every user registered in the system, but he can't make any changes, just 'read'.

At this moment, I created a function where I list all the permissions of the user and, in each resource, I check the currentUserRole and the authorisation, doing something like:

    $acl = $this->generateAcl($roleId, AclResourceBean::ENTER_DATA, 'read');

So, I'd like your opinion to know if it's better to check: if he has permission, showAction! Or if he has no permission, hideAction. (E.g., for the ClientAdmin, who has just read rights over the other users, should I hide the "edit" button, or is it better to always hide and, if he has no rights, show!)


Solution

I think it mostly depends on your application. But I typically tend to go for deny all and grant access. That way you're less likely to forget an access permission and have people where they shouldn't be.
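The deny-all-then-grant approach from the answer, written out as an added example (this is not code from the question or the answer, and the `Acl` class, the role names and the `users`/`profile` resources are made up for illustration; the page's own `generateAcl` is not used). The point it shows is that with default deny, a forgotten grant, an unknown role or a typo in an action name all fall to "denied", so nothing leaks; the same check also drives both the UI (whether to render the "edit" button) and the handler that performs the action, because hiding a button on its own is not enforcement.

```php
<?php
// Added example: a default-deny ACL. Roles, resources and actions are constructed for illustration.
declare(strict_types=1);

final class Acl
{
    /** @var array<string, array<string, array<string, true>>> role => resource => action => true */
    private array $grants = [];

    public function allow(string $role, string $resource, string ...$actions): void
    {
        foreach ($actions as $action) {
            $this->grants[$role][$resource][$action] = true;
        }
    }

    // Default deny: anything not explicitly granted is refused. An unknown role,
    // an unknown resource or a misspelled action all end up on the "false" branch.
    public function isAllowed(string $role, string $resource, string $action): bool
    {
        return $this->grants[$role][$resource][$action] ?? false;
    }
}

$acl = new Acl();
$acl->allow('SuperAdmin', 'users', 'read', 'edit', 'delete');
$acl->allow('ClientAdmin', 'users', 'read');          // read-only over other users
$acl->allow('BasicMember', 'profile', 'read', 'edit'); // no 'users' grant at all

// UI side: render only the actions the role is allowed to perform.
function renderUserActions(Acl $acl, string $role): array
{
    $buttons = [];
    foreach (['read', 'edit', 'delete'] as $action) {
        if ($acl->isAllowed($role, 'users', $action)) {
            $buttons[] = $action;
        }
    }
    return $buttons;
}

// Handler side: the same check guards the action itself, so a hidden button
// cannot be bypassed by sending the request directly.
function editUser(Acl $acl, string $role, int $userId): string
{
    if (!$acl->isAllowed($role, 'users', 'edit')) {
        throw new RuntimeException("Role '$role' may not edit users");
    }
    return "user $userId updated";
}

print_r(renderUserActions($acl, 'SuperAdmin'));  // read, edit, delete
print_r(renderUserActions($acl, 'ClientAdmin')); // read
print_r(renderUserActions($acl, 'BasicMember')); // empty array: no grant on 'users'
print_r(renderUserActions($acl, 'Intern'));      // empty array: unknown role is denied, not forgotten

echo editUser($acl, 'SuperAdmin', 42), PHP_EOL;
try {
    editUser($acl, 'ClientAdmin', 42);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Under the opposite design (allow everything, then remove), the `Intern` case is the one that hurts: a role nobody thought about inherits every action until someone remembers to revoke it, which is exactly the "people where they shouldn't be" risk the answer describes.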

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow