How should I structure my tree of resources in an ACL?

Problem description

Using PHP and Zend_ACL, I want to create an extremely flexible permissions system. I want to be able to assign permissions to all objects of a certain type, as well as to instances of those objects. If a specific instance of an object is queried and it doesn't exist in the resource tree then the permission set for the 'generic' object can be used. My problem is that this needs to nest and I can't figure out a way to do it without multiple inheritance, which Zend_ACL doesn't support.

An example would be this. An online learning site with faculties, courses, and events. Each event belongs to a course, and each course to a faculty. I would like to be able to permit each faculty role to access all the courses (and events by inheritance), but a particular faculty wants their material private. So I make the structure of my resource tree have a resource node for each faculty and have each course belonging to that faculty branch from the faculty node instead of branching from the generic course node which gives each course its default permissions. With the new structure how can I apply my generic course permissions? The same goes for events below courses, if I want each event to only be readable if the parent course is readable, but I also want to apply a default set of permissions to each event, how can I organize the tree such that each event inherits from its parent and its generic node without multiple inheritance?

Any questions or comments or suggestions for a different system are very welcome.

Recommended answer

Your multiple inheritance problem is all in your head - unless of course can be in multiple faculties - etc. Build an additional "parent Resource" that can change ACL from the base "course".

You don't want the course to inherit the faculty permissions directly; you'll probably want someone to be able to edit the courses for that faculty (a TA or something) - but not the faculty itself right?

faculties, courses, and events. Each event belongs to a course, and each course to a faculty

Parent -> middleman -> child
Courses -> Courses:Faculty2 -> Courses:Faculty2:Course1 
Events -> Events:Course1 -> Events:Course1:Event3

This will give you groups of Courses by faculty, but still inherit default course permissions. As you add each resource - just make it parent to its group resource, which parents to the overall resource.

If you want all events for a particular course to be hidden - you just set a permission on Event:Course#

If you want to be able to set a permission on all events of a faculty, you can just add another "middleman" parent above Event:Course1 that groups Events by Faculty as well: Events:Faculty2:Course1:Event3

I've found for a permissions system 9 times out of 10 you don't need (or want the confusion of) multiple inheritance. If your access control is more complicated than a simple tree, you should re-evaluate your access control.
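
The parent -> middleman -> child layout from the answer, together with the fallback for unregistered instances that the question asks about, as an added example that is not part of the original answer. It assumes Zend Framework 1 is on the include path; the role name `teacher`, the ids `Faculty1`, `Course9` and `Rooms:Room1`, and the helper `isAllowedWithFallback` are hypothetical.

```php
<?php
// Added example, not from the original answer. Assumes Zend Framework 1 on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('teacher')); // constructed role name

// Parent -> middleman -> child: every resource has exactly one parent.
$tree = array(
    'Courses'                  => null,
    'Courses:Faculty1'         => 'Courses',
    'Courses:Faculty2'         => 'Courses',
    'Courses:Faculty2:Course1' => 'Courses:Faculty2',
    'Events'                   => null,
    'Events:Course1'           => 'Events',
    'Events:Course1:Event3'    => 'Events:Course1',
);
foreach ($tree as $id => $parent) {
    $acl->addResource(new Zend_Acl_Resource($id), $parent);
}

// Generic defaults live on the root of each tree and are inherited downwards.
$acl->allow('teacher', 'Courses', 'read');
$acl->allow('teacher', 'Events', 'read');
// Faculty2 keeps its material private: one rule on the middleman covers all its courses.
$acl->deny('teacher', 'Courses:Faculty2', 'read');
// Hide every event of Course1 with one rule on the Events middleman.
$acl->deny('teacher', 'Events:Course1', 'read');

// Hypothetical helper: isAllowed() throws for an unregistered resource, so strip
// trailing ':' segments until a registered ancestor is found and ask that node.
function isAllowedWithFallback(Zend_Acl $acl, $role, $resourceId, $privilege)
{
    $parts = explode(':', $resourceId);
    while ($parts) {
        $candidate = implode(':', $parts);
        if ($acl->has($candidate)) {
            return $acl->isAllowed($role, $candidate, $privilege);
        }
        array_pop($parts);
    }
    return false; // no ancestor in the tree at all: fail closed
}

// Courses:Faculty1:Course9 and Rooms:Room1 are deliberately not registered above.
foreach (array('Courses:Faculty1:Course9', 'Courses:Faculty2:Course1', 'Events:Course1:Event3', 'Rooms:Room1') as $id) {
    echo $id, ' => ', var_export(isAllowedWithFallback($acl, 'teacher', $id, 'read'), true), PHP_EOL;
}
```

Because the Courses and Events trees are separate, a deny on `Courses:Faculty2` does not reach that faculty's events; the extra faculty middleman the answer mentions (`Events:Faculty2:Course1:Event3`) is what gives a single place to set that rule.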
