使用Symfony2管理用户/组对象权限的最佳方法 [英] Best way to manage user/group object permissions with Symfony2
问题描述
我想听听有关优化架构以实现以下目标的最佳方法的一些想法。
I'd like to hear some thoughts on the best way to optimize our schema to achieve the following.
我们有许多对象/数据库条目(事件,场所等),其中一些具有子对象(意味着具有相同的权限-图像,元数据等)
We have a number of objects/db entries (events, venues, etc) some of which have children objects (meaning the same permissions apply - images, metas, etc)
用户可以属于组,因此活动,场所等父对象只能由一个用户对所有组进行编辑/查看。
Users can belong to groups so parent objects such as events, venues can be editable/viewable by all, group only, just one user.
当前,我们有一个用户,用户组和组表来管理用户和组。
Currently we have a user, usergroup and group table to manage users and groups.
每个父对象(例如场所)作为user_id的列和group_id。
Each parent object such as venues as a column for user_id and group_id.
工作正常(在symfony 1.4中),但杂乱无章-每个查询都必须进行复杂的联接才能获得可能的组等。找到更简单的方法。
Works fine (in symfony 1.4) but it's messy - every query for anything has to do complex joins to get possible groups etc... We'd like to find a simpler way.
我对Sf2 ACL组件感到非常兴奋,但是我被一遍又一遍地告诉我,我不应该使用它来查找用户的对象可以管理-而是我应该使用ACL来查明是否允许用户管理自己的对象(似乎不是很有用,但不管用什么)。
I was really excited about the Sf2 ACL component but I am being told over and over that I should not use it to find objects that a user can manage - rather that I should use ACL to find out if a user is allowed to manage his own objects (doesn't seem very useful but whatever).
我发现这样做的所有其他在线尝试都是说要从db中拉出所有对象,然后按ACL过滤-这对于妈妈和流行网站很可爱-不会发生一百万个对象。
All alternative attempts online that I found to do this say to pull all objects from db then filter by ACL - it's cute for a mom and pop site - not gonna happen with a million objects.
所以...我很想听听关于如何做到这一点的想法-我们也愿意为一些具有可扩展性的东西留给symfony ACL解决方案,但到目前为止我们还没有找到任何东西(php或ruby),尽管我们很乐意继续使用Sf,但仍对此开放。请注意,我们打算在需要的情况下使用MongoDB。
So... I would love to hear ideas as to how we could do this - we are also open to leaving symfony for something that has a scaleable ACL solution but have not found anything so far (php or ruby) so open to that as well though we would love to continue using Sf. Note that we intend to use MongoDB in case that matters.
推荐答案
据我了解,ACL用于授予访问权限针对特定场景的特定对象。您所描述的内容更加通用,但这仅与Symfony2概述的安全性有所不同(此人具有管理员角色,但仅针对特定组中包含的对象)。
From how I understand it, the ACL is used to give access to a specific object to a specific person for special scenarios. What you are describing is more generic, but it just deviates from what Symfony2 outlines for security (this person has an "admin" role, but only for the objects contained in a particular group).
ACL不应用于存储一堆东西,因为如果它太大,检查它会变得很昂贵。因此,默认情况下,在添加新用户时,甚至在组下添加新对象时,默认情况下都会在此处扔一堆东西(如果使用ACL,则每当您创建一个组时,就必须向该组中的每个人添加一个条目新对象),一段时间后将对性能造成负担...
ACLs should not be used to store a bunch of stuff, as checking it can get expensive if it gets too large. So, throwing a bunch of stuff in here by default when new users are added, or even when new objects are added under a group (if using the ACL, you would have to add an entry to each person in the group whenever you create a new object), is going to be taxing on performance after a while...
我目前正在研究将Symfony2用于网络应用程序的可能性,但我遇到了我们也有类似的需求,所以墙上也装有这种安全材料。我不是Symfony2的专家,但是从我的调查来看,您可能有几个选择:
I am currently researching the possibility of using Symfony2 for a web app, but I am hitting a wall with this security stuff too, as we have a similar need. I'm no expert on Symfony2, but from what I have looked in to, you might have a few options:
-
创建选民可以处理这个问题。投票者允许您检查授权令牌并根据您的处理方式返回是否授予访问权限。因此,您可以创建一个自定义的Voter来检查用户的组,并尝试使其与对象所在的组匹配。如果是这样,则返回ACCESS_GRANTED,否则返回ACCESS_DENIED,或者如果选民对当前检查无效,则返回ACCESS_ABSTAIN。编辑:这是选民Symfony2食谱的链接: http:// symfony。 com / doc / current / cookbook / security / voters.html
可能还想研究SecurityContext接口。这提供了 isGranted()方法,用于确定对对象的访问。如果选民还不够简单,那么您可能必须创建新的SecurityContext类。我认为这会涉及更多。
Might also want to research the SecurityContext interface. This provides the "isGranted()" method that deals with determining access to objects. If Voters are not simply enough, you might have to go the route of creating a new SecurityContext class; I think that this would be a bit more involved though.
就像我说的,我不是专业人士,没有解决方案;这些只是我正在研究以尝试解决(我感觉是)类似问题的一些方向。希望这会有所帮助。
Like I said, I am no pro, and don't have a solution; these are just some directions I am researching to try to solve (what I feel is) a similar problem. Hope this helps somewhat.
这篇关于使用Symfony2管理用户/组对象权限的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
