How to implement "User can delete his own posts" in the "Role-based access control" model?


Question

I've read some articles about Role-based access control, but they are not clear enough to handle this case: how to implement "user can delete his own posts"?

For normal roles and permissions, when a user does something, I can just check the roles and permissions the user has and determine whether the user can do it.

But for "user can delete his own posts", I have to check whether the posts belong to him or not. So I have to hard-code something, and then it is out of the control of the control system.

Am I missing something, and how do I do it correctly?

Answer

It's not entirely clear to me what problem you are trying to solve. You always have to "hard-code" something, since you need to define who can access what. Something is not out of the control system either if you decide it should be in; it really depends on your implementation.

For what you are trying to do, I would generally define an "owner" role and then define access such as:

"owner" can "delete" "resource"

So there has to be some programmatic part where you find out whether the user is indeed the owner or not. Usually, this can be done by associating each resource with, for example, an "ownerId" property. If userId == ownerId, then the role of the current user is "owner".
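The following is an added example of the approach the answer describes, not code from the question or the answer. It keeps a static role-to-permission table and computes an extra, context-dependent "owner" role at check time by comparing the caller's id with the `owner_id` stored on the resource. The `User`/`Post` data model, the `POLICY` table, and the sample posts are all assumptions made for illustration.

```python
"""RBAC with a dynamically assigned "owner" role (added example, assumptions noted)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()  # static roles from the user store (assumed model)


@dataclass(frozen=True)
class Post:
    id: int
    owner_id: int  # the "ownerId" property the answer refers to
    body: str = ""


# Static policy: role -> set of (action, resource_type) permissions.
# "owner" is an ordinary role in the table; only its assignment is dynamic.
POLICY = {
    "admin": {("read", "post"), ("edit", "post"), ("delete", "post")},
    "member": {("read", "post")},
    "owner": {("edit", "post"), ("delete", "post")},
}


def effective_roles(user, resource):
    """Static roles plus "owner" when the caller's id matches the stored owner_id."""
    roles = set(user.roles)
    if getattr(resource, "owner_id", None) == user.id:
        roles.add("owner")
    return roles


def is_allowed(user, action, resource, resource_type="post"):
    """Generic RBAC check: any effective role granting (action, resource_type) suffices."""
    return any(
        (action, resource_type) in POLICY.get(role, ())
        for role in effective_roles(user, resource)
    )


def sample_posts():
    """Constructed sample data standing in for a database table."""
    return {
        1: Post(1, owner_id=10, body="alice's post"),
        2: Post(2, owner_id=20, body="bob's post"),
    }


def delete_post(store, user, post_id):
    """Handler for "delete post": loads the record, then authorizes against the
    owner_id that is stored server-side, never one supplied by the client."""
    post = store.get(post_id)
    if post is None:
        return "not_found"
    if not is_allowed(user, "delete", post):
        return "forbidden"
    del store[post_id]
    return "deleted"


if __name__ == "__main__":
    alice = User(10, frozenset({"member"}))
    bob = User(20, frozenset({"member"}))
    admin = User(99, frozenset({"admin"}))
    posts = sample_posts()
    print(delete_post(posts, alice, 2))  # bob's post: forbidden
    print(delete_post(posts, alice, 1))  # her own post: deleted
    print(delete_post(posts, admin, 2))  # admin role: deleted
    print(delete_post(posts, bob, 999))  # no such post: not_found
```

The point of the structure is that the only "hard-coded" part is the one-line ownership test in `effective_roles`; which actions an owner may perform still lives in the policy table with every other role, so it stays under the access control system's control. Make sure the `owner_id` used in that test is read from the stored record, as `delete_post` does, and not from the request, or the check can be bypassed by a client that claims ownership of someone else's post.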

