How to implement "User can delete his own posts" on the "Role-based access control" model?


Question

I've read some articles about role-based access control, but they are not clear enough to handle this case: how do I implement "user can delete his own posts"?

For normal roles and permissions, when a user does something, I can just check the roles and permissions the user has and determine whether the user can do it.

But for "user can delete his own posts", I have to check whether the posts belong to him or not. So I have to hard-code something, and then it is out of the control of the access control system.

Am I missing something, and how do I do it correctly?

Answer

It's not entirely clear to me what problem you are trying to solve. You always have to "hard-code" something, since you need to define who can access what. Something is not out of the control system either if you decide it should be in; it really depends on your implementation.

For what you are trying to do, I would generally define an "owner" role, then define an access rule such as:

"owner" can "delete" "resource"

So there has to be some programmatic part where you find out whether the user is indeed the owner or not. Usually, this can be done by associating each resource with, for example, an "ownerId" property. If userId == ownerId, then the role of the current user is "owner".
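One way to put the answer's owner-role idea into code, as an added example (not the answerer's own): static roles come from the user, the "owner" role is derived per request from the resource's ownerId, and every check goes through one role-to-permission table so nothing is "out of the control system". The role names, permission tuples and sample data are assumptions for the example.

```python
from dataclasses import dataclass, field

# Static role -> permission table. A permission is (action, resource type).
# "owner" is never assigned to a user statically; it is derived per request
# from the resource's ownerId, which is the programmatic part the answer describes.
ROLE_PERMISSIONS = {
    "admin": {("delete", "post"), ("edit", "post"), ("read", "post")},
    "moderator": {("delete", "post"), ("read", "post")},
    "member": {("read", "post")},
    "owner": {("delete", "post"), ("edit", "post"), ("read", "post")},
}

@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)  # statically assigned roles

@dataclass(frozen=True)
class Post:
    post_id: int
    owner_id: int          # the "ownerId" property from the answer
    kind: str = "post"     # resource type used in the permission table

def effective_roles(user: User, resource: Post) -> frozenset:
    """Static roles plus the dynamic 'owner' role when userId == ownerId."""
    roles = set(user.roles)
    if user.user_id == resource.owner_id:
        roles.add("owner")
    return frozenset(roles)

def is_allowed(user: User, action: str, resource: Post) -> bool:
    """Single authorization choke point: every decision comes from the role table."""
    return any((action, resource.kind) in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(user, resource))

def delete_post(user: User, post: Post, store: dict) -> bool:
    """Deletes the post only if the table allows it; returns whether it happened."""
    if not is_allowed(user, "delete", post):
        return False
    store.pop(post.post_id, None)
    return True

if __name__ == "__main__":
    # Constructed sample data: alice owns post 10, bob is another plain member.
    posts = {10: Post(10, owner_id=1)}
    alice, bob = User(1, frozenset({"member"})), User(2, frozenset({"member"}))
    print(delete_post(bob, posts[10], posts))    # False: bob is only a member
    print(delete_post(alice, posts[10], posts))  # True: alice's userId == ownerId
```

Because the ownership check only adds a role and never grants a permission directly, an audit of "who can delete posts" still reads off the single table.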
