Symfony / sfDoctrineGuard条件许可 [英] Symfony/sfDoctrineGuard Conditional Permissions

问题描述

我正在考虑实施条件许可的最佳方法，即用户和团队是m到m。但是，每个团队还与用户表格有一个1到m的领导者关系。

I'm contemplating the best way to implement the conditional permissions i.e. Users and Teams are m-to-m. But each Team also has a 1-to-m "Leader" relationship with the User table as well.

为简单起见，假设我们有两个权限级别，用户和管理员。然后让我们说，只有某些团队管理任务即群组电子邮件只能由该小组的领导发送。

For simplicity sake, let's say we have two permission levels, "User" and "Admin". Then lets say, only certain Team administration task i.e. group emails, can only be sent by that team's leader.

目前，针对团队领导者查询的每个操作数据库检查当前用户是团队领导（记住用户可能会导致许多团队）。我个人不喜欢在这个地方看到if（$ user-> isLeader（$ team））。

At the moment, every action that is specific to team leaders queries the database to check it the current user is the team leader (keeping in mind a user may lead many Teams). I personally don't like seeing "if($user->isLeader($team))" all over the place.

我考虑设置一个团队名单用户在用户会话中登录（ala phpBB）或使用symfony过滤器执行相同操作。

I have considered setting a list of teams lead by a user in the user session on login (ala phpBB) or using a symfony filter to do the same.

但是，在第一种方法中，数据可能会变得过时在另一个用户可能会更改团队领导的情况下。第二种方法需要在每个页面加载一个额外的数据库查询。

However, in the first approach, the data can become stale in the case where another user may change a team's leader. The second approach requires an extra database query on every page load.

任何更好的想法？
注意：一个项目中有多个应用程序需要共享相同的权限模型（即后端和api）

Any better ideas? note: there are multiple app in the one project that need to share the same permission model (i.e. backend and api)

推荐答案

我看到2个选项：

覆盖 sfDoctrineGuardUser :: getGuardUser（）

Override sfDoctrineGuardUser::getGuardUser()

覆盖 sfDoctrineGuardUser 的getGuardUser方法，以获取用户的队伍。这需要一个额外的左连接，但会节省您以后的查询。

Override the getGuardUser method of sfDoctrineGuardUser to fetch the Teams when it get's the user. This requires an additional left join, but it saves you later queries.

/**
* Overridden getGuardUser to automatically fetch Teams with User
* @see plugins/sfDoctrineGuardPlugin/lib/user/sfGuardSecurityUser#getGuardUser()
*/
public function getGuardUser()
{
  if (!$this->user && $id = $this->getAttribute('user_id', null, 'sfGuardSecurityUser'))
  {
    $this->user = sfGuardUserTable::findUserByIdWithTeams($id); //write this query to fetch a user with his teams

    if (!$this->user)
    {
      // the user does not exist anymore in the database
      $this->signOut();

      throw new sfException('The user does not exist anymore in the database.');
    }
  }

  return $this->user;
}

然后，您可以通过过滤器或根据他们的团队添加用户的凭据覆盖 hasCredential 。

You can then add the user's credentials based on his teams via a filter or by overriding hasCredential.

缓存团队状态无效

如果您不想要任何其他查询，我看到的唯一附加选项是使用全局缓存。这将涉及以下内容：

If you don't want any additional queries, the only additional option I see is to use a global cache. This would involve the following:

• 在登录时缓存用户基于团队或团队的凭据


• 当一个团队领导被删除或添加时，请执行类似 apc_add（team_invalid_ [team_id]，true，[length_of_session]）


• 添加用户的凭据（通过第一个选项中描述的方法之一），检查缓存以查看它们是否无效。

这篇关于Symfony / sfDoctrineGuard条件许可的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！