[eluser]PhilTem[/eluser]
I personally set up my RBACL the way that all permissions for a certain group are checked in the __construct() of the corresponding base-controller or the controller itself. Thus
Code:
<?php
class ICF_Controller extends MX_Controller {}
class Public_Controller extends ICF_Controller {}
class Authenticated_Controller extends Public_Controller {}
class Admin_Controller extends Authenticated_Controller {
    public function __construct()
    {
        // Run the parent constructors first so the framework is initialised
        parent::__construct();
        $this->acl->restrict('admin');
    }
}
class Users extends Admin_Controller {
    public function __construct()
    {
        // Without this call the 'admin' check in Admin_Controller never runs
        parent::__construct();
        $this->acl->restrict('admin.users');
    }
    public function create()
    {
        $this->acl->restrict('admin.users.create');
    }
}
This way I have finely granulated power of the resources accessed and the user gets an error message shown as soon as the first permission is denied.
I was thinking of not doing this and putting the permission logic in Acl::__construct() so that it takes $uri->uri_string(); and replaces slashes with dots to get the resource node. But then I thought, what if the URI is routed or has nothing to do with the actual resource?
That's why I put all the restrict() calls inside every method as the very first line. Might not be the DRYest approach, but so far I don't have any other approach in mind... Oh wait, you could define a controller property that maps all the methods to their respective resources and then check it in the __construct() method automatically (or inside the _remap() method). But that just came to my mind, I don't know if this is quickly implementable or fail-safe.
To briefly explain how my RBACL works:
There are certain resources mapped to roles. Users are assigned these roles and every role has "explicitly denied" or "explicitly allowed" permissions. By default, resources that are not set are denied. But that only applies to top-level resources (those that have one word and no dot in between - a dot is my way of getting resource levels). Now, the ACL checks for a permission to 'admin.users.create' which is not explicitly set. It strips off the '.create' part and looks for a permission 'admin.users', which is not explicitly set, so it strips off '.users'. And finally it tries 'admin'. This is either set (with denied or allowed) or, if it's not set, gets denied.
I guess what your code is missing is the recursive search for permissions, i.e., going from more specific permissions to less specific permissions...
Did that solve your problem or help you in any way?
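
The lookup described in the post above, written out as an added example (not part of the original post and not PhilTem's library): it walks from the most specific resource node up to the top-level one and denies when nothing is set. The class name, method names, rule layout and sample roles are hypothetical, and "an explicit deny beats an explicit allow when two roles disagree on the same node" is an assumption the post does not state.

```php
<?php
// Hypothetical names throughout; illustrates the specific-to-general lookup only.
final class HierarchicalAcl
{
    /** @var array<string, array<string, bool>> role => [resource => allowed?] */
    private array $rules;

    public function __construct(array $rules)
    {
        $this->rules = $rules;
    }

    /** Resolve a dotted resource for a user's roles; unset at every level means denied. */
    public function isAllowed(array $roles, string $resource): bool
    {
        $node = $resource;
        while ($node !== '') {
            $decision = $this->decideAt($roles, $node);
            if ($decision !== null) {
                return $decision;            // first explicit rule found wins
            }
            $pos  = strrpos($node, '.');     // strip the last ".segment"
            $node = ($pos === false) ? '' : substr($node, 0, $pos);
        }
        return false;                        // default deny
    }

    /** Explicit decision at exactly this node, or null if no role sets it. */
    private function decideAt(array $roles, string $node): ?bool
    {
        $decision = null;
        foreach ($roles as $role) {
            if (!isset($this->rules[$role][$node])) {
                continue;
            }
            if ($this->rules[$role][$node] === false) {
                return false;                // assumption: deny beats allow
            }
            $decision = true;
        }
        return $decision;
    }
}

// Constructed sample rules, for illustration only.
$acl = new HierarchicalAcl([
    'editor'  => ['admin' => true, 'admin.users' => false],
    'manager' => ['admin.users.create' => true],
]);
var_dump($acl->isAllowed(['editor'], 'admin.users.create'));            // falls back to admin.users
var_dump($acl->isAllowed(['editor', 'manager'], 'admin.users.create')); // explicit rule at the leaf
var_dump($acl->isAllowed(['manager'], 'reports.export'));               // nothing set anywhere
```

With the controller chain shown in the post, restrict('admin') and restrict('admin.users') are each resolved on their own before create() runs, so an explicit deny on a parent node still stops the request in the constructor even when the leaf node is explicitly allowed.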