tor, 27,.07.2006 kl. 13.10 +0200, skrev sabin:
im trying to implement a role based authentication in my project, but im
writing too many conditions, and i think thats not the right way to
I’ve been writing a Roles/ACL auth system based on auth_generator, you
might want to check it out. http://penso.info/code/auth_generator
It’s GPL so you’ll have to release any enhancements.
I replaced the ACL system in auth_generator with the ACL stuff from
Then I added the possibility to base permissions on the object_id, real
fancy combination if I need to be humble.
It sucks, though. I’ve got thousands and thousands of objects in the
database, so adding permissions based on every object_id is only causing
the browser to not log in the user. With 8 methods in a ModelController
you’ll have eight permission strings to add in the cookie, per object.
I can think of three ways to go on.
- Permission hash in a separate table
- Permission as strings instead of objects
- Drop ACL
Having a permission hash means storing the hash in the cookie, then look
up in the database whether the current action is allowed for this object
and this user.
Strings means storing permissions one permission object per action and a
string with relevant object_ids or “any” for free usage of the given
action on any object.
Dropping ACL is tempting and challenging as we’d need to store a lot
more business logic on the database level. I really think dropping ACL
is the best way. Simplicity is your friend.
propell, mopo as
http://runar.mopo.no | +47 971 77 229 | Boks 808, 8001 BodÃ¸, NORWAY