
RBAC or ACL, for private content?

Trying to build a micro-CMS (of sorts), which needs to dish out content, i.e. images only for the moment, to a person logged in via a username/password.

Let's say there can be 10K such users, and each user has about 100-1K images in their own account, which no one else should be able to view. What would be the recommended approach to building such a system?

My instincts tell me that ACL is the right approach, since the "roles" in my case are shared-nothing, so I'd have to create as many roles as users. Am I headed the right way?

A special kind of role could be an 'owner-role'. This role applies when you own an object. An idea for implementation in client code:

if ($owner->isAllowed('view', $image)) { /* do stuff */ }

The RBAC system:

// initiation of roles somewhere
$this->roles->add(new OwnerRole($user));

// when called
$roles = $this->getRoles($user);
foreach ($roles as $role) {
    if ($role->isAllowed($user, $action, $object)) { return true; }
}

This means the owner-role must be able to check who owns the object:

class OwnerRole implements Role
{
    private $ownerChecker;

    public function __construct(OwnerChecker $ownerChecker) {
        $this->ownerChecker = $ownerChecker;
    }

    public function isAllowed(User $user, $action, $object) {
        // the owner-role only grants access to objects the user owns
        if ($this->ownerChecker->userOwnsObject($user, $object)) {
            return true;
        }
        return false;
    }
}

The ownerChecker object can be given mappings of how to check a user owns an object.

The following are recommended reading:
http://www.xaprb.com/blog/2006/08/16/how-to-build-role-based-access-control-in-sql/
http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/
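Here is the owner-role idea from the answer above worked through as a complete, runnable PHP script. This is an added example, not code from the original answer; the class names `User`, `Image`, `OwnerChecker`, `OwnerRole` and `Rbac`, the `register()` method and the `OWNER_ACTIONS` list are assumptions chosen for the illustration. It shows why one shared owner-role is enough for 10K users: the role is the same for everyone, and the ownership check is resolved per object at request time, so no per-user role or per-image ACL entry is needed. Unknown object types and actions not granted to owners are denied by default.

```php
<?php
// Added example (not from the original answer): an "owner role" inside a small RBAC.
// All class and method names here are assumptions for illustration.

final class User
{
    public function __construct(public int $id) {}
}

final class Image
{
    public function __construct(public int $id, public int $ownerId) {}
}

interface Role
{
    public function isAllowed(User $user, string $action, object $object): bool;
}

// Maps an object class to a callable(User, object): bool that decides ownership,
// so the ownership rules live in one place instead of in one ACL row per user and image.
final class OwnerChecker
{
    /** @var array<class-string, callable> */
    private array $checks = [];

    public function register(string $class, callable $check): void
    {
        $this->checks[$class] = $check;
    }

    public function userOwnsObject(User $user, object $object): bool
    {
        foreach ($this->checks as $class => $check) {
            if ($object instanceof $class) {
                return (bool) $check($user, $object);
            }
        }
        return false; // unknown object type: fail closed
    }
}

final class OwnerRole implements Role
{
    // Only these actions are granted by ownership; anything else needs another role.
    private const OWNER_ACTIONS = ['view', 'delete'];

    public function __construct(private OwnerChecker $ownerChecker) {}

    public function isAllowed(User $user, string $action, object $object): bool
    {
        return in_array($action, self::OWNER_ACTIONS, true)
            && $this->ownerChecker->userOwnsObject($user, $object);
    }
}

final class Rbac
{
    /** @var Role[] */
    private array $roles = [];

    public function add(Role $role): void
    {
        $this->roles[] = $role;
    }

    // Grant if any role grants; deny when none does (default deny).
    public function isAllowed(User $user, string $action, object $object): bool
    {
        foreach ($this->roles as $role) {
            if ($role->isAllowed($user, $action, $object)) {
                return true;
            }
        }
        return false;
    }
}

// Wiring: a single OwnerRole shared by every user.
$checker = new OwnerChecker();
$checker->register(Image::class, fn(User $u, Image $img): bool => $img->ownerId === $u->id);

$rbac = new Rbac();
$rbac->add(new OwnerRole($checker));

// Constructed sample data: Alice owns image 100, Bob owns nothing.
$alice      = new User(1);
$bob        = new User(2);
$alicePhoto = new Image(100, 1);

var_dump($rbac->isAllowed($alice, 'view', $alicePhoto));
var_dump($rbac->isAllowed($bob, 'view', $alicePhoto));
var_dump($rbac->isAllowed($alice, 'share', $alicePhoto));
```

Run it with `php owner_role.php` (PHP 8.0 or newer, for constructor property promotion). Only the first check should succeed: Alice viewing her own image. Bob is denied because the ownership callback returns false for him, and Alice is denied `share` because that action is not in the owner-role's list, so the decision falls through to the default deny at the end of `Rbac::isAllowed()`.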
