
Hello,

I want, or rather need, to control restrictions for some actions and controllers via database settings. What is the best way to do such a job?

What is my goal: I need to create a solution where there will be a lot of user groups (stored in the DB) and they will be fully dynamic (created and removed from the admin panel). Permissions should be inherited by subgroups, so if a user has the role EditorsChief he can also perform all actions allowed to an Editor. I cannot just annotate the action/controller with @Restrict({"EditorsChief", "Editor"}) because those roles don't exist (they are supposed to be created on the fly from the admin panel).

My first thought is to use a @Dynamic controller and group the restrictions with separate handlers, which of course requires hardcoding some of them. That's not too bad - with some attention it's possible to set up quite a good schema (i.e. by naming handlers with a convention: handlerControllerAction, handlerControllerOtherAction, ...).

What are your thoughts? Am I going in a good direction?

wkl
biesior
  • sounds like Drupal, but way faster ;-) As for your question, I'm new to Play, coming from Scalatra where each route has before & after interceptors, along with a beforeAll for the entire application. The Play correlate is the global settings interface (I believe); maybe use that with a Redis key-value store for fast access to the permissions model? You're going to have to do on-the-fly lookups one way or the other, it's just a matter of where you implement security: directly on controllers (easier to understand), or implicitly via a global filter – virtualeyes May 26 '12 at 08:11
  • @virtualeyes, de facto [deadbolt](https://github.com/schaloner/deadbolt-2) is an authorisation module, so I don't need to create a solution. Rather this is a question for somebody who has had experience with a similar schema, in case he can share his insights :) I'm just checking its possibilities and need to confirm whether my idea goes in the correct direction. BTW Redis could be a good performance booster; however I do not expect such huge traffic that role resolving could be a bottleneck. However... hm... caching overall isn't a bad idea :) – biesior May 26 '12 at 14:08

1 Answer


The best way to do this IMO is to use the Dynamic annotation, and give each one a distinct name that describes the function of the method. Since you have a finite number of annotated methods in your code, you can then store these names in a database (possibly caching them, as suggested above, for performance).

In the admin panel, you can then associate these names with groups, roles, or whatever, and perform the control based on that. This would be, off the top of my head, a one-to-many relationship in the DB.

Let me know if I need to explain this more completely.

Steve (author of Deadbolt)

Steve Chaloner
  • Steve, you didn't need to mention who you are :) Your suggestion is quite close to my thoughts, so after some tests with provided sample sets I have currently general vision and plan for implementation, but need to spend some time on other tasks, so I will ask another question in case of any problems. Thx – biesior May 31 '12 at 07:38
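The scheme the answer describes (each @Dynamic annotation carries a stable name, the admin panel maps names to groups, groups inherit from parent groups), as a self-contained example added here. This is not Deadbolt's code nor the asker's; the three maps stand in for assumed DB tables (group_parent, permission_group) plus a cache, the permission names `article.edit`/`article.publish` and the groups are constructed sample data, and the hook into Deadbolt's DynamicResourceHandler is only described in a comment, not implemented, because its signature differs between Deadbolt versions. Two practitioner details the answer leaves implicit are shown: the check is deny-by-default, so a newly annotated action whose name nobody has mapped yet is refused rather than silently allowed, and the ancestor walk keeps a visited set, so a parent cycle created by mistake in the admin panel cannot hang the request.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * In-memory model of "store the @Dynamic names in the DB and map them to groups".
 * Example added to this page; not Deadbolt code. The maps stand in for assumed
 * DB tables that the admin panel edits.
 */
public class DynamicPermissionResolver {

    /** group -> parent groups it inherits from (assumed table group_parent). */
    private final Map<String, Set<String>> parents = new HashMap<>();
    /** @Dynamic name -> groups granted it directly (assumed table permission_group, one-to-many). */
    private final Map<String, Set<String>> grants = new HashMap<>();
    /** group -> itself plus all ancestors; cleared whenever the group tree changes. */
    private final Map<String, Set<String>> closureCache = new HashMap<>();

    public void addGroup(String group, String... parentGroups) {
        parents.computeIfAbsent(group, g -> new HashSet<>()).addAll(Arrays.asList(parentGroups));
        closureCache.clear();
    }

    public void grant(String permissionName, String group) {
        grants.computeIfAbsent(permissionName, p -> new HashSet<>()).add(group);
    }

    /** Groups whose grants {@code group} effectively holds: itself plus every ancestor. */
    public Set<String> effectiveGroups(String group) {
        Set<String> cached = closureCache.get(group);
        if (cached != null) {
            return cached;
        }
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>();
        todo.push(group);
        while (!todo.isEmpty()) {
            String g = todo.pop();
            if (!seen.add(g)) {
                continue; // already visited; this also stops an A -> B -> A cycle made in the admin panel
            }
            for (String p : parents.getOrDefault(g, Collections.<String>emptySet())) {
                todo.push(p);
            }
        }
        Set<String> result = Collections.unmodifiableSet(seen);
        closureCache.put(group, result);
        return result;
    }

    /**
     * The decision a Deadbolt DynamicResourceHandler's isAllowed(name, ...) would
     * delegate to after reading the subject's groups (that wiring is assumed and
     * not shown here). Deny by default: a name no group has been granted, e.g. a
     * freshly annotated action nobody has configured yet, is refused.
     */
    public boolean isAllowed(String permissionName, Collection<String> subjectGroups) {
        Set<String> grantedTo = grants.get(permissionName);
        if (grantedTo == null || grantedTo.isEmpty()) {
            return false;
        }
        for (String g : subjectGroups) {
            for (String effective : effectiveGroups(g)) {
                if (grantedTo.contains(effective)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        DynamicPermissionResolver r = new DynamicPermissionResolver();
        // constructed sample data, as the admin panel might create it
        r.addGroup("Editor");
        r.addGroup("EditorsChief", "Editor");      // EditorsChief inherits everything Editor may do
        r.grant("article.edit", "Editor");         // names copied from @Dynamic("article.edit") etc.
        r.grant("article.publish", "EditorsChief");

        check(r.isAllowed("article.edit", Arrays.asList("EditorsChief")), "inherited grant");
        check(!r.isAllowed("article.publish", Arrays.asList("Editor")), "no upward inheritance");
        check(!r.isAllowed("article.delete", Arrays.asList("EditorsChief")), "unmapped name is denied");
        System.out.println("all checks passed");
    }

    private static void check(boolean condition, String what) {
        if (!condition) {
            throw new AssertionError(what);
        }
    }
}
```

Compile and run with `javac DynamicPermissionResolver.java && java DynamicPermissionResolver`. Two design points carry over to the real DB-backed version: the closure cache must be invalidated (or expire) whenever the admin panel changes group parents, otherwise a group removed from the hierarchy keeps its inherited grants until restart; and the set of valid permission names should be seeded from the annotations actually present in the code, so the admin panel can only map names that exist and a typo in a grant fails closed instead of granting nothing anyone notices.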