
I'm working on an app that will have 6 ARO groups in order to cover the required permissions spectrum. Is it really best practice to have *_add, *_edit, *_index, *_view, etc. methods for each? That seems like a bit of code overload and maintenance headache. The "cheapest" way I can imagine to handle it with routing is something like:

<?php
// Controller name is a placeholder added for context; the original post showed only the methods.
class ItemsController extends AppController
{
    // core: edit
    // The leading underscore keeps this method out of CakePHP's routing,
    // so only the per-group wrappers below are reachable as actions.
    function _edit($id = null)
    {
        // do stuff
    }

    // One thin wrapper per ARO group, each prefixed with the group's routing prefix
    function admin_edit($id = null)
    {
        $this->_edit($id);
    }

    function manager_edit($id = null)
    {
        $this->_edit($id);
    }

    function clerk_edit($id = null)
    {
        $this->_edit($id);
    }

    /* ...and on and on... */
}

And toss in restrictions where necessary for, say, a group being allowed to only edit the user's own items, or something similar.

Is there another recommended technique or is this really the best practice?

tomws
  • You may want to check this - http://stackoverflow.com/questions/54230/cakephp-acl-database-setup-aro-aco-structure – bancer Jun 21 '10 at 22:08
  • I don't go in for 'best practice', but if I did, that wouldn't be one. – Leo Jun 22 '10 at 08:08
  • Sometimes it's useful to filter users. I do this in the app_controller's beforeRender method to set some view variables. $usersIndexAllowed = $this->Acl->check($user,"users/index"); $configureAllowed = $this->Acl->check($user,"siteAdmins/configure"); $this->set(compact('usersIndexAllowed','configureAllowed')); – Leo Jun 22 '10 at 08:16
  • Thanks for the comments so far. From the comments here and articles elsewhere, it seems this may be a classic TIMTOWTDI exercise with no real standard. – tomws Jun 22 '10 at 14:10
  • That would apply to any programming exercise. – Leo Jun 22 '10 at 15:33
  • BTW, I didn't mean I always filter in app_controller, just that I did then. Strike "I do this in the app_controller's beforeRender method to set some view variables." and replace it with "for example I once did this in the app_controller's beforeRender method to set some application wide view variables." – Leo Jun 22 '10 at 15:38

1 Answer


Presumably you want to offer different functionality for each group?

If that's not the case, there is no need for different CRUD methods for each group.

If, on the other hand, it is the case, look into switch statements within the CRUD methods to sort out who has what capability.

There is no need to have a method for each group.

Leo
  • Not necessarily different functionality aside from "own" access. Consider this contrived example privilege structure where the privileges stack: clients: index own, view own, edit own clerks: index all, add managers: view all, edit all admins: full access I should have provided something like that in the original post for clarification. – tomws Jun 22 '10 at 14:22
  • Crap... just noticed that didn't format as expected. Trying again. Clients: index own, view own, edit own. Clerks: index all, add. Managers: view all, edit all. Admins: full access. – tomws Jun 22 '10 at 15:19
  • I get the idea [I don't think you can format comments]. I would do (and have done) it the way I suggest. Use ACL to filter method access, then further fine tune the access within that method feeding into a conditional - either switch or if depending on your preference. – Leo Jun 22 '10 at 15:37
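The pattern Leo recommends, applied to the privilege table tomws gives above (clients edit own, managers and admins edit all, clerks none), as an added example that is not code from either poster. It assumes a CakePHP 1.x controller with an Item model carrying a user_id column, a User model that belongsTo Group so that Auth's session data holds the group name, and ARO/ACO nodes already created for the groups and the controller action.

```php
<?php
// Added example, not from the thread. Assumed: Item.user_id, User belongsTo Group,
// Auth session data of the form array('User' => ..., 'Group' => ...).
class ItemsController extends AppController
{
    var $name = 'Items';
    var $components = array('Auth', 'Acl', 'Session');

    // A single edit action shared by every group. ACL decides whether the
    // group may reach the action at all; the "own items only" rule for
    // clients is applied inside the action rather than in a per-group method.
    function edit($id = null)
    {
        $user = $this->Auth->user();
        $aro = array('model' => 'User', 'foreign_key' => $user['User']['id']);
        $group = $user['Group']['name']; // 'clients', 'clerks', 'managers' or 'admins'

        // Step 1: coarse gate via ACL. Clerks never pass this check because
        // their ARO is simply not granted the controllers/Items/edit ACO.
        if (!$this->Acl->check($aro, 'controllers/Items/edit')) {
            $this->Session->setFlash('You are not allowed to edit items.');
            $this->redirect(array('action' => 'index'));
            return;
        }

        $item = $this->Item->findById($id);
        if (empty($item)) {
            $this->cakeError('error404');
        }

        // Step 2: fine-grained rule on top of the ACL decision.
        switch ($group) {
            case 'clients': // may only edit records they own
                if ($item['Item']['user_id'] != $user['User']['id']) {
                    $this->Session->setFlash('You may only edit your own items.');
                    $this->redirect(array('action' => 'index'));
                    return;
                }
                break;
            case 'managers':
            case 'admins': // edit all: nothing further to check
                break;
            default: // deny any group not listed here, even if ACL let it in
                $this->redirect(array('action' => 'index'));
                return;
        }

        if (!empty($this->data) && $this->Item->save($this->data)) {
            $this->redirect(array('action' => 'view', $id));
        }
        $this->data = $item;
    }
}
```

Index and view follow the same shape: one action, the ACL gate at the top, and the "own" restriction expressed as an extra condition on the find rather than as a separate method per group.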