Originally I wanted it to do this, and have given it a lot of thought, but I don't see a way to do this that would be acceptable (performance, API and design-wise).

josh wrote:
As in, pass the post's status to the ACL; the ACL would handle checking if it is "allowed" for a given status (rather than getting back an object you have to "poke at" further to get a simple true/false).
So you would have a 4th optional "context" parameter that could be anything (a post's status, the request method GET vs POST, etc... any "context" you needed to be conditional)... these contexts would work like a second "permission" (the resource, role, permission, AND context would all have to match).

I think this is more or less what ZF wants assertions to do. The result is that you're almost building an access control within the access control.
Actually what I currently have is not far from it. I see the connection but don't know how to implement access on object(types) contained by other object(types). I'll explain with an example in pseudo-code. What I have now is something like this:
    create a type 'post'
    allow role action 'view' on type 'post'   // the rule
    create a type 'draft', which is type 'post' with property 'status' = 'draft'
    deny role action 'view' on type 'draft'   // other rule

    allow role action 'view' on type ... ?
    allow role action 'view' on object ... ?
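One way to express the "allow view on posts, but not on drafts" rules above with a Zend_Acl (ZF1) assertion, as an added example that is not from this thread. It assumes Zend Framework 1.9 or later, where isAllowed() hands the original resource object to the assertion, and the Post and IsNotDraftAssertion classes are made up for the example.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1 (1.9+), where
// isAllowed() passes the original resource object on to the assertion.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

// The post itself is the resource; its status is the "context" the thread asks about.
// (Hypothetical class, not part of ZF.)
class Post implements Zend_Acl_Resource_Interface
{
    public $status;
    public function __construct($status) { $this->status = $status; }
    public function getResourceId() { return 'post'; }   // same id as the registered type
}

// Passes only for concrete posts that are not drafts. When the assertion fails, the
// rule it is attached to is ignored and Zend_Acl falls through to its default (deny).
class IsNotDraftAssertion implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // A bare string id ('post') carries no status, so treat it as not viewable.
        return $resource instanceof Post && $resource->status !== 'draft';
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('reader'));
$acl->addRole(new Zend_Acl_Role('editor'), 'reader');   // editor inherits from reader
$acl->addResource(new Zend_Acl_Resource('post'));

// Zend_Acl keeps one rule per (role, resource, privilege), so attach the condition to
// the allow rather than adding a separate deny: a later deny for the same triple
// would replace the allow instead of refining it.
$acl->allow('reader', 'post', 'view', new IsNotDraftAssertion());
$acl->allow('editor', 'post', 'view');                   // editors may view drafts too

var_dump($acl->isAllowed('reader', new Post('published'), 'view'));
var_dump($acl->isAllowed('reader', new Post('draft'), 'view'));
var_dump($acl->isAllowed('editor', new Post('draft'), 'view'));
```

The check for the draft/non-draft distinction lives in the assertion, so the ACL still answers with a plain boolean rather than returning an object the caller has to inspect.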