hoaproject/Acl

allow/deny on service + permission combination

rauwebieten opened this issue · 1 comments

I'm having trouble specifying permissions. It seems like this is not implemented, unless I missed something.

I have this code:

$acl = new Acl();

$administrators = new Group('administrators');
$acl->addGroup($administrators);

$peter = new User(1, 'Peter');
$administrators->addUsers([$peter]);

$service_a  = new Service('service_a');
$service_b  = new Service('service_b');

$administrators->addServices([$service_a, $service_b]);

$read = new Permission('read');
$write = new Permission('write');

$acl->allow($administrators,[$read, $write]); // ??

How can I give the group view-permission on service-A, but deny view-permission on service-B?
Imagine I cannot delete the service from the group, because I need it for other permissions.



Hywan commented

Hello :-),

So you have:

  • One group: Administrators,
  • One user: Peter,
  • Two services: Service A, and Service B,
  • Two permissions: Read, and Write.

The group Administrators has one user: Peter, and two shared services: Service A, and Service B.

Permissions are set on groups, not on users or services. Currently there are 2 permissions: Read, and Write. What you would like to do is to add a new permission: View, only for Service A, not for Service B. Is that right? This is not possible.

Instead of setting services on the group, maybe you can move them on the users, so that they are not shared, but owned.

Something like:

// Peter owns the Service A. The service is not shared.
$peter->addServices([$service_a]);

// Create the View permission and set it on the group.
$view = new Permission('view');
$acl->allow($administrators, [$view]);

Then you can query something like:

$acl->isAllowed($peter, $view, $service_a); // expect `true`
$acl->isAllowed($other_user, $view, $service_a); // expect `false`

If you would like to dynamically add the service on the user if it belongs to a specific group, you can do:

if ($administrators->userExists($peter)) {
    $peter->addServices([$service_a]);
}

Thoughts?
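
The model discussed in this thread (permissions held by groups, services either shared by a group or owned by a user), as an added example that is not part of the original issue and is not Hoa\Acl code. The `ModelAcl` class, its method names and the second user `paul` are hypothetical; the decision rule in `isAllowed` is an assumption drawn from the description above.

```php
<?php
// Simplified stand-in for the model described in the thread; NOT Hoa\Acl code.
// Assumption: a request passes when one of the user's groups holds the
// permission AND the service is owned by the user or shared by that group.
final class ModelAcl
{
    private array $groupPerms = [];    // group => [permission => true]
    private array $groupUsers = [];    // group => [user => true]
    private array $groupServices = []; // group => [service => true] (shared)
    private array $userServices = [];  // user  => [service => true] (owned)

    public function addUser(string $g, string $u): void { $this->groupUsers[$g][$u] = true; }
    public function share(string $g, string $s): void   { $this->groupServices[$g][$s] = true; }
    public function own(string $u, string $s): void     { $this->userServices[$u][$s] = true; }
    public function allow(string $g, string $p): void   { $this->groupPerms[$g][$p] = true; }

    public function isAllowed(string $user, string $permission, string $service): bool
    {
        foreach ($this->groupUsers as $group => $members) {
            // Skip groups the user is not in, or that lack the permission.
            if (!isset($members[$user], $this->groupPerms[$group][$permission])) {
                continue;
            }
            // The permission carries no service scope: any service the user
            // owns, or the group shares, satisfies the check.
            if (isset($this->userServices[$user][$service])
                || isset($this->groupServices[$group][$service])) {
                return true;
            }
        }
        return false; // default deny
    }
}

$acl = new ModelAcl();
$acl->addUser('administrators', 'peter');
$acl->addUser('administrators', 'paul');    // hypothetical second member
$acl->share('administrators', 'service_b'); // still shared, as in the question
$acl->own('peter', 'service_a');            // the suggested workaround
$acl->allow('administrators', 'view');

var_dump($acl->isAllowed('peter', 'view', 'service_a')); // owner of service_a
var_dump($acl->isAllowed('paul', 'view', 'service_a'));  // member, not owner
var_dump($acl->isAllowed('peter', 'view', 'service_b')); // service shared by group
```

Under this rule the third check passes as long as `service_b` stays shared on the group, because a group-level permission applies to every service reachable through that group. When reviewing such a setup, test the denied combination explicitly rather than only the allowed one.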