RBAC or ACL for private content?

I am attempting to build a sort of micro-CMS in which, for now, content (that is, images) must be downloadable only by a person registered via username/password.

Say there may be 10K of these users, and each user has about 100-1K images in their own account, which no one else can view. What would be the recommended approach to building such a system?

My instinct says that ACLs are the right approach, since the "roles" in my case have nothing in common, so I would have to create as many roles as there are users. Am I right?

+5
1 answer

A special kind of role may be the "role of the owner." This role applies when you own an object. Idea for implementation in client code:

if ($owner->isAllowed('view', $image)) { /* do stuff */ }

RBAC system:

// initiation of roles somewhere (the owner role needs the checker, see below)
$this->roles->add(new OwnerRole($ownerChecker));

// when called
$roles = $this->getRoles($user);
foreach ($roles as $role) {
     if ($role->isAllowed($user, $action, $object)) { return true; }
}
return false; // no role granted the action: deny by default

This means that the owner role should be able to verify who owns the object:

class OwnerRole implements Role
{
    private OwnerChecker $ownerChecker;

    public function __construct(OwnerChecker $ownerChecker) {
        $this->ownerChecker = $ownerChecker;
    }

    public function isAllowed(User $user, $action, $object) {
        // the role only grants actions on objects the user actually owns
        return $this->ownerChecker->userOwnsObject($user, $object);
    }
}

The ownerChecker object may be given mappings of how to verify that the user owns the object.

Recommended reading:
http://www.xaprb.com/blog/2006/08/16/how-to-build-role-based-access-control-in-sql/
http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/

+4
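The answer above sketches the idea; here is a complete, runnable version of it as an added example (not the answer's own code). It assumes PHP 8.1 and invents the class names User, Image, OwnerChecker, ModeratorRole and Rbac. The points it makes explicit: every user implicitly carries the owner role, so no per-user roles are needed; the owner id is read from the stored object, never from the request; an object type with no registered ownership resolver, or an action no role grants, is denied by default; and a conventional named role (a moderator who may view but not delete) combines with the owner role in the same loop.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's code. Class names are assumptions.
final class User
{
    public function __construct(public readonly int $id, public readonly array $roleNames = []) {}
}

final class Image
{
    public function __construct(public readonly int $id, public readonly int $ownerId) {}
}

interface Role
{
    public function isAllowed(User $user, string $action, object $object): bool;
}

// Maps an object class to a callable returning the owner's user id.
// The id comes from the stored object, never from client input.
final class OwnerChecker
{
    /** @var array<class-string, callable(object):int> */
    private array $resolvers = [];

    public function register(string $class, callable $resolver): void
    {
        $this->resolvers[$class] = $resolver;
    }

    public function userOwnsObject(User $user, object $object): bool
    {
        $resolver = $this->resolvers[$object::class] ?? null;
        // Unknown object type: treat as not owned (deny by default).
        return $resolver !== null && ($resolver)($object) === $user->id;
    }
}

// The "owner role": grants a fixed set of actions, only on objects the user owns.
final class OwnerRole implements Role
{
    private const OWNER_ACTIONS = ['view', 'download', 'delete'];

    public function __construct(private OwnerChecker $ownerChecker) {}

    public function isAllowed(User $user, string $action, object $object): bool
    {
        return in_array($action, self::OWNER_ACTIONS, true)
            && $this->ownerChecker->userOwnsObject($user, $object);
    }
}

// A conventional named role: moderators may view anything but not delete it.
final class ModeratorRole implements Role
{
    public function isAllowed(User $user, string $action, object $object): bool
    {
        return $action === 'view';
    }
}

final class Rbac
{
    /** @var array<string, Role> */
    private array $namedRoles = [];

    public function __construct(private OwnerRole $ownerRole) {}

    public function addNamedRole(string $name, Role $role): void
    {
        $this->namedRoles[$name] = $role;
    }

    /** @return Role[] */
    private function rolesFor(User $user): array
    {
        // Every user implicitly has the owner role; named roles come from the user record.
        $roles = [$this->ownerRole];
        foreach ($user->roleNames as $name) {
            if (isset($this->namedRoles[$name])) {
                $roles[] = $this->namedRoles[$name];
            }
        }
        return $roles;
    }

    public function isAllowed(User $user, string $action, object $object): bool
    {
        foreach ($this->rolesFor($user) as $role) {
            if ($role->isAllowed($user, $action, $object)) {
                return true;
            }
        }
        return false; // nothing granted it: deny by default
    }
}

// Constructed sample data: one image owned by user 1.
$checker = new OwnerChecker();
$checker->register(Image::class, fn (Image $img): int => $img->ownerId);
$rbac = new Rbac(new OwnerRole($checker));
$rbac->addNamedRole('moderator', new ModeratorRole());

$alice = new User(1);
$bob   = new User(2);
$mod   = new User(3, ['moderator']);
$image = new Image(42, ownerId: 1);

foreach ([[$alice, 'view'], [$bob, 'view'], [$mod, 'view'], [$mod, 'delete']] as [$u, $a]) {
    printf("user %d %s image %d: %s\n", $u->id, $a, $image->id,
        $rbac->isAllowed($u, $a, $image) ? 'allowed' : 'denied');
}
```

Run it with `php example.php`. Only the owner may delete the image, the moderator may view it, and the unrelated user is denied, which is the behaviour the question asks for without creating one role per user.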
