  1. POACL ordering and evaluation. what should take precedence Account or group, aco or parent aco
    text
    <p>I am following this <a href="http://bakery.cakephp.org/articles/theshz/2006/11/28/user-permissions-and-cakephp-acl" rel="nofollow">cake php acl model</a> article to create my own ACL implementation.</p>
    <p>I have understood the concepts of ACO, ARO and ACO_ARO. I want to implement the Check method, which will decide whether the ARO has access to the ACO. Since there are ARO trees and ACO trees, how do I calculate the most effective permissions for an ACO to an ARO?</p>
    <p>Also, I have found the article below, which has a check method implemented, but that is in PHP: <a href="http://bakery.cakephp.org/articles/unigue_/2008/03/12/toniacl-component-tutorial" rel="nofollow">acl implementation</a></p>
    <p>In short, what should take precedence: account or group, ACO or parent ACO?</p>
    <p>Something like this <a href="http://docs.alfresco.com/4.0/index.jsp?topic=/com.alfresco.enterprise.doc/concepts/secur-acl.html" rel="nofollow">article</a>.</p>
    <p>Update: up till now I have reached here.</p>
    <p>I have made an AccessControlEntry class as follows:</p>
<pre><code>public class AccessControlEntry
{
    public BsonObjectId AccessControlEntryId { get; set; }
    public BsonObjectId AccessRequestObjectId { get; set; }
    public BsonObjectId AccessControlObjectId { get; set; }
    public bool CanView { get; set; }
    public bool CanEdit { get; set; }
    public bool CanDelete { get; set; }
    public bool CanAdministrate { get; set; }
}

// Method of the ACL service class (the surrounding class is not shown in the post).
public bool Check(Usercontext usercontext, BsonObjectId acoId, string permission)
{
    // acoId is the accessControlObjectId, like in the CakePHP ACL
    Account acc = _usercontextService.GetAccountByUserContext(usercontext);

    // Get the ACE, e.g. account X has CanView=true on object Y
    AccessControlEntry entry = _accessControlEntryRepository.GetAccessControlEntry(acc.AccountId, acoId);
    if (entry != null)
    {
        bool value = (bool)entry.GetType().GetProperty(permission).GetValue(entry, null);
        return value;
    }

    // Account entry not found: search in groups
    bool groupEntryFound = false;
    bool effectiveValue = false;
    Group[] groups = _usercontextService.GetGroupsForAccount(acc.AccountId);
    foreach (Group group in groups)
    {
        AccessControlEntry entryGroup = _accessControlEntryRepository.GetAccessControlEntry(group.GroupId, acoId);
        if (entryGroup != null)
        {
            groupEntryFound = true;
            effectiveValue |= (bool)entryGroup.GetType().GetProperty(permission).GetValue(entryGroup, null);
        }
    }

    // ACE found in a group: return the most privileged value
    if (groupEntryFound)
        return effectiveValue;

    // Entry found neither for the account nor for a group: return false
    return false;
}
</code></pre>
    <p>I call the Check method from other services like this:</p>
<pre><code>// The permission string must name a property of AccessControlEntry;
// "CanRead" is not defined on the class, so GetProperty would return null.
Check(context, 44556, "CanView")
</code></pre>
    <p>The Check method looks for an AccessControlEntry for the account; if it does not find any entry for the account, then it looks for groups.</p>
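An added example, not part of the original post: one possible way to resolve the precedence the question asks about, extending the posted Check to walk up the ACO tree. The policy (nearest ACO first, account entry before group entries at each level, deny when nothing is set) is an assumption, and all names and sample data are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration; identifiers and sample data are constructed, not from the post.
public static class AclDemo
{
    // ACO tree as child -> parent; the root ("site") has no entry.
    static readonly Dictionary<string, string> AcoParent = new Dictionary<string, string>
    {
        { "report-42", "reports" }, { "reports", "site" }
    };

    // Explicit entries for one permission (e.g. CanView): (ARO, ACO) -> allow/deny.
    // A missing key means "not set here, inherit from the parent ACO".
    static readonly Dictionary<(string Aro, string Aco), bool> Entries =
        new Dictionary<(string, string), bool>
    {
        { ("group:staff", "site"), true },
        { ("group:interns", "reports"), false },
        { ("account:alice", "report-42"), true },
    };

    public static bool Check(string account, string[] groups, string aco)
    {
        // Walk from the requested ACO up to the root; the nearest level with an entry decides.
        for (string node = aco; node != null;
             node = AcoParent.TryGetValue(node, out var parent) ? parent : null)
        {
            // Assumed rule 1: the account's own entry beats any group entry at this level.
            if (Entries.TryGetValue((account, node), out bool own)) return own;

            // Assumed rule 2: among groups, keep the post's "most privileged wins" OR.
            var groupValues = groups.Where(g => Entries.ContainsKey((g, node)))
                                    .Select(g => Entries[(g, node)]).ToList();
            if (groupValues.Count > 0) return groupValues.Any(v => v);
        }
        return false; // no entry anywhere on the path: deny by default
    }

    public static void Main()
    {
        // Decided by the account entry on the leaf ACO.
        Console.WriteLine(Check("account:alice", new[] { "group:interns" }, "report-42"));
        // Decided at "reports": the nearer group entry hides the one on "site".
        Console.WriteLine(Check("account:bob", new[] { "group:interns", "group:staff" }, "report-42"));
        // Nothing set for this account and no groups: default deny.
        Console.WriteLine(Check("account:carol", new string[0], "report-42"));
    }
}
```

Swapping the loop nesting (all ACO levels for the account first, then all levels for the groups) gives the other ordering the question contrasts; whichever is chosen, keeping the final default as deny means a missing entry never grants access.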
 
