Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

How would I use ACL to lock users out of, say, certain forum categories but not others?

So I looked into the ACL stuff a little. I was trying to figure out the 'phalcon' way of doing things here. Acl seems to restrict access to certain 'types' of things, not 'instances' of those things. IE, you can define the permission for accessing the "forum categories" controller (mysite.com/categories), but I can't seem to figure out how I would restrict users to certain categories only (ie, guests can access mysite.com/categories/cars, but not mysite.com/categories/SecretAdminPosts).

How would I best go about this?



17.6k
edited Aug '14

You could do two types of areas (add both to the ACL): one of them for users with a determined role, and the other for the rest. Something like:

$publicArea = array(
    "categories" => array("cars")
);
$privateArea = array(
    "categories" => array("SecretAdminPosts")
);

foreach ($publicArea as $controller => $actions) {
    $acl->addResource(new Resource($controller), $actions);
}

foreach ($privateArea as $controller => $actions) {
    $acl->addResource(new Resource($controller), $actions);
}

foreach ($publicArea as $controller => $actions) {
    $acl->allow('user', $controller, $actions);
    $acl->allow('admin', $controller, $actions);
}

foreach ($privateArea as $controller => $actions) {
    $acl->allow('admin', $controller, $actions);
}

More info in http://docs.phalconphp.com/en/latest/reference/tutorial-invo.html#providing-an-acl-list



1.5k

Yes thats fine and works well for those 2 categories, but on many web software (forums, etc) the user/admin can create their own categories. I can't 'hard code' the permissions.

Think, for example, secret facebook groups. If you are granted to a facebook group you can view and post posts in the group. There can be lots of these groups. The only thing I can think of us creating an ACL user group ('user','admin','etc') for every single user created page by fetching every single group from the database, adding users to the correct group and then executing the rest of my PHP. Imagine if I had 100's of groups. This would not work very well because I'd have to 'construct' this 'dynamic' ACL list every time.



17.6k

Mmmm... maybe using an INI configuration file? You will load all controllers/actions/roles from there. The INI will be dynamically refreshed when some new "facebook group" would be created.



1.5k
edited Aug '14

That could be one giant INI file if the website was popular. Wouldn't it be getting loaded each time someone loads a page? Or does Phalcon load it into 'memory', because C magic ? Imagine loading an INI with thousands of lines in it, every time someone requests a page..?



82.3k
Accepted
answer


1.5k

That looks like what I am after, thanks you two for helping out :)