Is there a solution to centralize access control (to entities) based on
ownership and other user-document relations
Let's say I have a number of types of documents in my system. I want to
restrict access to them based on three aspects: user roles, ownership and
the relevance of the user to the object. So, for example, ROLE_DOCUMENTTYPE1READ
will grant a user the right to read a document (other roles such as
ROLE_DOCUMENTTYPE1WRITE will grant RW rights). The presence of a connection to
the document (if the document has the user in its 1:M related_users field) gives
the user the right to add comments to the document. And if the user is the owner of the object,
he can edit it entirely.
I can easily implement it in a controller or even create a trait or
something like this, but it would be too ugly and also tedious, because
there will be lots of entities and actions upon them, not only regular
CRUD but also additional ones that change certain fields. I want to know
how such things are usually done. Maybe there are some architectural
patterns that help in this situation? Right now, as I already said, I'm
going to check in every action whether the user is related to the entity, whether he is
its owner, or whether he has the said roles.
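One common way to avoid repeating these checks in every action is to move the whole decision into a single policy table that controllers call through one function, so each action (including non-CRUD ones such as a status change) is just an entry in that table. The following is an added, self-contained example and not code from the question; the `User`, `Document`, `decide` and `authorize` names, the `change_status` action and the sample users and document are constructed for illustration. It encodes the three rules from the question: a `ROLE_<TYPE>READ` or `ROLE_<TYPE>WRITE` role grants reading, the WRITE role also grants editing, membership in `related_users` grants commenting, and the owner can do everything. Unknown actions are denied, and every decision returns the rule that granted it so the outcome can be logged.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    id: int
    doc_type: str                      # e.g. "DOCUMENTTYPE1", used to build role names
    owner_id: int
    related_user_ids: frozenset = frozenset()   # the 1:M related_users relation


class AccessDenied(PermissionError):
    """Raised by authorize() when no rule grants the requested action."""


Rule = Callable[[User, Document], bool]


# --- the three kinds of conditions from the question -------------------------
def can_read_by_role(user: User, doc: Document) -> bool:
    # The WRITE role grants RW rights, so it also satisfies a read.
    return (f"ROLE_{doc.doc_type}READ" in user.roles
            or f"ROLE_{doc.doc_type}WRITE" in user.roles)


def can_write_by_role(user: User, doc: Document) -> bool:
    return f"ROLE_{doc.doc_type}WRITE" in user.roles


def is_owner(user: User, doc: Document) -> bool:
    # The owner "can edit it entirely", so ownership is sufficient for every action.
    return user.id == doc.owner_id


def is_related(user: User, doc: Document) -> bool:
    return user.id in doc.related_user_ids


# --- one central policy: action -> conditions, any one of which is sufficient --
# Adding a new action means adding one line here, not a check in every controller.
POLICY: dict = {
    "read":          [can_read_by_role, is_owner],
    "comment":       [is_related, is_owner],
    "edit":          [can_write_by_role, is_owner],
    "change_status": [is_owner],        # assumed example of a non-CRUD, field-level action
}


def decide(user: User, doc: Document, action: str) -> tuple:
    """Return (allowed, reason). Fails closed for actions not in the policy."""
    rules = POLICY.get(action)
    if rules is None:
        return False, f"unknown action {action!r}"
    for rule in rules:
        if rule(user, doc):
            return True, rule.__name__       # the granting rule, useful for audit logs
    return False, "no rule granted"


def authorize(user: User, doc: Document, action: str) -> str:
    """Single entry point for controllers: returns the granting rule or raises."""
    allowed, reason = decide(user, doc, action)
    if not allowed:
        raise AccessDenied(f"user {user.id} may not {action} document {doc.id}: {reason}")
    return reason


# --- constructed sample data (not from the question) -------------------------
DOC = Document(id=10, doc_type="DOCUMENTTYPE1", owner_id=2, related_user_ids=frozenset({3}))
OTHER_DOC = Document(id=11, doc_type="DOCUMENTTYPE2", owner_id=4)
READER = User(id=1, roles=frozenset({"ROLE_DOCUMENTTYPE1READ"}))   # role only
OWNER = User(id=2)                                                  # owns DOC, no roles
RELATED = User(id=3)                                                # listed in DOC.related_users
EDITOR = User(id=5, roles=frozenset({"ROLE_DOCUMENTTYPE1WRITE"}))  # RW role only

if __name__ == "__main__":
    for user, action in [(READER, "read"), (READER, "comment"), (OWNER, "edit"),
                         (RELATED, "comment"), (EDITOR, "edit"), (READER, "delete")]:
        print(user.id, action, decide(user, DOC, action))
```

The reason string is returned rather than discarded so that denied and granted decisions can be written to an audit log with the rule that decided them; a controller only ever calls `authorize(current_user, entity, "action")`. Note that the question does not say related users may read the document, so `is_related` is not listed under `"read"`; if that is intended, it is a one-line change in `POLICY`.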