
Add role realms

Open kerbylav opened this issue 9 years ago • 4 comments

Permission inheritance is a great thing, but it is obviously incomplete and kind of broken.

Say there is an application which has two separate sections: news and questions.

And here are roles with levels:

news: news_reader (1), news_editor (2), news_moderator (3)
questions: question_asker (1), question_moderator (2)

So it is obvious that a user with the role 'news_moderator' will have all permissions of the question_moderator and question_asker roles, which is simply not right.

To solve this issue it would be great to enhance roles with a realm field so roles and inheritance could be grouped.

It will not break existing functionality, provided that the realm field has a default value.

kerbylav avatar Aug 06 '15 09:08 kerbylav

@kerbylav I had the same issue a while back and ended up creating a new package based on this one.

https://github.com/DynamicCodeNinja/RBAC

Maybe that will help?

sniper7kills avatar Aug 07 '15 00:08 sniper7kills

@sniper7kills Unfortunately, while it is more flexible, it is far too inefficient for my taste. Permission checking could be quite a frequent operation, but the child-parent tree implementation generates too many SQL queries per check. The same functionality could be reached by just adding an extra 'realm' column to this package without extra SQL queries. Just build the roles tree based on realm and level.

Also I have a suggestion for the denying mechanism: in the real world you much more often deny certain permissions rather than whole roles. And even if you want to add some denying role... I suggest adding a 'denied' field to the permission pivot tables, and hence you can manage denial of permissions. And then you can even create whole denying roles if you need them.

kerbylav avatar Aug 07 '15 04:08 kerbylav

@kerbylav I see what you mean now. I didn't fully understand before, but you are absolutely right that is a much better way of handling it.

Question though: what if a user has two different roles with different realms? I assume we would have to make one query per realm the user was attached to?

sniper7kills avatar Aug 07 '15 23:08 sniper7kills

Third ticket I've come across where deny is mentioned. I think that'd be a great feature. Another way to implement it is similar to what Sentry has done in the past (and I'm sure others have as well). Set the permission value to 1 or -1. This way a role can set the permission to 1. But then a user can have a permission set to -1, thus overriding the role permission and denying access.

0 or empty would be inherited. Meaning if a user has no permissions, they inherit all their permissions from whatever roles they belong to.

dustingraham avatar Oct 01 '15 19:10 dustingraham
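The realm-grouped level inheritance kerbylav proposes above, combined with the 1 / -1 / inherit per-user override dustingraham describes, as an added Python example that is not part of this issue or of the package under discussion. Role names, levels and permission strings are constructed sample data; a role only inherits roles in its own realm, so a user holding roles in two realms (sniper7kills' question) simply resolves each role within its realm.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    realm: str
    level: int


# Constructed sample roles, following the thread's news/questions example.
ROLES = {
    "news_reader": Role("news_reader", "news", 1),
    "news_editor": Role("news_editor", "news", 2),
    "news_moderator": Role("news_moderator", "news", 3),
    "question_asker": Role("question_asker", "questions", 1),
    "question_moderator": Role("question_moderator", "questions", 2),
}

# Permissions granted directly to each role (constructed sample data).
ROLE_PERMS = {
    "news_reader": {"news.read"},
    "news_editor": {"news.write"},
    "news_moderator": {"news.delete"},
    "question_asker": {"questions.ask"},
    "question_moderator": {"questions.close"},
}


def inherited_roles(role_name):
    """A role inherits every role in the SAME realm with a lower-or-equal level.
    Roles in other realms are never inherited, whatever their level."""
    role = ROLES[role_name]
    return {n for n, r in ROLES.items() if r.realm == role.realm and r.level <= role.level}


def effective_permissions(user_roles, user_overrides=None):
    """Union of inherited role permissions, then apply per-user overrides:
    1 grants, -1 denies (wins over any role grant), 0/missing inherits."""
    perms = set()
    for name in user_roles:
        for inherited in inherited_roles(name):
            perms |= ROLE_PERMS[inherited]
    for perm, value in (user_overrides or {}).items():
        if value == 1:
            perms.add(perm)
        elif value == -1:
            perms.discard(perm)
    return perms
```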