
I'm trying to implement an ACL and I would like your opinion about which could be the best (more performant) way to do it:

Is it better to deny access to everybody and grant permissions according to each user, or is it better to grant access to everybody by default and remove permissions?

Trying to be more specific, imagine I have 3 Users: SuperAdmin, ClientAdmin, BasicMember.

The ClientAdmin has almost the same permissions as the SuperAdmin, such as seeing every user registered in the system, but he can't make any changes, just 'read'.

At this moment, I created a function where I list all the permissions of the user and in each resource, I check the currentUserRole and the authorisation doing something like:

$acl = $this->generateAcl($roleId, AclResourceBean::ENTER_DATA, 'read');

So, I'd like your opinion on whether it's better to check: if he has permission, showAction; or if he has no permission, hideAction. (e.g. for the ClientAdmin, who has just read rights over the other users, should I hide the "edit" button, or is it better to always hide and, if he has no rights, show?)

Praveen Kumar Purushothaman
sergioviniciuss

1 Answer


I think it mostly depends on your application. But I typically tend to go for deny all and grant access. That way you're less likely to forget an access permission and have people where they shouldn't be.

Lee Davis
  • As a matter of fact, I'm using the Zend_Acl implementation to help me, and I'm still not sure, but I think it does exactly the opposite. I noticed that if I change the status in the database to "0" instead of "1" in the column "is_allowed", I can deny access to a user, but if I don't do this, it doesn't consider the resource_id I'm trying to apply the rule to and it grants access. – sergioviniciuss Jun 19 '12 at 11:07
  • I'm pretty sure you have to explicitly "allow" access to a resource with Zend_Acl. If not, try doing "$acl->deny()" after you've added all your resources (passing no arguments). – Lee Davis Jun 19 '12 at 11:24
  • That's true @LeeDavis, I realised I was having a problem at the moment I was listing my id_resources, and then I checked and it's exactly the way you said. – sergioviniciuss Jun 19 '12 at 13:16
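The deny-all-then-grant approach from the answer and the `$acl->deny()` tip from the comments, written out with Zend_Acl (Zend Framework 1) for the three roles in the question. This is an added example, not code from the question, the answer or Zend itself; it assumes ZF1 is on the include path, and the resource names `users` and `audit_log` are constructed for illustration.

```php
<?php
// Added example: default-deny ACL with Zend_Acl (Zend Framework 1 is assumed on the include path).
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

function buildAcl()
{
    $acl = new Zend_Acl();

    // Roles from the question. Each role inherits the rules of its parent,
    // so SuperAdmin gets everything ClientAdmin has, plus its own grants.
    $acl->addRole(new Zend_Acl_Role('BasicMember'));
    $acl->addRole(new Zend_Acl_Role('ClientAdmin'), 'BasicMember');
    $acl->addRole(new Zend_Acl_Role('SuperAdmin'), 'ClientAdmin');

    // Constructed resource names; 'audit_log' is deliberately left without any rule.
    $acl->addResource(new Zend_Acl_Resource('users'));
    $acl->addResource(new Zend_Acl_Resource('audit_log'));

    // Start from "nobody may do anything", then grant only what each role needs.
    // A resource or privilege that nobody remembered to write a rule for stays closed.
    $acl->deny();
    $acl->allow('ClientAdmin', 'users', 'read'); // read-only, as described in the question
    $acl->allow('SuperAdmin', 'users');          // every privilege on 'users' (edit included)

    return $acl;
}

// The UI question from the post: render an action button only when the ACL says yes.
// The controller never has to enumerate what to hide; anything not granted is hidden.
function visibleActions(Zend_Acl $acl, $role, $resource, array $candidates)
{
    $shown = array();
    foreach ($candidates as $privilege) {
        if ($acl->isAllowed($role, $resource, $privilege)) {
            $shown[] = $privilege;
        }
    }
    return $shown;
}

$acl = buildAcl();
$buttons = array('read', 'edit', 'delete');
foreach (array('BasicMember', 'ClientAdmin', 'SuperAdmin') as $role) {
    // ClientAdmin sees only 'read'; BasicMember sees nothing; SuperAdmin sees all three.
    echo $role, ' on users: ', implode(', ', visibleActions($acl, $role, 'users', $buttons)), PHP_EOL;
    // No rule was ever written for audit_log, so every role, SuperAdmin included, gets nothing here.
    echo $role, ' on audit_log: ', implode(', ', visibleActions($acl, $role, 'audit_log', $buttons)), PHP_EOL;
}
```

Swapping the `deny()` for `allow()` would flip the `audit_log` result for every role, which is exactly the "forgotten permission" the answer warns about.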