I have an application with multiple users with different roles.
Each user's access to a resource is limited by the role he has.
Now if I am building an application to manage these resources, how should I structure my application?
roles: admin, moderator, author
resources: articles
I see two options.
1: Create separate modules for each role that give access to the resources for that role
eg:
admin/
-add/edit/delete article
-add/edit/delete user
author/
-add/edit/delete own articles
moderator/
-edit articles
2: Create separate modules for each resource and give access to them based on the role of the user accessing them.
eg:
articles/ add/edit/delete [manage operations depending on the user’s role ]
The language is PHP and I will be using Zend framework. My issue is not about access permissions since Zend’s ACL component takes care of it. My issue is with organization of the application.
For example if a new user is introduced, in the first case I will have to create a new module. But in the case of the second method, I will have to update each and every module.
It is obvious that the first approach will involve more files and less complex logic, and the second approach will need more complex logic, but I am simply not sure which one to follow and am looking for advice. Any help is appreciated.
Thanks.
I think the general approach would be to keep access logic with the accessed resource, not with the accessing one.
In your example it would mean that if an article is to be edited only by specified users, then it's the article's business to check who edits it.
All of the logic would be something like:
and if you ever want to add a new user role or change the behavior of existing ones, you only need to edit this one condition rather than create another pretty-much-the-same-yet-a-bit-different user module.
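An added example (not code from the original answer, and not Zend_Acl) of the resource-centric layout the answer describes: the article holds the one condition that decides who may do what, using the roles and actions from the question. The class and method names are assumptions, and it uses plain PHP 8.1 with a deny-by-default rule for unknown roles.

```php
<?php
// Added example: resource-centric authorization. The Article decides who may
// act on it; adding a role means editing the one match() below, not a new module.

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly string $role, // 'admin' | 'moderator' | 'author' (from the question)
    ) {}
}

final class Article
{
    public function __construct(
        public readonly int $id,
        public readonly int $authorId,
    ) {}

    /** The single place where "who may do what to an article" lives. */
    public function allows(User $user, string $action): bool
    {
        return match ($user->role) {
            'admin'     => in_array($action, ['add', 'edit', 'delete'], true),
            'moderator' => $action === 'edit',
            // authors may create articles, but edit/delete only their own
            'author'    => $action === 'add'
                || (in_array($action, ['edit', 'delete'], true) && $this->authorId === $user->id),
            default     => false, // unknown role: deny by default
        };
    }
}

// Gate called by the controller before any mutation (assumed helper name).
function assertAllowed(Article $article, User $user, string $action): void
{
    if (!$article->allows($user, $action)) {
        throw new RuntimeException("Forbidden: {$user->role} may not {$action} article {$article->id}");
    }
}

// Constructed sample data: article 10 written by user 7.
$article = new Article(id: 10, authorId: 7);
assertAllowed($article, new User(id: 7, role: 'author'), 'edit');    // own article: allowed
assertAllowed($article, new User(id: 1, role: 'moderator'), 'edit'); // moderator: allowed
try {
    assertAllowed($article, new User(id: 8, role: 'author'), 'delete'); // not the owner
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With this layout the controllers in an `articles/` module all call the same gate, and the ownership rule for authors lives next to the data it protects rather than being duplicated per role module.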