Home/ Questions/Q 6802461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T19:13:34+00:00

Trying to build a micro-CMS (of sorts), which needs to dish out content i.e.

  • 0

Trying to build a micro-CMS (of sorts), which needs to dish out content i.e. images only, for the moment, to person logged in via a username/password.

Let’s say there can be 10K such users, and each user has about 100-1K images in their own account, which no one else should be able to view. What would be the recommended approach to building such a system ?

My instincts tell me that ACL is the right approach, since the “roles” in my case are shared-nothing, so I’d have to create as many roles as users. Am I headed the right way ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A special kind of role could be an ‘owner-role’. This role applies when you own an object. An idea for implementation in client code:

    if ($owner->isAllowed('view', $image) { do stuff }

    The RBAC system:

    // initiation of roles somewhere
$this->roles->add(new OwnerRole($user); }

// when called
$roles = $this->getRoles($user);
foreach ($roles as $role) {
     if ($role->isAllowed($user, $action, $object)) { return true; }
}

    This means the owner-role must be able to check who owns the object:

    class OwnerRole implements Role
{
    public function __construct(OwernChecker $ownerChecker) {
        $this->owerChecker = $ownerChecker;
    }
    public function isAllowed(User $user, $action, $object) {
        if ($this->ownerChecker->userOwnsObject($user, $object)) etc
    }
}

    The ownerChecker object can be given mappings of how to check a user owns an object.

    The following are recommended reading:
    http://www.xaprb.com/blog/2006/08/16/how-to-build-role-based-access-control-in-sql/
    http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/

    • 0