Phpgacl Chinese Handbook (eight)


Naming of Permission objects

phpGACL identifies each permission object (an ARO, AXO or ACO object) by a combination of keys, one of which is the permission object type.

Concretely, a permission object is uniquely identified by the tuple (permission object type, section, value).

The first element of the tuple is the permission object type (ARO, AXO or ACO).

The second element of the tuple is called the section: a user-defined string that names a generic class of permission objects. Many permission objects can share the same section name. A section name should be short but descriptive; it is often shown in a selection box in the user interface, so do not make it too long.

Sections live in a single flat namespace and are not nested the way groups are. A section plays no part in the ARO/AXO group trees; it only helps to manage large numbers of permission objects.

The third element of the tuple is called the value: a user-defined name for the permission object. A value cannot contain spaces (a section name can).

The sections and values are case-sensitive.

Note: why identify a permission object with strings instead of integers, which look faster? For legibility. For example,

acl_check('system', 'login', 'users', 'john_doe');

is much easier to understand than:

acl_check(10, 21004, 15, 20304);

Because the context usually makes the type of permission object clear, phpGACL (and this document) leaves out the permission object type when displaying a permission object name and uses only the "section > value" form. In the API, the section and the value of a permission object must be passed as separate function arguments (the permission object type is usually implied by the argument's position rather than stated explicitly in the parameter description).

For example, ACO objects written as section > value:

    • "floor > first floor"
    • "floor > second floor"
    • "room > engine room"

For example, ARO objects written as section > value:

    • "people > john_smith"
    • "people > cathy_jones"
    • "host > sandbox.something.com"

For example, in the API:

    • acl_check($aco_section, $aco_value, $aro_section, $aro_value);
    • acl_check('floors', '2nd', 'people', 'john_smith');

Examples of valid names:

    • "ACO - frob > flerg", "ARO - frob > flerg" (the section and value are the same, but the names are legal because the permission object type puts them in different namespaces)
    • "ACO - frob > flerg", "ACO - frob > queegle" (the permission object type and section are the same, but the names are legal because the values differ)
    • "AXO - frob hrung > flerg" (a section name may contain spaces)

Examples of invalid names:

    • "ACO - frob > flerg", "ACO - frob > flerg" (the combination of permission object type, section name and value name must be unique)
    • "ACO - frob > flerg habit" (a value name cannot contain spaces)

Add a section

Before a new permission object can be added, its section must already exist. New sections are created with the add_object_section() function, whose parameters, in order, are:

    • name: a short description of what the section is for (such as "levels in building")
    • value: the section name itself (such as "floor")
    • order: an arbitrary number giving the position at which the section appears in the user interface
    • hidden: whether the section is shown in the user interface (TRUE means it is hidden)
    • object_type: the permission object type ("ACO", "ARO" or "AXO")

Han has created three sections for ARO objects: "human", "alien" and "robot". Listing the ARO objects by their full names gives the following tree (default: deny all):

Millennium Falcon passengers
├─ Crew [allow: all]
│  ├─ "human > han"
│  ├─ "alien > chewie" [deny: engine room]
│  └─ "human > lando"
├─ Passengers [allow: lounge]
│  ├─ Jedi [allow: cockpit]
│  │  ├─ "human > obi-wan"
│  │  └─ "human > luke" [allow: weapons room]
│  ├─ "robot > r2d2" [allow: engine room]
│  └─ "robot > c3po"
└─ Engineers [allow: engine room, weapons room]
   ├─ "human > han"
   ├─ "robot > r2d2"
   └─ "alien > hontook"

A section is only a way of classifying permission objects so that the user interface is friendlier and acl_check() calls are more readable. It has no effect on how phpGACL decides an object's permissions. Sections cannot be nested (so you cannot create a "male" subsection inside the "human" section; you would have to create a separate section such as "humans-male").
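As an added example that is not part of the manual, the following PHP builds a slice of the Millennium Falcon tree above with the phpGACL API (sections, objects, a group and two ACLs) and then queries it with acl_check() using the section/value strings described in this chapter. It assumes the phpGACL class files are on the include path and the gacl_* tables exist; the database credentials are placeholders.

```php
<?php
// Added example, not from the manual: builds a slice of the Millennium Falcon
// tree above with the phpGACL API, then queries it with acl_check().
// Assumes the phpGACL class files are on the include path and the gacl_*
// tables already exist; the database credentials are placeholders.
require_once 'gacl.class.php';
require_once 'gacl_api.class.php';

$gacl_api = new gacl_api(array(
    'db_type'         => 'mysql',
    'db_host'         => 'localhost',
    'db_user'         => 'DB_USER_PLACEHOLDER',
    'db_password'     => 'DB_PASSWORD_PLACEHOLDER',
    'db_name'         => 'gacl',
    'db_table_prefix' => 'gacl_',
));

// Sections first: add_object_section(name, value, order, hidden, type).
// The value ("human", "room") is the string acl_check() is later given.
$gacl_api->add_object_section('Humans', 'human', 1, 0, 'ARO');
$gacl_api->add_object_section('Aliens', 'alien', 2, 0, 'ARO');
$gacl_api->add_object_section('Rooms',  'room',  1, 0, 'ACO');

// Objects: add_object(section_value, name, value, order, hidden, type).
// Values may not contain spaces, so the engine room becomes "engine_room".
$gacl_api->add_object('human', 'Han Solo',    'han',         1, 0, 'ARO');
$gacl_api->add_object('alien', 'Chewbacca',   'chewie',      2, 0, 'ARO');
$gacl_api->add_object('room',  'Engine room', 'engine_room', 1, 0, 'ACO');

// The "Crew" group under the ARO root, with Han and Chewie as members.
$root_id = $gacl_api->get_root_group_id('ARO');
$crew_id = $gacl_api->add_group('crew', 'Crew', $root_id, 'ARO');
$gacl_api->add_group_object($crew_id, 'human', 'han',    'ARO');
$gacl_api->add_group_object($crew_id, 'alien', 'chewie', 'ARO');

// ACL 1: the crew group may enter the engine room. ACO/ARO arguments are
// arrays of section value => list of object values; groups are passed by id.
$gacl_api->add_acl(array('room' => array('engine_room')), NULL, array($crew_id));
// ACL 2: Chewie alone is denied the engine room ($allow = 0), the
// object-level exception shown in the tree above.
$gacl_api->add_acl(array('room' => array('engine_room')),
                   array('alien' => array('chewie')), NULL, NULL, NULL, 0);

// Checks use the same section/value strings; the object type is implied
// by the argument position (ACO pair first, then ARO pair).
$han_ok    = $gacl_api->acl_check('room', 'engine_room', 'human', 'han');
$chewie_ok = $gacl_api->acl_check('room', 'engine_room', 'alien', 'chewie');
var_dump((bool) $han_ok, (bool) $chewie_ok);
```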

Multi-purpose

You may need phpGACL for several unrelated purposes. For example, you might want to restrict which users can access a web page, and also want to restrict which remote hosts can access your server. The two tasks have nothing to do with each other.

phpGACL can handle this in three different ways:

    • You can store the permission tables in a separate database.
    • You can store them in the same database using a different set of permission tables. (This feature is not implemented.)
    • You can store the permission objects for the different purposes in the same tables and manage your ACLs carefully so that they do not conflict.

Option 1 is implemented by passing a $gacl_options array when creating a new gacl object (option 2 could be implemented the same way); the array lets you specify the database and a prefix for the table names.

$gacl_options = array(
    'db_table_prefix' => 'gacl_',    // prefix added to every phpGACL table name
    'db_type'         => 'mysql',
    'db_host'         => 'host1',
    'db_user'         => 'user',
    'db_password'     => 'passwd',
    'db_name'         => 'gacl',
);

$gacl_host1 = new gacl($gacl_options);

To use option 3 you must be very careful, because phpGACL has no idea that your different tasks are unrelated, so it is possible to create meaningless permission policies.

For example: Han wants to limit which other ships can connect to his spaceship's computer, and he also wants to restrict access to the different rooms. To do this, he may add "Luke's X-wing fighter" as a remote spaceship ARO object (he could add other ships too, and use the spaceship's computer as an ACO object). Because all ARO objects live in the same ARO tree, it is just as easy to create an ACL like "spaceship > Luke's X-wing fighter" [allow: "room > engine room"], which makes no sense at all! To help catch mistakes like this, a good section name makes such a permission object clearer. It is obvious to any administrator that granting a spaceship access to a room makes no sense.
