phpGACL Chinese manual (9): extended permission objects
Extended permission object
In phpGACL, you can add permissions at a third level by configuring the extended permission object (AXO object). We have learned how phpGACL combines the ARO object and the ACO object into an access control policy instruction, which is mainly used for simple permission requirements such as:
Luke (ARO object) requires access to the "weapons room" (ACO object)
If this is what you need, the AXO object is completely optional!
However, since all ACO objects are treated as equal, they become difficult to manage when there are many of them. In this case, we can change the way we think about permission objects to make them easier to manage.
The AXO object is the same as the ARO object in many respects. There is an AXO tree (separate from the ARO tree) with its own groups and AXO objects. When working with AXO objects, treat the AXO object as taking over the role of the ACO object (that is, a thing that requires permission control), and change the way you view an ACO object from "what requires permission control" to "the requested operation".
View with only ARO and ACO objects:
- ARO object: what requests permission
- ACO object: what requires permission control
View with ARO, ACO and AXO objects:
- ARO object: what requests permission
- ACO object: the requested action
- AXO object: what requires permission control
For example:
A website administrator wants to manage the permissions to access the projects on the website. An ARO tree composed of all user groups is shown below:
Website
├── Administrators
│   ├── Alice
│   └── Carol
└── Users
    ├── Bob
    └── Alan
In the AXO tree, projects are organized by operating system:
Projects
├── Linux
│   ├── SpamFilter2
│   └── AutoLinusWorshipper
└── Windows
    ├── PaperclipKiller
    └── PopupStopper
For each project, the available actions are "View" and "Edit". These are ACO objects.
Now we want Bob to have the "View" permission on all Linux projects. Therefore, we can add an ADP that connects Bob's ARO object with the "View" ACO object and the Linux AXO group. We can then ask the question:
Bob (ARO object) requires "View" (ACO object) permission for a Linux project (AXO object).
Remember that the AXO object is optional. If you do not specify an AXO object when calling the acl_check() function and a matching ADP without an AXO object exists, access is allowed. However, if only ADPs with AXO objects exist and you call the acl_check() function without an AXO object, the check fails.
So once you specify an AXO object when calling the acl_check() function, acl_check() searches only the ACLs that contain an AXO object. If no AXO object is specified, only the ACLs without an AXO object are searched. In theory, this also improves system performance.
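The lookup rule described in the last two paragraphs, as an added example that is not phpGACL's code or part of the original manual. `model_check()`, `lineage()` and the rule array layout are hypothetical; the model covers allow rules only and ignores deny rules and precedence.

```php
<?php
// Constructed model of the lookup rule described above; not phpGACL's code.
// Parent maps mirror the ARO and AXO trees from this page.
const ARO_PARENT = ['Alice' => 'Administrators', 'Carol' => 'Administrators',
    'Bob' => 'Users', 'Alan' => 'Users',
    'Administrators' => 'Website', 'Users' => 'Website'];
const AXO_PARENT = ['SpamFilter2' => 'Linux', 'AutoLinusWorshipper' => 'Linux',
    'PaperclipKiller' => 'Windows', 'PopupStopper' => 'Windows',
    'Linux' => 'Projects', 'Windows' => 'Projects'];

// Return a node followed by all of its ancestor groups.
function lineage(string $node, array $parents): array
{
    $chain = [$node];
    while (isset($parents[$node])) {
        $node = $parents[$node];
        $chain[] = $node;
    }
    return $chain;
}

// Hypothetical stand-in for acl_check(): rules with an AXO and rules without
// one form two disjoint sets, and the call searches only one of them.
function model_check(array $rules, string $aro, string $aco, ?string $axo = null): bool
{
    $aros = lineage($aro, ARO_PARENT);
    $axos = $axo === null ? [] : lineage($axo, AXO_PARENT);
    foreach ($rules as $rule) {
        if (($rule['axo'] === null) !== ($axo === null)) {
            continue; // other partition: never consulted for this call
        }
        if ($rule['aco'] === $aco && in_array($rule['aro'], $aros, true)
            && ($axo === null || in_array($rule['axo'], $axos, true))) {
            return true;
        }
    }
    return false; // no matching rule: deny
}

// Constructed rules: the page's "Bob may View Linux projects" ADP only.
$rules = [['aro' => 'Bob', 'aco' => 'View', 'axo' => 'Linux']];
$cases = [['Bob', 'View', 'SpamFilter2'],     // project in the Linux group
    ['Bob', 'View', 'PaperclipKiller'],       // project in the Windows group
    ['Bob', 'View', null],                    // AXO omitted by the caller
    ['Alan', 'View', 'SpamFilter2']];         // ARO with no rule at all
foreach ($cases as [$aro, $aco, $axo]) {
    printf("%-5s %-4s %-16s => %s\n", $aro, $aco, $axo ?? '(no AXO)',
        model_check($rules, $aro, $aco, $axo) ? 'allow' : 'deny');
}
```

Only the first case is allowed. The third is denied even though Bob holds a "View" rule, because that rule carries an AXO and a call without one never reaches it, so call sites and rule definitions have to agree on whether an AXO is used.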