Most of the authorization schemes appear to aim to allow authorization
based on "type", so that a certain group of users are allowed to CRUD a
specific type of resource, eg. Albums or Artists etc. If a user has
access to "albums/update" then the user can change any album. I have
looked at the two available plugins for authorization, ACL and Roles,
and both seem to support this scheme.
I would like to have authorization per individual resource. A comparable
example would be a member only being allowed to update her own member
information. If I would implement something like this, I think I'd add a
table to the database for handling authorization:
The table would then be consulted whenever a resource is accessed, and
the lookup would be put in a central place, if possible. I've
implemented a ":Restricted" action which handles authentication, and
that is where I would try to add the authorization as well. One of the
tricky things would be to have a generic way to create the resource
identifier from request input.
Does anyone know if this be implemented using ACL or Roles, and what are
the principles for doing so?
If not, what is your experience in solving this problem?