Context is an education administration system based on the Zend Framework. We implement RESTful MVC to handle almost all customer interactions. Relations between resources are displayed in the database using foreign keys, etc.
Example: a teacher creating a report for a specific student.
We currently have a role-based permission system that can be adapted to the level of an individual role (using, for example, teacher_5as a role name). Therefore, we can easily restrict access to an existing report (by creating permissions in the report model, which allows you to allow editing / posting rights only for the role of the tutor who created it). The problem arises at creation. To add a report, the user can send to / reports, say, the following data:
{ achievement: "4", performance: "5", student_id: "10" }
The problem is that teachers are only allowed to create new reports on a specific subset student_ids— those students they teach.
One approach would be to consider this as a validation problem in this area. The problem is that we want to protect ourselves from errors, and this is not easy to do with verification (the code should have known in advance that a special verification is expected in certain fields).
Another way is to somehow expand our permission system to completely granular (i.e. it would be allowed for each field in each model), and then expand our current permission system to respond to checks for parameterized permissions. Therefore, if we want to know if the current user has permission to add student_id 10 to the creation report, we will get something like
if ($acl->isAllowed($resource, $role, $action, $field, $value))
$resource , $ teacher_5, $action "post", $ student_id, $ 10. acl $resource.
, , , -, , , .