groupoffice icon indicating copy to clipboard operation
groupoffice copied to clipboard
verified publisher icon Intermesh

Has many ACL relation

Open michalcharvat opened this issue 4 years ago • 3 comments

Do you plan to add AclItems with 1:N relation? It is useful for entities which could be shared between ACL groups/users. Currently there is only belongs to relation to owner entity. It does mean I have to define same entities n-times to cover this usecase. For example:

You have Company A and Company B where core_user has access to Company A. You have Note Category A and B where Category A is available for Company A and B and Category B for Company B User have access to Notebook X Y Z. Notebooks are not related to Company A or B because you have to manage ACL inside company.

Currently you have to define Category A in Company A and also in Company B because only AclItemEntity is available With new feature you will have just single entity record with relation table.

Not sure about performance issues or any other problem in design.

Except this 1:N relation would be nice to define parent:child relation in any level. My current solution on getPermissionLevel is get parent acl which get maximum ACL from parent. So basically when user with access to one Member of the Company have MANAGE permissions defined by one company it has manage permissions to all member children entities.

ACL in GO are pretty simple. I remember times when I implemented abstraction layer on the top of PHP GACL library - https://github.com/poing/phpGACL - maybe time to integrate complex ACLs to GO too? ^^

michalcharvat avatar Feb 02 '22 14:02 michalcharvat

Regards to ACL I see one more issue - when you are assigning ACL entity to any entity via 1:N relation and you dont have access to the related entity, the related data are not visible. Also in chips there should be probably option see the record with RO permissions - so you shouldn’t be able remove it (also on backend have to be implemented logic which will keep missing relation alive)..

michalcharvat avatar Feb 02 '22 23:02 michalcharvat

Yes, we have considered this before but I'm afraid it's going to kill performance. Until now we were able to solve all problems with the simple ACL. What's your use case?

mschering avatar Feb 03 '22 07:02 mschering

@mschering It is realively simple case - split some entities by company (ACL entity). It could be possible via groups acls but it will add another complexity. You have acl entity which could be assigned via dropdown (chips) to other entities. Something like one note in two different notebooks.

michalcharvat avatar Feb 03 '22 20:02 michalcharvat