ACL's per user and per group.

I have a situation where we want to use CKFinder for our image management. However we want to be able to do some things and I need to know if it can do them.

1. We want to be able to have a "group admin" that will be able to see, and administer the folders of the users in his group. So he will be the top level and the folders directly underneath his will contain image folders, and folders for his group members. For example:

My_Username
    | -- ClipArt
    | -- Logos
    | -- User1
    |    | -- Images
    |    | -- Projects
    | -- User2
         | -- Images
         | -- Projects

Each user should be limited to his own directory when he logs in. I believe I've figured out how to do that, using resource types and adjusting the records.

2. The group admin should also be able to limit the ACL's for folders inside the users folders. So that when the users login they will be restricted based on what the group admin turned on or off.

Any help, even just pointing me in the right direction would be GREATLY appreciated.

Tue, 07/13/2010 - 15:15

wiktor

Joined: 16/07/2007

Posts: 1641

Re: ACL's per user and per group.

Definitely doable. Pobably using a different baseDir / baseUrl for each user and an administrator is the way to go.

There is just one thing to understand here: a configuration file might be different for each user depending on the session variables, so you're tottally free to specify different base url/folder and ACL settings depending on which user is logged (and/or to which group does he belong to).

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Tue, 07/13/2010 - 19:42

jswaringen

Joined: 08/07/2010

Posts: 15

Re: ACL's per user and per group.

Thanks Wiktor,

I was able to get the userid into the path variable. We set the base directory to the path above the users directory, then in the ResourceType set the name to the user's name and the URL and Directory to their userID. Here's the resource:

  
     $config['ResourceType'][] = Array(
      'name' => $auth['username'], 
      'url' => $baseUrl . $auth['user_id'],
      'directory' => $baseDir . $auth['user_id'],    
      'maxSize' => "50M",
      'allowedExtensions' => 'bmp,gif,jpeg,jpg,pdf,png,sxc,svg,ai,tif,tiff,',
      'deniedExtensions' => '');

We have run into a very strange problem though with ACL's. Whenever we set the role to "user" which is what the session variable is we get a "resource type" not found. Even though we're putting the $auth['username'] the same as in the resource. For example:

$config['AccessControl'][] = Array(
      'role' => 'user',
      'resourceType' => '*',
      'folder' => '/',

      'folderView' => true,
      'folderCreate' => true,
      'folderRename' => true,
      'folderDelete' => true,

      'fileView' => true,
      'fileUpload' => true,
      'fileRename' => true,
      'fileDelete' => true);

Part of what we're trying to do is setup config.php so that we can have one ACL which has rights to multiple resources. Then we can create them dynamically in a loop. So for each group_admin, they can see the resources of each user in their group, but not all resources for everybody. I hope that makes sense. I've tried putting the ACL's and resources in an "if" and "switch" statement and gotten nowhere. I think I just don't understand the relationship between the ACL's "role/resourceType/folder" and the Resources "name/url/directory". Any suggestions?