Role Based Access Control

[mustafa-qamaruddin]

Hello,

Are the permissions assigned to the user? In a Role Based Access Control should not permissions be assigned to roles and users assigned to roles. Then, users are granted these permission through the roles. Or what is the point to assign both roles and permissions directly to the user?

A link explaining why it is so:
https://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/

Thank you,

[silverbux]

At the current approach yes permissions are assigned to roles and users are assigned to roles.
in terms of why assign both roles and permission to users, i guess its case to case basis
for instance you have an analytics.admin and content.writers.admin, there are cases like content.writers want to see from analytics which contents are popular but you dont want to give full permission to the entire analytics module.

but this havent been implemented yet, but with the way bican/roles been coded this is possible and its up to the coder how to implement this as well, it's just that the goal is to make it more flexible as possible.

[mustafa-qamaruddin]

Dear Alex,

Thank you for the clarification. It's indeed more flexible.

Regards,

[silverbux]

np 😉