Background
I'm currently working on a Phalcon application. The application itself is relatively simple, but I am using it as a tool to learn about some more advanced concepts and techniques.
I've ditched my homebrew ACL (access-control list) solution, and plumped for the ACL provided in Phalcon.
This question is more conceptual, as I would feel confident in implementing any solution.
Question
The question is this: "Where do you store the information on your ACL?"
Possible Solution
I currently have a static array that I fill up with the various actions and their access levels.
I feel that this is slightly limiting, and that it would potentially be better served by database storage.
I could use a bitmask to indicate the user roles that are allowed access to the various resources, or maybe a minimum level.
The other problem I have is that it is hierarchical (to an extent), but multiple roles could exist with slightly different permissions.
e.g.
Admin has all roles of captain, secretary and user.
Captain has all the roles of a user and the ability to pick players.
Secretary has all the roles of a user and the ability to contact the opponent's secretary.
Captain and secretary both have the ability to email players.
Imagine it as somewhat of a Venn diagram of permissions, if you will.
Caching
The next issue would be that accessing the database every time would add a performance overhead, so I guess caching it would make sense.
The issue would then be how to invalidate the cache (there are only two hard things in computer science...). Maybe there could be a database field that held an md5 hash of the ACL, which was checked on page load to see whether the ACL information needs to be reloaded.
Yes @TheMmonarch, your question is really great and very frequently asked by Phalcon users. Even I was looking for the same kind of solution, but I have not found it anywhere yet. I tried to write some custom code to make the ACL dynamic using the DB, but I am still struggling with it.
I was surfing a lot of sites and blogs, then finally I came across this DB structure, which could be helpful for building this kind of system.
CREATE TABLE `roles` (
    `name` VARCHAR(32) NOT NULL,
    `description` TEXT,
    PRIMARY KEY(`name`)
);

CREATE TABLE `access_list` (
    `roles_name` VARCHAR(32) NOT NULL,
    `resources_name` VARCHAR(32) NOT NULL,
    `access_name` VARCHAR(32) NOT NULL,
    `allowed` INT(3) NOT NULL,
    PRIMARY KEY(`roles_name`, `resources_name`, `access_name`)
);

CREATE TABLE `resources` (
    `name` VARCHAR(32) NOT NULL,
    `description` TEXT,
    PRIMARY KEY(`name`)
);

CREATE TABLE `resources_accesses` (
    `resources_name` VARCHAR(32) NOT NULL,
    `access_name` VARCHAR(32) NOT NULL,
    PRIMARY KEY(`resources_name`, `access_name`)
);

CREATE TABLE `roles_inherits` (
    `roles_name` VARCHAR(32) NOT NULL,
    `roles_inherit` VARCHAR(32) NOT NULL,
    PRIMARY KEY(roles_name, roles_inherit)
);
Any suggestion or change would be appreciated!!!
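
An added example (not from the question, the answer, or Phalcon itself) showing how the `access_list` and `roles_inherits` tables above can answer a permission check with default deny and transitive role inheritance, plus a fingerprint of the ACL rows for the cache-invalidation idea in the question. Assumptions: Python with an in-memory SQLite database stands in for the PHP/MySQL stack, the sample roles and rules are constructed from the question's description, an explicit deny row anywhere in the inheritance chain overrides an allow, and SHA-256 replaces the md5 the question mentions.

```python
import hashlib
import sqlite3

# Constructed sample data modelled on the question's roles; not from the page.
INHERITS = [("captain", "user"), ("secretary", "user"),
            ("admin", "captain"), ("admin", "secretary")]
RULES = [  # (role, resource, access, allowed)
    ("user", "fixtures", "view", 1),
    ("captain", "team", "pick", 1),
    ("secretary", "opponent", "contact", 1),
    ("captain", "players", "email", 1),
    ("secretary", "players", "email", 1),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE access_list (roles_name TEXT, resources_name TEXT, access_name TEXT,
            allowed INT, PRIMARY KEY (roles_name, resources_name, access_name));
        CREATE TABLE roles_inherits (roles_name TEXT, roles_inherit TEXT,
            PRIMARY KEY (roles_name, roles_inherit));
    """)
    db.executemany("INSERT INTO roles_inherits VALUES (?, ?)", INHERITS)
    db.executemany("INSERT INTO access_list VALUES (?, ?, ?, ?)", RULES)
    return db

def is_allowed(db, role, resource, access):
    """Default deny: needs an allow row on the role or an ancestor, and no deny row."""
    rows = db.execute("""
        WITH RECURSIVE chain(name) AS (
            SELECT ?
            UNION  -- UNION (not UNION ALL) de-duplicates, so a cyclic inherit row cannot loop
            SELECT roles_inherit FROM roles_inherits JOIN chain ON roles_name = chain.name
        )
        SELECT allowed FROM access_list
        WHERE roles_name IN (SELECT name FROM chain)
          AND resources_name = ? AND access_name = ?
    """, (role, resource, access)).fetchall()
    return bool(rows) and all(allowed == 1 for (allowed,) in rows)

def acl_fingerprint(db):
    """Digest of the ACL rows; a cached ACL is stale when this value changes."""
    h = hashlib.sha256()
    for table, order in (("access_list", "1, 2, 3"), ("roles_inherits", "1, 2")):
        for row in db.execute(f"SELECT * FROM {table} ORDER BY {order}"):
            h.update(repr((table, row)).encode())
    return h.hexdigest()
```

Storing the fingerprint next to the cached ACL and recomputing it only when the ACL tables are written keeps the per-request check to a single comparison.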