Website -> Access Control on data on a website

Hello everybody,

I'm building a web-portal on which many admins work. There is - for example - a web-form to manage customer-data and all the admins shall basically have access to this form, but do not have access to all the data. So depending on their rights, the data is filtered.

My idea is to replicate the website as a structure of nodes (which gives a kind of tree-structure) and at the end of each branch of the tree there is one more node, representing a limited part of the data.

I then create a structure of nodes representing the roles and grant them access to these limited parts of the data. The admins will get a role assigned.

I think this is straightforward so far.

What I would like to do now is to assign a {filter}-property (basically a string with a WHERE-clause) to the (role)-nodes and apply this filter in the query for the form. So the query is dynamically composed - depending on the person, his/her role and the rights assigned to this role with respect to a certain portion of the data.

Do you think this is a good approach or is there any better way?

Thank you,

JJJ

That's exactly what the structr folks have already implemented in their framework. See

structr.com

They also have a bunch of articles and blog posts there and on neo4j.com how they implemented it. If you google for structr neo4j you should find it.

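An added example, not part of either post and not structr's code: one way to compose the per-role filter from structured predicates instead of a stored WHERE string, so that column names pass an allowlist and values are bound as parameters. It assumes a relational `customer` table in SQLite as a stand-in for the real store; the table, columns, role names and helper names are hypothetical.

```python
import sqlite3

# Assumption: the only columns and operators a role filter may reference.
ALLOWED_COLUMNS = {"region", "tier"}
ALLOWED_OPS = {"=", "in"}

# Constructed sample data, as it might be stored on the role nodes:
# each filter is a list of (column, op, value) predicates, ANDed together.
ROLE_FILTERS = {
    "emea_admin": [("region", "=", "EMEA")],
    "key_accounts": [("region", "in", ["EMEA", "APAC"]), ("tier", "=", "gold")],
    "super_admin": [],  # explicit empty filter: sees every row
}

def build_where(role):
    """Return (where_sql, params) for a role; unknown roles match no rows."""
    if role not in ROLE_FILTERS:
        return "0 = 1", []  # fail closed rather than dropping the filter
    clauses, params = [], []
    for column, op, value in ROLE_FILTERS[role]:
        if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
            raise ValueError(f"filter not permitted: {column!r} {op!r}")
        if op == "in":
            values = list(value)
            if not values:
                return "0 = 1", []  # empty IN list can never match
            clauses.append(f"{column} IN ({', '.join('?' * len(values))})")
            params.extend(values)
        else:
            clauses.append(f"{column} = ?")
            params.append(value)
    return (" AND ".join(clauses) or "1 = 1"), params

def customers_for(conn, role):
    """Run the form's query with the role's filter applied."""
    where, params = build_where(role)
    sql = f"SELECT name FROM customer WHERE {where} ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, region TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", [
        ("Acme", "EMEA", "gold"), ("Bolt", "EMEA", "silver"),
        ("Cyan", "APAC", "gold"), ("Dune", "AMER", "gold"),
    ])
    return conn
```

Because only allowlisted column names reach the SQL text and every value is bound, a filter edited by someone with write access to the role data cannot widen the query beyond the predicates the code knows how to build.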