I just wanted to tell you guys, in case anyone is in the same
situation, that I've implemented this approach. It's not as much work as I
thought, and it works like a charm. I'm now using two ACEs for each object
and SID, and two ACEs for each field of the object and SID. One ACE for
ALLOW
I think even if it is a bit more work when changing permissions, you should
definitely look into cumulative permissions since this will increase the
performance of your application. It should be sufficient to have one ACE
with all granting, and one ACE with all denying permissions for each
MySQL logs show:
2940 Query START TRANSACTION
2940 Query UPDATE acl_entries SET ace_order = 4 WHERE id = 464
2940 Query UPDATE acl_entries SET ace_order = 3 WHERE id = 465
2940 Query UPDATE acl_entries SET ace_order = 3 WHERE id = 466
2940 Query UPDATE acl_entries SET ace_order = 1 WHERE id = 479
Of course. I'll try to reproduce the issue in a test. In the meantime I want
to clarify that I don't use cumulative permissions, because I need to
configure for each permission if it's an ALLOW or DENY entry, and it's
easier this way. Taking this fact into account, if I could update the
granting