Em Tuesday 10 June 2008 04:29:47 Cecil Westerhof escreveu: > That will only work when every user is in a group. > I think that there is a way to get the group(s) of an user. When the > only requirement is that the person is part of a group, you could > check that it is not empty.
Either that or instead of checking for groups check for a specific permission (kind of "ibelongtoagroup" permission) and use that on all groups. You can even hide this permission from the interface and add it automatically to all groups. All places where I check for identity stuff I check for permissions, this way I can have fine grained control and I can group the same permission in different groups assigned to different users. All what I do, from an identity point of view, is requiring certain permissions, adding those with a nice description to the permissions table and then I let my client decide who will do what. For his clients we made two extra interfaces: one where he says which groups will be available for them and another that filters user-group associations to show just that groups and to let them associate permissions to their own users (i.e. I have an internal admin that does that and each external company has their own admin that can decide what their users can do). It isn't as complex as it seems and can be implemented quickly. But I suggest only checking for permissions, never for users or groups. (I also use not anonymous checks). Regards, -- Jorge Godoy <[EMAIL PROTECTED]>
signature.asc
Description: This is a digitally signed message part.
