What is a good way to have fine grained authorization?
Assume a voting system: users may or may not be authorized to vote, so the action “vote” needs authorization. But this coarse grained authorization is not sufficient: based on the poll there is a deadline until when they may vote for this poll. So besides an ACL for the action I need something else to restrict access to the vote action for some polls and to hide a “Vote” button in a view.
Right now I’m using DbAcl for authorization of actions based on the user role, and some hand written code in the views and the controllers. But I don’t like the duplication of the code: when I add a new role with more or less restrictions I have to make sure to change code in several places.
Anyone has some ideas how to do better?
Please mind that my poll example is just an example, real world is a bit more complicated. E.g., authorization may also depend on the content of a record (in my poll example a user may change his vote but only his vote, while being allowed to view other votes but not change them).
A website which may explain the matter in a better way:
Christoph