Custom RBAC with subgroups


I have been trying to implement a custom role based access control, with no success so far.

The situation:

  • I have users

  • I have groups

  • Users are assigned to groups with a many_many relation (one user can belong to several groups and one group can have several users)

  • The users can switch between their groups, but the currently selected group is known

  • I have some predefined operations (createTopic, readTopic, addUser, etc.)

The problem:

I would like to assign some operations to users only for a specific group. So, for example, assign the ‘createTopic’ operation to user #1 in group A. The user should be able to create topics in group A, but not in any other group.

To complicate things, some operations are not group specific, so if a user is assigned the ‘accessForum’ operation, they should be able to access the forum regardless of the currently selected group.

Currently I use the "Rights" module, but it seems it is not suitable for this problem.

I have even tried with just the CDbAuthManager, but the AuthAssignment database table has the ‘itemname’ and ‘userid’ fields as a composite primary key. Since in my situation a user may have the same auth item assigned multiple times (just for different groups, e.g. createTopic for group A and group C), I think it is inevitable to somehow extend the CDbAuthManager or implement the IAuthManager.

But I am totally clueless.

I was thinking about creating a table with fields "userid, groupid, authitemid", and manage the group assignments there. Then in the auth item business rules check if the current user has any records in this group assignments table. But I am not sure this is the simplest and cleanest solution.

Has anyone met with this problem so far? Does anyone have any ideas how I should solve this task? I appreciate any relevant hints, forum topics, Stack Overflow Q&As, etc.
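As an added illustration (not the poster's code, nor the Rights module or CDbAuthManager), this sketches the table proposed above with a primary key over all three columns, plus the lookup a business rule would run against it. The `group_assignment` table name, the numeric group ids, and the convention that `groupid 0` means "applies in every group" are assumptions made for the example.

```python
import sqlite3

# Constructed schema for the (userid, groupid, authitemid) table sketched in the
# post. Because the key spans all three columns, one user may hold the same item
# in several groups, which AuthAssignment's (itemname, userid) key forbids.
ANY_GROUP = 0  # assumption: groupid 0 marks an item that applies in every group
SCHEMA = """
CREATE TABLE group_assignment (
    userid     INTEGER NOT NULL,
    groupid    INTEGER NOT NULL,
    authitemid TEXT    NOT NULL,
    PRIMARY KEY (userid, groupid, authitemid)
);
"""

def open_store():
    """In-memory database holding the constructed sample assignments."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def assign(conn, userid, authitemid, groupid=ANY_GROUP):
    """Grant an operation for one group, or for every group by default.
    A second identical grant is rejected by the key (sqlite3.IntegrityError)."""
    conn.execute(
        "INSERT INTO group_assignment (userid, groupid, authitemid) VALUES (?, ?, ?)",
        (userid, groupid, authitemid),
    )

def check_access(conn, userid, authitemid, current_group):
    """True if the user holds the item in the selected group or as a global grant."""
    row = conn.execute(
        "SELECT 1 FROM group_assignment WHERE userid = ? AND authitemid = ?"
        " AND groupid IN (?, ?) LIMIT 1",
        (userid, authitemid, current_group, ANY_GROUP),
    ).fetchone()
    return row is not None

def demo():
    """Constructed scenario from the post: user 1, groups A=1, B=2, C=3."""
    conn = open_store()
    assign(conn, 1, "createTopic", groupid=1)
    assign(conn, 1, "createTopic", groupid=3)  # same item again, other group
    assign(conn, 1, "accessForum")              # not group specific
    return {
        "createTopic_in_A": check_access(conn, 1, "createTopic", 1),
        "createTopic_in_B": check_access(conn, 1, "createTopic", 2),
        "createTopic_in_C": check_access(conn, 1, "createTopic", 3),
        "accessForum_in_B": check_access(conn, 1, "accessForum", 2),
    }
```

The group-scoped check also covers the group-independent operations, so a single lookup serves both kinds of assignment described in the post.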