I have created a simple tree hierarchy as you can see in the attached image for the Role Based Access Control.
So let’s try an example:
There is a user who has the role of "administrator"
So if we check access for the operations "excel" and "administration", we get TRUE.
Also we notice this user has a child role named "super_user".
So if we check access for the operation "calc_stats", then we also get TRUE.
All good so far
Now since super_user has a child role named "manager", we would like to
get TRUE if we check access for the operation "read_island" or "update_island", etc.
BUT when we check access for "read_island" or "update_island", etc., we get an exception!
The BIZRULE of the "island_manager" role is executed!!
Why?
Because inside the protected method checkAccessRecursive the implementation goes from bottom to top:
an SQL query select parent from AuthItemChild WHERE child = '…'; is executed.
So this implementation, starting from the read_island operation, goes to the "manager" role,
and then the recursive execution continues to both of its parents, "super_user" AND!! "island_manager".
Is this what we really want?!
I think maybe an implementation starting from the role "administrator" and going downwards to find the "read_island" operation would be more suitable. Although I am a rookie in RBAC. Please tell me if I am missing something. Thank you!
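To make the difference between the two traversal directions concrete, here is an added example that is not part of the original post and not Yii code. It rebuilds the hierarchy described above in plain Python (dictionaries stand in for the AuthItemChild table, and the parent list for "manager" is ordered the way an unordered SQL result might well return it), attaches an assumed bizrule to "island_manager" that needs an island_id parameter, and runs both a bottom-up check in the style described in the post and a top-down check that starts from the roles the user actually holds:

```python
"""Hierarchical RBAC check: bottom-up vs top-down traversal (constructed example)."""


class BizRuleError(Exception):
    """Raised when a bizrule is evaluated without the parameters it needs."""


# Constructed hierarchy from the post: parent -> children (roles and operations).
CHILDREN = {
    "administrator": ["excel", "administration", "super_user"],
    "super_user": ["calc_stats", "manager"],
    "island_manager": ["manager"],
    "manager": ["read_island", "update_island"],
}

# Reverse lookup, playing the role of
#   select parent from AuthItemChild where child = ...
# The row order of such a query is not guaranteed, so "island_manager" is
# listed first here to show what happens when it is visited before "super_user".
PARENTS = {
    "excel": ["administrator"],
    "administration": ["administrator"],
    "super_user": ["administrator"],
    "calc_stats": ["super_user"],
    "manager": ["island_manager", "super_user"],
    "read_island": ["manager"],
    "update_island": ["manager"],
}


def island_manager_rule(params):
    """Assumed bizrule: the user may only manage islands listed for them."""
    if "island_id" not in params:
        raise BizRuleError("island_manager bizrule needs an island_id parameter")
    return params["island_id"] in params.get("managed_islands", [])


# Only "island_manager" carries a bizrule; every other item allows unconditionally.
BIZRULES = {"island_manager": island_manager_rule}


def run_rule(item, params, log):
    """Record which item's bizrule ran, then evaluate it (no rule means allow)."""
    log.append(item)
    rule = BIZRULES.get(item)
    return True if rule is None else rule(params)


def check_bottom_up(item, assignments, params, log):
    """Walk from the requested operation up through every parent.

    Each visited item's bizrule runs before we know whether the user holds
    that item, so rules of unrelated roles (here "island_manager") execute too.
    """
    if not run_rule(item, params, log):
        return False
    if item in assignments:
        return True
    return any(check_bottom_up(p, assignments, params, log) for p in PARENTS.get(item, []))


def check_top_down(item, assignments, params, log):
    """Start from the roles the user holds and descend towards the operation.

    Only items reachable from an assigned role are visited, so a bizrule on a
    role the user does not hold is never evaluated.
    """

    def reach(current, seen):
        if current in seen:  # guard against cycles in a mis-configured hierarchy
            return False
        seen.add(current)
        if not run_rule(current, params, log):
            return False
        if current == item:
            return True
        return any(reach(child, seen) for child in CHILDREN.get(current, []))

    return any(reach(role, set()) for role in assignments)


def demo():
    """Check "read_island" for a user assigned only "administrator", both ways."""
    assignments = {"administrator"}
    log_down, log_up = [], []
    down = check_top_down("read_island", assignments, {}, log_down)
    try:
        up = check_bottom_up("read_island", assignments, {}, log_up)
    except BizRuleError as exc:
        up = exc  # the exception the post describes
    return down, log_down, up, log_up


if __name__ == "__main__":
    granted, visited_down, result_up, visited_up = demo()
    print("top-down:", granted, visited_down)
    print("bottom-up:", result_up, visited_up)
```

Running demo() shows the top-down check granting access without ever touching "island_manager", while the bottom-up check reaches "island_manager" through "manager" and raises, exactly because the rule is evaluated before the assignment is known. The same top-down function still enforces the island_manager rule when the user really is assigned that role and the island parameters are supplied.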