Tags: php, security, acl

PHP verify that user has access to content


I am building an ACL plugin to my framework / application.

The previous ACL applications I have worked with have controller / action verification, meaning they check whether the user has access to both the controller and the view.

Now in many applications a user can have access to both the controller and the view but still not have access to the content.

For example:

user1 has access to the controller games and the view play, but does not have access to the id 1.

My first idea was to check the $_GET variable, but this is not sufficient since it is impossible to know which variable the content is looking for.

So my question is how would you verify that the user has access to the content of the view?


Solution

  • Well, you do know the id of the content in your Controller and you do know the user trying to access it. Just add contentId to your ACL check routine. You just have to add more ACL data; the current implementation with just controller and method isn't enough in these cases.

    e.g. $acl->userIsAllowedTo('view', 1, 'gamescontroller') or so.
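One way to implement the two-stage check the answer describes, as an added example that is not the asker's framework or the answerer's code. The Acl class, the resolveWith() hook, the User class and the in-memory games array are all assumptions made for illustration; the point is that the controller passes the record id explicitly to the ACL (so nothing has to guess which $_GET key carries it) and the ACL denies by default whenever a record is named but no per-record rule is registered.

```php
<?php
declare(strict_types=1);

// Added example: controller/action ACL extended with an object-level check.
// All class and method names here are hypothetical, not a real framework API.

final class User
{
    /** @param string[] $roles */
    public function __construct(public readonly int $id, public readonly array $roles) {}
}

final class Acl
{
    /** @var array<string, array<string, string[]>> role => controller => actions */
    private array $roleGrants = [];
    /** @var array<string, callable> resource type => fn(User, string $action, int|string $id): bool */
    private array $resourceResolvers = [];

    public function allow(string $role, string $controller, string $action): void
    {
        $this->roleGrants[$role][$controller][] = $action;
    }

    // Register the rule that decides whether $user may perform $action on one record of $resourceType.
    public function resolveWith(string $resourceType, callable $resolver): void
    {
        $this->resourceResolvers[$resourceType] = $resolver;
    }

    public function isAllowed(
        User $user,
        string $controller,
        string $action,
        ?string $resourceType = null,
        int|string|null $resourceId = null
    ): bool {
        // Stage 1: coarse controller/action grant, as in the existing ACL.
        $granted = false;
        foreach ($user->roles as $role) {
            if (in_array($action, $this->roleGrants[$role][$controller] ?? [], true)) {
                $granted = true;
                break;
            }
        }
        if (!$granted) {
            return false;
        }
        // Stage 2: object-level check. No resource named means a plain action (e.g. a list page).
        if ($resourceType === null) {
            return true;
        }
        // Fail closed: a resource was named but no rule (or no id) exists for it.
        $resolver = $this->resourceResolvers[$resourceType] ?? null;
        if ($resolver === null || $resourceId === null) {
            return false;
        }
        return (bool) $resolver($user, $action, $resourceId);
    }
}

// Constructed sample data standing in for a games table: id => owner and share list.
$games = [
    1 => ['owner' => 7, 'shared_with' => []],
    2 => ['owner' => 7, 'shared_with' => [3]],
    3 => ['owner' => 3, 'shared_with' => []],
];

$acl = new Acl();
$acl->allow('player', 'games', 'play');
$acl->resolveWith('game', function (User $user, string $action, int|string $id) use ($games): bool {
    $game = $games[(int) $id] ?? null;
    if ($game === null) {
        return false; // unknown id: deny rather than reveal whether it exists
    }
    return $game['owner'] === $user->id || in_array($user->id, $game['shared_with'], true);
});

// The controller action receives the id from routing and hands it to the ACL explicitly,
// before any content is loaded or rendered.
function playAction(Acl $acl, User $user, int $gameId): string
{
    if (!$acl->isAllowed($user, 'games', 'play', 'game', $gameId)) {
        return "403 Forbidden: user {$user->id} may not play game {$gameId}";
    }
    return "Playing game {$gameId} as user {$user->id}";
}

$user1 = new User(3, ['player']);
echo playAction($acl, $user1, 1), PHP_EOL; // passes stage 1, fails stage 2 (user 3 has no grant on game 1)
echo playAction($acl, $user1, 2), PHP_EOL; // game 2 is shared with user 3
echo playAction($acl, $user1, 3), PHP_EOL; // user 3 owns game 3
echo playAction($acl, new User(9, []), 3), PHP_EOL; // no role grant, stops at stage 1
```

The resolver is keyed by resource type rather than by controller, so the same "who may view game 1" rule can be reused by every controller that touches games, and a controller that forgets to pass an id for a named resource gets a deny rather than a silent pass.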