I'm working on an access control manager for a project and was wondering if I'm taking the right approach.
My database looks like this:
http://tmp.street-maniacs.nl/database.png
As you can see, users are placed in groups and the rights are enforced on the groups. It's not possible to enforce rights on individual users.
The ARO tree looks as follows:
[code]
ARO
|
|-AXO1
| |-ACO1
| |-ACO2
|-AXO2
| |-ACO1
| |-ACO2
[/]
In this case the groups are AROs.
The ACL is stored in the session:
[code=php]
$_SESSION['user']['acl'] =
array(
    'createNew'   => array('newsArticle', 'user', 'contentPage', 'etc...'),
    'edit'        => array('newsArticle', 'user', 'contentPage', 'etc...'),
    'delete'      => array('newsArticle', 'user', 'contentPage', 'etc...'),
    'moreActions' => array('moreControlObjects'),
);
[/]
Code to check the tree looks like this (pseudo code)
[code=php]
/**
 * @function aclCheck
 * @description Check if an ARO can perform an AXO on an ACO; returns true if the AXO is allowed, false otherwise
 * @param string $axo    Action name
 * @param string $aco    Access Control Object name
 * @param int    $userID optional, defaults to the logged-in user
 * @return bool
 **/
function aclCheck($axo, $aco, $userID = null)
{
    /* PHP does not allow $_SESSION in a default parameter value, so resolve it here */
    if ($userID === null) {
        $userID = $_SESSION['user']['userId'];
    }
    if ($userID != $_SESSION['user']['userId'])
    {
        /* code to rebuild the ARO tree for the userId */
    }
    /* Check for ACL: deny when none is present */
    if (!isset($_SESSION['user']['acl']) || !is_array($_SESSION['user']['acl']))
    {
        /* No ACL for this user */
        return false;
    }
    if (!array_key_exists($axo, $_SESSION['user']['acl']))
    {
        /* No AXOs defined for this ARO */
        return false;
    }
    /* Is the ACO defined within this AXO? Strict comparison avoids loose == matches */
    if (in_array($aco, $_SESSION['user']['acl'][$axo], true))
    {
        return true;
    }
    return false;
}
[/]
ARO, Access Request Object: an object that requests to perform an AXO on an ACO
ACO, Access Control Object: an AXO is performed on an ACO
AXO, Access eXtension Object: the action that is performed
The question that is asked:
Can ARO perform AXO on ACO
or
Can John perform Edit on Article
- John is an ARO (Access Request Object); he requests access to edit an article
- article is an ACO (Access Control Object); John wants to edit Article
- edit is an AXO (Access eXtension Object, or action); John wants to Edit the article
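To show how the group-based rights described in the post can be turned into a per-user, deny-by-default ACL map, here is an added example. It is not the poster's code; the row layout (group_id, axo, aco), the user-to-group list and the sample rows are all assumptions standing in for the database in the screenshot.

```php
<?php
// Added example, not from the original post. Builds the effective ACL for one
// user from group->right rows and answers "can ARO perform AXO on ACO?" with
// deny by default. Column names and sample rows below are assumptions.
declare(strict_types=1);

final class Acl
{
    /** @var array<string, array<string, true>>  action => [object => true] */
    private array $grants = [];

    /**
     * Build the ACL for a user.
     * $userGroups  : group ids the user belongs to (assumed user_groups table)
     * $groupRights : rows like ['group_id' => 1, 'axo' => 'edit', 'aco' => 'newsArticle']
     */
    public static function forUser(array $userGroups, array $groupRights): self
    {
        $acl = new self();
        $memberOf = array_flip(array_map('intval', $userGroups));
        foreach ($groupRights as $row) {
            // Only rights of groups the user is actually in count; everything else is denied.
            if (!isset($memberOf[(int) $row['group_id']])) {
                continue;
            }
            $acl->grants[(string) $row['axo']][(string) $row['aco']] = true;
        }
        return $acl;
    }

    /** Can this ARO perform $axo on $aco? True only for an explicit grant. */
    public function can(string $axo, string $aco): bool
    {
        // Keyed lookup: no loose in_array() comparison, no type juggling.
        return isset($this->grants[$axo][$aco]);
    }

    /** Same shape as the post's $_SESSION['user']['acl'] array. */
    public function toSessionArray(): array
    {
        return array_map('array_keys', $this->grants);
    }
}

// Constructed sample rows standing in for the rights table (assumption).
$groupRights = [
    ['group_id' => 1, 'axo' => 'createNew', 'aco' => 'newsArticle'],
    ['group_id' => 1, 'axo' => 'edit',      'aco' => 'newsArticle'],
    ['group_id' => 2, 'axo' => 'delete',    'aco' => 'newsArticle'],
    ['group_id' => 2, 'axo' => 'edit',      'aco' => 'user'],
];

// John is only in group 1, so he may edit articles but not delete them.
$john = Acl::forUser([1], $groupRights);
var_dump($john->can('edit', 'newsArticle'));   // granted through group 1
var_dump($john->can('delete', 'newsArticle')); // denied: that right belongs to group 2
var_dump($john->can('edit', 'user'));          // denied: not granted to any of John's groups

// Cache it in the session the way the post does, but rebuild it (not reuse it)
// whenever the user's group membership or the group's rights change.
$sessionAcl = $john->toSessionArray();
```

Because the map is rebuilt from the group rows, a right revoked from a group disappears for every member on the next rebuild; the one caveat with the session-cached copy in the post is that it keeps granting until the session is refreshed, so rebuild it on login and after any change to group membership or group rights.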