[nycphp-talk] phpGACL access control

Keith Casey mailinglists at
Fri Aug 24 19:02:39 EDT 2007

On 8/24/07, Mitch Pirtle <mitch.pirtle at> wrote:
> phpGACL was what was originally intended to be implemented, however
> there were some challenges behind making that possible. Andrew Eddie
> is behind the current ACL work, so he's most definitely the best
> resource to ask that question to.

dotProject has been using phpGACL for about 2.5 years or so.  When we
implemented it, we found that some of it was nasty due to the level of
granularity that we needed so we wrote a wrapper around it to hide
most of it from the core of the code.

Lately we've been adding helper methods to the various core classes to
further abstract this and simplify the overall API.  I think it's
worked out pretty well and has hidden all the complexity while still
allowing admins to define very specific permissions while respecting
parent/child relationships.  For example, knowing that someone has
permissions to see a specific Project doesn't imply anything about the
attached tasks.

> As for phpGACL, the feedback I got was that most ACLs out there are
> good at answering one question, from the following list:
> 1) "Can I access this object?"
> 2) "Who can access this object?"

For the most part, we ignore the 2nd question but also ask the
opposite of the first - "Am I denied access to this object?"

If you check out dotProject, the core of the implementation is in


D. Keith Casey Jr.
CEO, CaseySoftware, LLC

More information about the talk mailing list