[Catalyst] "Dynamic" authorization

Gunnar Strand gunnarstrand at yahoo.com
Thu Jul 9 08:13:02 GMT 2009


Hi,

Most of the authorization schemes appear to aim to allow authorization 
based on "type", so that a certain group of users is allowed to CRUD a 
specific type of resource, e.g. Albums or Artists etc. If a user has 
access to "albums/update" then the user can change any album. I have 
looked at the two available plugins for authorization, ACL and Roles, 
and both seem to support this scheme.

I would like to have authorization per individual resource. A comparable 
example would be a member only being allowed to update her own member 
information. If I were to implement something like this, I think I'd add a 
table to the database for handling authorization:

Role           Resource

administrators members
administrators blogs
user1          members/update/1
user2          members/update/15
user1          blogs/update/3
user2          blogs/update/13

The table would then be consulted whenever a resource is accessed, and 
the lookup would be put in a central place, if possible. I've 
implemented a ":Restricted" action which handles authentication, and 
that is where I would try to add the authorization as well. One of the 
tricky things would be to have a generic way to create the resource 
identifier from request input.

Does anyone know if this can be implemented using ACL or Roles, and what 
are the principles for doing so?

If not, what is your experience in solving this problem?

KR,
Gunnar
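As an added illustration (not code from the post above or from Catalyst, CatalystX::ACL or the Roles plugin), the following stand-alone Perl script shows the shape of the lookup the post sketches: the Role/Resource table held in `@acl`, a generic resource identifier built from the action path plus request arguments (in a real application these would come from `$c->action->reverse` and `$c->req->args`), and a deny-by-default check that matches on path-segment prefixes so that a row like `administrators members` covers `members/update/15`. The names `@acl`, `%roles_of`, `resource_id`, `covers` and `authorized`, and the sample users and roles, are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: per-resource authorization lookup in plain Perl.
# Not from the original post or from Catalyst; runs without Catalyst.
use strict;
use warnings;

# Constructed copy of the post's "Role / Resource" table. A row grants
# the principal (a role name or a user id) the named resource and, because
# matching is by path prefix, everything beneath it.
my @acl = (
    [ administrators => 'members' ],
    [ administrators => 'blogs' ],
    [ user1          => 'members/update/1' ],
    [ user2          => 'members/update/15' ],
    [ user1          => 'blogs/update/3' ],
    [ user2          => 'blogs/update/13' ],
);

# Constructed user -> roles mapping. In Catalyst this would come from the
# authentication store; it is inline here so the script runs stand-alone.
my %roles_of = (
    alice => ['administrators'],
    user1 => [],
    user2 => [],
);

# Build the resource identifier generically from the request: the private
# action path (what $c->action->reverse returns in Catalyst) followed by the
# request arguments, joined with '/'. Each argument must be a single path
# segment, so input such as "../" or an empty segment cannot widen a match.
sub resource_id {
    my ($action_path, @args) = @_;
    for my $arg (@args) {
        die "bad resource argument\n"
            unless defined $arg && $arg =~ m{\A[\w.-]+\z};
    }
    return join '/', $action_path, @args;
}

# True if $granted names $wanted itself or a path-prefix ancestor of it:
# "members" covers "members/update/1", but "member" does not.
sub covers {
    my ($granted, $wanted) = @_;
    return 1 if $granted eq $wanted;
    return index($wanted, "$granted/") == 0 ? 1 : 0;
}

# Deny by default: allow only if some ACL row whose principal is the user's
# own id or one of the user's roles covers the requested resource.
sub authorized {
    my ($user, $resource) = @_;
    my %principal;
    $principal{$_} = 1 for $user, @{ $roles_of{$user} || [] };
    for my $row (@acl) {
        my ($who, $granted) = @$row;
        return 1 if $principal{$who} && covers($granted, $resource);
    }
    return 0;
}

# Demonstration: an administrator reaches any member record, user1 reaches
# only her own, and an unknown user is denied everything.
for my $case ( [ alice   => 'members/update', 15 ],
               [ user1   => 'members/update', 1  ],
               [ user1   => 'members/update', 15 ],
               [ mallory => 'blogs/update',   3  ] ) {
    my ($user, $path, @args) = @$case;
    my $res = resource_id($path, @args);
    printf "%-8s %-20s %s\n", $user, $res,
        authorized($user, $res) ? 'allow' : 'deny';
}
```

In a Catalyst application the `authorized` call would sit in the central `Restricted` action the post mentions, right after authentication, with `resource_id($c->action->reverse, @{ $c->req->args })` as its second argument; the ACL rows would be read from the database table rather than a literal array.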