I am building a Symfony2 application with access controls using custom voters (instead of the built-in generic ACL system). Checking a permission usually looks like this:
$this->isGranted('EDIT', $someObject);
Which tells me if the current user can edit that object. But how should I handle checking permissions to create new objects?
Suppose a classical blog-like system. I have categories, which have posts, which have comments. I can check the VIEW, EDIT and DELETE permissions by passing in the actual object, but how would I check if a user is allowed to create a new comment, post or category?
I suppose for commenting I could check a CREATE_COMMENT permission against the blog post. And for posting new blog posts I could check CREATE_POST against the category. But there's nothing above the category, so how/what would I check for creating new categories?
Or, instead of checking CREATE rights against parent objects, should I check them against the type of object? E.g.:
$this->isGranted('CREATE', 'My\Bundle\Entity\Comment');
That looks OK but it doesn't take into account the post that the user wants to comment on.
There are tons of ACL systems in as many frameworks and languages. How are object creation permissions usually handled?
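One way to implement the hybrid the question sketches (CREATE_COMMENT voted against the parent Post, CREATE_POST against the parent Category, and CREATE_CATEGORY with no parent at all) in a single Symfony 2.x custom voter. This is an added example, not code from the question or from Symfony; the entity methods Category::isArchived() and Post::areCommentsOpen(), the ROLE_ADMIN/ROLE_AUTHOR role names, and roles being returned as plain strings are assumptions.

```php
<?php
namespace My\Bundle\Security;
use My\Bundle\Entity\Category;
use My\Bundle\Entity\Post;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class CreateVoter implements VoterInterface
{
    private $attributes = array('CREATE_CATEGORY', 'CREATE_POST', 'CREATE_COMMENT');
    public function supportsAttribute($attribute)
    {
        return in_array($attribute, $this->attributes, true);
    }
    public function supportsClass($class)
    {
        return true; // the subject type is validated per attribute in allows()
    }
    public function vote(TokenInterface $token, $object, array $attributes)
    {
        $result = self::ACCESS_ABSTAIN; // abstain so other voters decide unrelated attributes
        foreach ($attributes as $attribute) {
            if (!$this->supportsAttribute($attribute)) {
                continue;
            }
            $result = self::ACCESS_DENIED; // deny by default once the attribute is ours
            $user = $token->getUser();
            if (!is_object($user)) {
                continue; // anonymous token: never allowed to create anything
            }
            if ($this->allows($attribute, $object, $user->getRoles())) {
                return self::ACCESS_GRANTED;
            }
        }
        return $result;
    }
    private function allows($attribute, $subject, array $roles)
    {
        switch ($attribute) {
            case 'CREATE_CATEGORY': // no parent object: subject is null or a class name
                return in_array('ROLE_ADMIN', $roles, true);
            case 'CREATE_POST':     // subject must be the parent Category (assumed isArchived())
                return $subject instanceof Category && !$subject->isArchived() && in_array('ROLE_AUTHOR', $roles, true);
            case 'CREATE_COMMENT':  // subject must be the parent Post (assumed areCommentsOpen())
                return $subject instanceof Post && $subject->areCommentsOpen();
        }
        return false;
    }
}
```

Registering it as a tagged `security.voter` service lets `$this->isGranted('CREATE_COMMENT', $post)` route to it, and a wrong subject type (e.g. a Category passed for CREATE_COMMENT) falls through to the deny branch rather than being granted.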