Currently I'm trying to understand how to use the provided ACL package in Acegi.
What would be the best way to filter on domain objects? Think about a query where I want to get a list of all customers who the user is allowed to edit.
That might be 2 out of 500.
If I understand the acegi approach correctly, I wouldn't care about the security in my business logic so I would simply do a
which would return all customers in the case acegi wouldn't intercept.
But I can't see how to accomplish that with acegi. I can't load 500 customers and traverse them to see if the user is allowed to edit them.
I think the only efficient way is to mix business and security logic in the DB query so that only the 2 customers are returned.
Mhm, but I'm not sure if I really grasp the concepts behind Acegi and ACL. So is there a cleaner way than mixing security and business?
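For reference, this is how Acegi's own ACL package handles the case described above: an after-invocation provider filters the collection a service method returns, keeping only the objects on which the caller holds the required ACL permission. This is an added example, not the poster's code; `com.example.CustomerService.findAll`, and the `authenticationManager`, `accessDecisionManager` and `aclManager` beans it references, are assumed to be defined elsewhere.

```xml
<!-- Constructed example: after-invocation ACL filtering of a returned collection
     (Acegi 1.0.x bean classes). CustomerService/findAll are assumed names. -->
<bean id="customerServiceSecurity"
      class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="afterInvocationManager" ref="afterInvocationManager"/>
  <!-- ROLE_USER is checked before the call; AFTER_ACL_COLLECTION_READ tells the
       after-invocation provider to strip entries the caller is not permitted on. -->
  <property name="objectDefinitionSource">
    <value>
      com.example.CustomerService.findAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
    </value>
  </property>
</bean>

<bean id="afterInvocationManager"
      class="org.acegisecurity.afterinvocation.AfterInvocationProviderManager">
  <property name="providers">
    <list>
      <ref local="aclCollectionFilter"/>
    </list>
  </property>
</bean>

<!-- Removes every element of the returned Collection for which the current
     Authentication holds none of the listed SimpleAclEntry permissions.
     Caveat: the DAO still loads the full result set (all 500 customers)
     before this provider discards the ones the user may not edit. -->
<bean id="aclCollectionFilter"
      class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
  <property name="aclManager" ref="aclManager"/>
  <property name="requirePermission">
    <list>
      <value>1</value>  <!-- SimpleAclEntry.ADMINISTRATION -->
      <value>4</value>  <!-- SimpleAclEntry.WRITE -->
    </list>
  </property>
</bean>
```

This keeps the security decision out of the DAO query, at the cost the post describes: the filtering is applied to the loaded collection, so the query itself still returns every row.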