In general, a role is (related to) a job or a task a person performs. You are an Administrator, a Moderator, a Teacher, a Student, a Paymaster, a Financial controller, a Machine Operator, etc.
A group is an arbitrary collection of users. Users, Guests, Banned users, members of project X, People that work on Thursday, Students of class 1B6, etc.
So yes, I could live with your definition of groups and roles.
Since most people don't have applications that have the need for multiple groups, it currently isn't implemented in Auth. A group may have some permissions (you may want a revoke-all on banned users for example), permissions are normally assigned to roles.
As to permissions, a permission is a combination of a permission, an area, and actions.
Both area and permission are just strings, so you can pick any system you want. Some use controller and action, some use a more functional approach (like invoices and details) which could span multiple controllers or actions.
Then with the actions you can define more fine-grained access control. You can for example define that "invoice.details" has as possible actions: "view", "print", "email", "change", "pay", "create" and "delete". This is stored as a serialized indexed array.
When you assign the permission, you can assign a selection of these possible actions. So you can say a role has this permission, and only the actions "print" and "email". This is stored as a serialized array too, this time with the index values. So in this example array(1,2).
"Since most people don't have applications that have the need for multiple groups, it currently isn't implemented in Auth."
Can you clarify that? There is a section in the simpleauth.php that has groups that lists such as you just listed above, Users, Guests, Banned users, etc..
The best thing you can do is to go through the code for the different Auth models, so you'll know which relations are available, and of which type they are.
Donate
