The context is an educational administration system built on the Zend Framework. We are implementing a RESTful MVC to handle pretty much all data interactions with clients. Relationships between resources are mapped in the database with foreign keys etc.
Example case: a teacher creating a report on a specific student.
We currently have a role-based permissions system that can be tailored to the level of the individual role (using, e.g., teacher_5 as the role name). Therefore we can easily restrict access to an already existing report (by generating permissions in the report model that allow edit/put permissions on the report only to the tutor role who created it, say). The problem comes on creation. In order to add a report a user can post to /reports, say, the following data:
{ achievement: "4", performance: "5", student_id: "10" }
The problem is that tutors are only allowed to create new reports on a certain subset of student_ids - those students that they are teaching.
One approach would be to treat this as a validation issue on that field. The issue with this is that we want to protect ourselves from making mistakes, and that is not easy to do with validation (the code would have to know in advance that special validation is expected on certain fields).
The other would be to somehow extend our permissions system to a completely granular one (i.e., there would be a permission for every field in every model), and then extend our current permissions system to respond to parameterised permissions checks. So if we wanted to know if the current user has permissions to add student_id 10 to a report on creation, we would end up with something like
if ($acl->isAllowed($resource, $role, $action, $field, $value))
where $resource would be a report model, $role would be the teacher teacher_5, $action would be "post", $field would be student_id, and $value would be 10. The acl class would essentially handle a call to the $resource itself.
We are not sure which direction to take, but presumably this is a fairly common issue, so we are wondering what approach other people have taken.
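The parameterised check sketched above, worked through as an added example (not the poster's code and not Zend_Acl itself): a small ACL keeps the coarse role/action rules, and when a field/value pair is supplied it delegates the decision to the resource object, which is the only place that knows that student_id on a "post" must belong to a student the tutor teaches. The class names, the in-memory teaching table and the student ids are constructed for illustration; the code assumes PHP 8.

```php
<?php
// Added example, not code from the original post. Class names, the in-memory
// "database" and all ids below are constructed for illustration.

interface FieldAuthorizer
{
    /** Return true if $role may submit $value for $field under $action. */
    public function isFieldAllowed(string $role, string $action, string $field, $value): bool;
}

// Constructed stand-in for the teaching relationship held in the database.
final class TeachingRepository
{
    /** @var array<string, int[]> role name => student ids that role teaches */
    private array $classes = [
        'teacher_5' => [10, 11, 12],
        'teacher_6' => [20, 21],
    ];

    public function teaches(string $role, int $studentId): bool
    {
        return in_array($studentId, $this->classes[$role] ?? [], true);
    }
}

// The report model answers the field-level question for its own fields.
final class ReportResource implements FieldAuthorizer
{
    public function __construct(private TeachingRepository $teaching) {}

    public function isFieldAllowed(string $role, string $action, string $field, $value): bool
    {
        if ($action === 'post' && $field === 'student_id') {
            // Only a tutor who teaches the student may create a report on them.
            return $this->teaching->teaches($role, (int) $value);
        }
        // Fields with no special rule are covered by the coarse role permission.
        return true;
    }
}

final class Acl
{
    /** @var array<string, array<string, string[]>> resource class => role => actions */
    private array $rules = [];

    public function allow(string $resource, string $role, string $action): void
    {
        $this->rules[$resource][$role][] = $action;
    }

    /**
     * Coarse check first (may $role perform $action on $resource at all),
     * then the parameterised check delegated to the resource when a
     * field/value pair is supplied.
     */
    public function isAllowed(
        FieldAuthorizer $resource, string $role, string $action,
        ?string $field = null, $value = null
    ): bool {
        $allowedActions = $this->rules[$resource::class][$role] ?? [];
        if (!in_array($action, $allowedActions, true)) {
            return false;
        }
        if ($field === null) {
            return true;
        }
        return $resource->isFieldAllowed($role, $action, $field, $value);
    }
}

// Check an entire POST body field by field; any single refusal denies the request.
function authorizeCreate(Acl $acl, FieldAuthorizer $resource, string $role, array $body): bool
{
    foreach ($body as $field => $value) {
        if (!$acl->isAllowed($resource, $role, 'post', $field, $value)) {
            return false;
        }
    }
    return true;
}

$acl = new Acl();
$acl->allow(ReportResource::class, 'teacher_5', 'post');
$report = new ReportResource(new TeachingRepository());

// A tutor posting a report on one of their own students.
var_dump(authorizeCreate($acl, $report, 'teacher_5',
    ['achievement' => '4', 'performance' => '5', 'student_id' => '10']));
// The same tutor posting a report on a student they do not teach.
var_dump(authorizeCreate($acl, $report, 'teacher_5',
    ['achievement' => '4', 'performance' => '5', 'student_id' => '20']));
// A role with no "post" rule on reports at all, regardless of the student.
var_dump(authorizeCreate($acl, $report, 'teacher_6',
    ['student_id' => '20']));
```

The point of routing every field through authorizeCreate, rather than special-casing student_id in a validator, is that the deny-by-default loop and the resource's own isFieldAllowed are the only two places that need to know a rule exists: adding a constraint to another field is a change inside the model, not in the controller or the validation layer, and the acl call site stays the one the post already proposes.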