Recently, I stumbled upon an article about ACL in the Zend framework, written by Jani Hartikainen. While reading it, I realized that probably many people struggle with CakePHP’s ACL because of the naming.
The main classes of CakePHP’s ACL implementation are named ACO and ARO, which are acronyms for the technical terms “access control object” and “access request object”. An access control object is something that gets accessed, whereas an access request object is something that wants to access an access control object.
As those acronyms are probably not that familiar to most (I heard them for the first time with the introduction of the ACL feature), you always have to perform translations when you read/hear “ACO” or “ARO”:
ACO => Access Control Object => term you are familiar with ARO => Access Request Object => term you are familiar with
After a while you (resp. your brain) will make those translations automatically. However, at the beginning, when you try to grasp CakePHP’s ACL implementation, those translation automatisms are not there yet, which makes the understanding more difficult…
Now compare this with the names used in the Zend framework: Zend_Acl_Resource (= ACO) and Zend_Acl_Role (= ARO). At least to me those names sound quite familiar. They are very similar to the terms I would use in a discussion about authorization. And because of this familiarity, the aforementioned translation process can be omitted.
And so I think it would also make sense for CakePHP to use terms like “resource” and “role” instead of ACO and ARO to make it easier for those who want to learn how the ACL feature works.