Michael, Non-expert reply: After fiddling with ACL for a while I'll say, yes it can do all you want. The aco entries can represent anything you want them to, controllers, actions, individual db records, tabes, urls... Aros can likewise represent anything you choose, users, controllers, actions, ip adresses...
The permission table will hook up the allowable combinations. And since both aros and acos are in a tree structure you can set up any grouping or nesting that serves your needs. It is worth noting that there are two ways to identify an aro or aco node, by alias or by table and id. Ponder the value of these two ways of identifying a requestor or controlled item. As to the specifics of implementing your system... I can't be too specific because I'm stilling trying to sort this out. It seems you can always resort to a kind of brute force approach. At the critical point in your logic you test: does this aro have permission to access this aco? This is the area where I find the tutorials a bit vague. They assume that there is always going to be a standard pattern for testing. User to action or user to crud function on a table. Possibly because my thinking is too fuzzy to build my apps cleanly or possibly because this ideal situation is not realistic, I have found it a bit confusing decide what testing mode to use and where to have the checks made. You are probably going to need to build some before and after save code to make sure proper permissions are set up as things grow. A simple case from tutorials: when a user registers, the save code could make the new user aro record and an aco entry and give them permission to access their own db record. In your case, the work product of a company employee on a project might need to be listed as a child aco in a collection that was accessible to managers of that company. Regards, Don On May 28, 3:54 pm, mivogtGermanyLU <miv...@mivogt.net> wrote: > Hi there, > > after spending some hours of reading the chapert about acl/aro/acro in the > cake books and the cake homepage I am still or even more confused about the > topic. > I understood the meaning of a tree containing the rights but I am absolute > not sure about if it matches my needs or even on how to realize it in my > app. > > So any helping comment is welcome. Linked full tutorials would be great, > too. > > My app consists of a set of MVC stuff to register services grated by users > to be manged from users to be done by users for users with some hierachy in > background. > So there needs to be a superadmin to setup the users in all levels > I need granters to grant projects > I need some to set up the jobs getters and workers > etc > > and in the meaning of some safety the i.e. workers shokld not be able to > change or delete granted jobs etc > > so basically I need to limit the actions/views allowed to a specific logged > in users (after login using auth component) > secondly I need to limit the datasets shown to a user based on his role and > the linked models content > > i.e. > 2 company are granting services to be done for customers with no need to > know each other or the others customers > if a company grants a service for a customer a service-company is named to > fullfill it. So the C sets up the job to be done and the company to do the > job > The servicecompany will have staffs getting some kind of tickes with jobs to > be done and the staff will need to fill a timereport linked to a granted job > (containing the job_id dthe granterid, the service_id datwe,time etc) with > the limitation he wont be able to see jobs done for the customer by others > ... > > to me it looks a bit difficult to split it up into roles only > maybe I need some kind of data-limiting functions, too. Any chance to get it > done by the acl or will I need to add some conditions in my find() inside > the controllers? > > Thanks in advance > > Michael -- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
