Hi

I thought that I would share something that I have just developed with the list.

My ACL implementation does a good job of limiting access to controllers and their actions. Cake's ACL is great for checking if: "Mr User" (an ARO) is allowed to access "Mr Object" (an ACO).

However the standard ACL system does not give you a simple way to generate a list of ACOs that "Mr User" is allowed to access.

Therefore if you want to prevent a user from accessing data that they are not allowed to, you have to build some sort of security into your controllers that works out how to limit who can request what. You could also use an afterFind callback to check the access rights on each row returned by a query. This would slow your system to a halt in no time with large queries.

I wanted to make the most of Cake's ACL system, so I poked around in the API and got an understanding for how it all works. From there I wrote a function that retrieves a list of ACOs that the current user is allowed to access.


My solution:

- I created a set of ACOs that represent each client, and their various departments

- Each data record is tagged with the department that the creator belongs to when it is created (assigning an "owner" to the data)

- When a user requests a data record a list of ACOs that they are allowed to access is generated

- Find queries have an extra WHERE clause added to them like this that checks if the owner of the data is in the list of owners that the user is associated with:

AND `Master`.`owner` IN ('client_dept_1:data', 'client_dept_2:data')


As a result, only records that the user is allowed to access are returned to them.

I am quite pleased with this result as it represents only a small increase in overhead to the "find" queries, and it allows me to make full use of the (quite awesome) power of ACL.

I will look at caching the ACO list of the user some time soon to help reduce the number of queries required for each request. Once that is done this system should have negligible impact on the performance of the system, but give me complete control over who can see what.

I hope this may be useful to someone. If so, and you would like to know more about generating a list of ACOs for individual AROs, then let me know. I would be happy to share.

Regards and a happy New Year to everyone,
Langdon
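As an added illustration (not Langdon's code, and not CakePHP's own ACL API), here is the owner-filtering step from the post on a simplified Cake-style ACL schema: the permitted ACO aliases are looked up for the user's ARO, then bound into the `IN (...)` clause as parameters rather than spliced in as literals, and an empty list fails closed so the filter is never silently dropped. Assumed: an in-memory SQLite database, a `masters` table with an `owner` column holding an ACO alias, one ARO per user, only the `_read` flag is considered, and no parent/child inheritance of permissions.

```php
<?php
// Constructed example: simplified Cake-style ACL tables in SQLite.
// Only explicit _read = 1 grants are honoured here; Cake's real ACL also
// inherits permissions through the ACO and ARO trees, which this skips.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE acos (id INTEGER PRIMARY KEY, parent_id INTEGER, alias TEXT)');
$db->exec('CREATE TABLE aros_acos (aro_id INTEGER, aco_id INTEGER, _read INTEGER)');
$db->exec('CREATE TABLE masters (id INTEGER PRIMARY KEY, owner TEXT, payload TEXT)');

// Constructed sample data: one client with two departments; ARO 7 may read
// client_dept_1:data and is explicitly denied (-1) client_dept_2:data.
$db->exec("INSERT INTO acos VALUES (1, NULL, 'client_1'),
           (2, 1, 'client_dept_1:data'), (3, 1, 'client_dept_2:data')");
$db->exec("INSERT INTO aros_acos VALUES (7, 2, 1), (7, 3, -1)");
$db->exec("INSERT INTO masters VALUES (1, 'client_dept_1:data', 'visible'),
           (2, 'client_dept_2:data', 'hidden')");

/** ACO aliases the given ARO has an explicit read grant on. */
function permittedAcos(PDO $db, int $aroId): array
{
    $stmt = $db->prepare('SELECT a.alias FROM acos a
                          JOIN aros_acos p ON p.aco_id = a.id
                          WHERE p.aro_id = ? AND p._read = 1 ORDER BY a.alias');
    $stmt->execute([$aroId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Extra WHERE fragment plus its bound values. An empty owner list must
 *  match nothing (1 = 0); "IN ()" is a SQL error and omitting the clause
 *  would expose every row. */
function ownerCondition(array $owners): array
{
    if ($owners === []) {
        return ['1 = 0', []];
    }
    $marks = implode(', ', array_fill(0, count($owners), '?'));
    return ["owner IN ($marks)", array_values($owners)];
}

/** The filtered "find": only rows whose owner is in the user's ACO list. */
function findMasters(PDO $db, int $aroId): array
{
    [$cond, $params] = ownerCondition(permittedAcos($db, $aroId));
    $stmt = $db->prepare("SELECT payload FROM masters WHERE $cond ORDER BY id");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(findMasters($db, 7));   // user with one readable department
print_r(findMasters($db, 99));  // ARO with no grants: the fail-closed path
```

Caching `permittedAcos()` per request, as the post suggests, leaves `ownerCondition()` and the bound query unchanged.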
