On Dec 31 2006, 1:30 pm, Langdon Stevenson <[EMAIL PROTECTED]>
wrote:
<snip>
Langdon

Oh the joy, my message went missing - sorry for the pseudo-duplicate if
it turns up.

I had a thought regarding the originally posed problem, so thought I
would reply.

ACL doesn't lend itself very well to limiting multiple result sets, but
then it isn't really designed to. Generally speaking I see 2 means of
limiting access:

1) adding a field to the relevant table (access_level = 1,2,3) and
adding a condition such that only data meeting the condition is
returned (access_level <= $userAccessLevel). Obviously this doesn't use
ACL at all, but then ACL isn't always the right solution.

2) Using ACL and cheating.
What do I mean?
Consider wanting to find all albums that Bob can access.

First see if Bob has access to Albums in general, by checking if he has
access to the ACO parent for all albums ( $this->checkAcl
(Bob,Albums,'*');  )

Given that, unless there is a rule denying access to Bob (or one of
Bob's parents) to an album, he has access.
The below pseudo code isn't complete; I realised whilst writing it that
if one of Bob's parents is denied access but Bob himself (or an
intermediary parent) is granted access, Bob would still get denied.
However, I include the code for comments...

   function index() {
       // Paging defaults; the original left $order, $limit and $page undefined.
       $order = 'Album.id ASC';
       $limit = 20;
       $page = 1;
       // findAll() in Cake 1.x accepts a string or array of raw conditions.
       $constraint = $this->_getSubQuery();
       $data = $this->Album->findAll($constraint, null, $order, $limit, $page);
       $this->set('data', $data);
       $this->render('index');
   }

   function _getSubQuery() {
       // Assumes the Aro model is loaded, e.g. var $uses = array('Album', 'Aro');
       $user = $this->Session->read('User.username');
       $aro = $this->Aro->findByAlias($user);
       // findByAlias() returns array('Aro' => array(...)). Cast lft/rght to int
       // before interpolating them into raw SQL.
       $aroLft = (int) $aro['Aro']['lft'];
       $aroRght = (int) $aro['Aro']['rght'];

       // Correlated NOT EXISTS: the outer Album row survives unless some deny
       // rule (_read < 1) is bound both to the ACO aliased 'Album:<id>' and to
       // Bob or one of his ancestors in the ARO nested set. Note the inner
       // query must NOT re-select from `albums`, or it stops being correlated
       // and a single deny rule anywhere would hide every album.
       $subSql[] = "NOT EXISTS (
SELECT
        1
FROM
        `acos`,
        `aros_acos`,
        `aros`
WHERE
        `acos`.`alias` = CONCAT('Album:', `Album`.`id`) /* No match if there is
no specific ACO for that album */
        AND
        `aros_acos`.`aco_id` = `acos`.`id` /* No match if there is no specific
rule for this album */
        AND
        `aros_acos`.`_read` < 1 /* Only succeed for deny rules */
        AND
        `aros_acos`.`aro_id` = `aros`.`id` /* Ties the rule to an aro */
        AND
        `aros`.`lft` <= $aroLft /* Ties the results to Bob or his parents */
        AND
        `aros`.`rght` >= $aroRght /* Ties the results to Bob or his parents */
                        )";
       // An ORDER BY inside an EXISTS test has no effect, so it is dropped here;
       // a grant on Bob that should override a deny on a parent is still not
       // honoured, as noted above.
       return $subSql;
   }

So, anyone willing to pick up the baton and comment on whether this
could work? Be made better-er, or differently?

HTH,

AD7six
Please note:
The manual/bakery is a good place to start any quest for info.
The cake search (at the time of writing) erroneously reports less/no
results for the google group.
The wiki may contain incorrect info - read at your own risk (it's
mainly user submitted) :) You may get your answer quicker by asking on
the IRC Channel (you can access it with just a browser
here: http://irc.cakephp.org).
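The subquery above, run end to end against an in-memory SQLite copy of the Cake ACL tables, as an added example that is not part of the post. Table and column names (aros, acos, aros_acos, _read, lft, rght) follow the post; the user tree, album rows and rules are constructed sample data; SQLite's `||` stands in for MySQL's CONCAT. The first query is the post's deny-anywhere test and reproduces the flaw the author describes (Bob's own grant on an album is ignored because his parent group is denied). The second query is an extension not in the post: it lets the most specific matching ARO rule (largest lft, i.e. deepest in the tree) decide, which is what the author's ORDER BY was reaching for.

```python
"""Nested-set ACL filtering of a result set (added example, constructed data)."""
import sqlite3

# Constructed ARO tree:  Users > Staff > Bob ;  Users > Alice   (id, parent_id, alias, lft, rght)
AROS = [(1, None, "Users", 1, 8), (2, 1, "Staff", 2, 5), (3, 2, "Bob", 3, 4), (4, 1, "Alice", 6, 7)]
# Constructed ACO tree: Albums > Album:1, Album:2, Album:3 (aliases as the post's CONCAT builds them)
ACOS = [(1, None, "Albums", 1, 8), (2, 1, "Album:1", 2, 3), (3, 1, "Album:2", 4, 5), (4, 1, "Album:3", 6, 7)]
ALBUMS = [(1, "Holiday"), (2, "Payroll scans"), (3, "Team offsite")]
# Constructed rules (id, aro_id, aco_id, _read):
#   Staff denied Album:2; Staff denied Album:3 but Bob himself granted Album:3.
ARO_ACO = [(1, 2, 3, 0), (2, 2, 4, 0), (3, 3, 4, 1)]


def build_db():
    """Create the four tables in memory and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE aros (id INTEGER PRIMARY KEY, parent_id INTEGER, alias TEXT, lft INTEGER, rght INTEGER);
        CREATE TABLE acos (id INTEGER PRIMARY KEY, parent_id INTEGER, alias TEXT, lft INTEGER, rght INTEGER);
        CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE aros_acos (id INTEGER PRIMARY KEY, aro_id INTEGER, aco_id INTEGER, _read INTEGER);
    """)
    db.executemany("INSERT INTO aros VALUES (?,?,?,?,?)", AROS)
    db.executemany("INSERT INTO acos VALUES (?,?,?,?,?)", ACOS)
    db.executemany("INSERT INTO albums VALUES (?,?)", ALBUMS)
    db.executemany("INSERT INTO aros_acos VALUES (?,?,?,?)", ARO_ACO)
    return db


# The post's approach: hide an album if ANY deny rule binds it to the user or an ancestor.
# The inner query is correlated on the outer Album.id and does not re-select from albums.
DENY_ANYWHERE_SQL = """
SELECT Album.id FROM albums AS Album
WHERE NOT EXISTS (
    SELECT 1 FROM acos, aros_acos, aros
    WHERE acos.alias = 'Album:' || Album.id
      AND aros_acos.aco_id = acos.id
      AND aros_acos._read < 1
      AND aros_acos.aro_id = aros.id
      AND aros.lft <= ? AND aros.rght >= ?
)
ORDER BY Album.id"""

# Extension (not in the post): the most specific rule wins. Among rules bound to the
# user or an ancestor, the ARO with the largest lft is deepest in the tree; its _read
# decides. With no rule at all the album stays visible (COALESCE(..., 1)).
MOST_SPECIFIC_SQL = """
SELECT Album.id FROM albums AS Album
WHERE COALESCE((
    SELECT aros_acos._read FROM acos, aros_acos, aros
    WHERE acos.alias = 'Album:' || Album.id
      AND aros_acos.aco_id = acos.id
      AND aros_acos.aro_id = aros.id
      AND aros.lft <= ? AND aros.rght >= ?
    ORDER BY aros.lft DESC LIMIT 1
), 1) >= 1
ORDER BY Album.id"""


def visible_albums(db, username, sql):
    """Return the album ids `username` may read under the given filtering query."""
    row = db.execute("SELECT lft, rght FROM aros WHERE alias = ?", (username,)).fetchone()
    if row is None:
        return []  # unknown user: fail closed rather than skip the constraint
    lft, rght = row
    return [r[0] for r in db.execute(sql, (lft, rght))]


if __name__ == "__main__":
    conn = build_db()
    for who in ("Bob", "Alice"):
        print(who, "deny-anywhere:", visible_albums(conn, who, DENY_ANYWHERE_SQL),
              "most-specific:", visible_albums(conn, who, MOST_SPECIFIC_SQL))
```

With this data Bob sees only album 1 under the post's query (album 3 is hidden despite his own grant), and albums 1 and 3 under the most-specific variant; Alice, who has no rules at all, sees all three either way. The lft/rght values are bound as parameters here; in the PHP version they are interpolated into the string, so they should be cast to integers first.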


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
