On Dec 31 2006, 1:30 pm, Langdon Stevenson <[EMAIL PROTECTED]> wrote: <snip>
Langdon
Oh the joy, my message went missing - sorry for the pseudo-duplicate if it turns up.

I had a thought regarding the originally posed problem, so thought I would reply. ACL doesn't lend itself very well to limiting multiple result sets, but then it isn't really designed to. Generally speaking I see 2 means of limiting access:

1) Adding a field to the relevant table (access_level = 1,2,3) and adding a condition such that only data meeting the condition is returned (access_level <= $userAccessLevel). Obviously this doesn't use ACL at all, but then ACL isn't always the right solution.

2) Using ACL and cheating. What do I mean? Consider wanting to find all albums that Bob can access. First see if Bob has access to Albums in general, by checking if he has access to the ACO parent for all albums ( $this->checkAcl (Bob,Albums,'*'); ). Given that, unless there is a rule denying access to Bob (or one of Bob's parents) to an album, he has access.

The below pseudo code isn't complete. I realised whilst writing it that if one of Bob's parents is denied access but Bob himself (or an intermediary parent) is granted access, Bob would still get denied. However I include the code for comments...

    function index() {
        // $order, $limit and $page are assumed to be set elsewhere (e.g. from paging parameters)
        $Constraint = $this->_getSubQuery();
        $data = $this->Album->findAll($Constraint, NULL, $order, $limit, $page);
        $this->set('data', $data);
        $this->render('index');
    }

    function _getSubQuery() {
        $user = $this->Session->read('User.username');
        $aro = $this->Aro->findByAlias($user);
        // Cast to int so that only numbers are interpolated into the SQL below
        $aroLft = (int)$aro['Aro']['lft'];
        $aroRght = (int)$aro['Aro']['rght'];
        $SubSQL = array();
        /* `Album` below is the alias of the outer findAll() query, so the
           subquery is evaluated once per album row */
        $SubSQL[] = "NOT EXISTS (
            SELECT Album.id
            FROM `acos`, `aros_acos`, `aros`
            WHERE `acos`.`alias` = CONCAT('Album:', `Album`.`id`) /* Will bomb out if there is no specific ACO for that album */
            AND `aros_acos`.`aco_id` = `acos`.`id` /* Will bomb out if there is no specific rule for this album */
            AND `aros_acos`.`_read` < 1 /* Only succeed for deny rules */
            AND `aros_acos`.`aro_id` = `aros`.`id` /* Ties the results to the found aro/user/group */
            AND `aros`.`lft` <= $aroLft /* Ties the results to Bob or his parents */
            AND `aros`.`rght` >= $aroRght /* Ties the results to Bob or his parents */
            ORDER BY `aros`.`lft` DESC, /* Find the rule for Bob first, his lft field is higher than all his parents */
            `acos`.`lft` DESC /* Find the rule for the album first, its lft field is higher than all its parents */
        )";
        return $SubSQL;
    }

So, anyone willing to pick up the baton and comment on whether this could work? Be made better-er, or differently?

HTH,

AD7six

Please note: The manual/bakery is a good place to start any quest for info. The cake search (at the time of writing) erroneously reports less/no results for the google group. The wiki may contain incorrect info - read at your own risk (it's mainly user submitted) :) You may get your answer quicker by asking on the IRC Channel (you can access it with just a browser here: http://irc.cakephp.org).
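An added example, not part of the original post and not CakePHP's own ACL code: option 2 resolved with "nearest rule wins", so a grant on Bob overrides a deny on one of his parents. It assumes SQLite in place of MySQL, a constructed schema and sample rows, an ACO named 'Album:<id>' for every album, and that the rule closest to the user is checked before the rule closest to the album.

```python
import sqlite3

SCHEMA = """
CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE aros (id INTEGER PRIMARY KEY, alias TEXT, lft INT, rght INT);
CREATE TABLE acos (id INTEGER PRIMARY KEY, alias TEXT, lft INT, rght INT);
CREATE TABLE aros_acos (aro_id INT, aco_id INT, _read INT);
-- Constructed sample data, nested-set trees, _read is 1 (allow) or -1 (deny)
INSERT INTO albums VALUES (1,'Public'),(2,'Staff drafts'),(3,'Private');
INSERT INTO aros VALUES (1,'Everyone',1,10),(2,'Staff',2,7),(3,'bob',3,4),
                        (4,'alice',5,6),(5,'eve',8,9);
INSERT INTO acos VALUES (1,'Albums',1,8),(2,'Album:1',2,3),(3,'Album:2',4,5),
                        (4,'Album:3',6,7);
INSERT INTO aros_acos VALUES (1,1,1),   -- Everyone may read all Albums
                             (2,3,-1),  -- Staff (bob's parent) denied Album:2
                             (3,3,1),   -- bob granted Album:2 anyway
                             (3,4,-1);  -- bob denied Album:3
"""

# Per album: collect every rule that applies to the user or an ancestor ARO,
# on the album ACO or an ancestor ACO, keep only the most specific one, and
# return the album only if that rule is an allow. No rule means no access.
READABLE = """
SELECT a.id FROM albums a
WHERE (SELECT p._read
       FROM acos target
       JOIN acos anc ON anc.lft <= target.lft AND anc.rght >= target.rght
       JOIN aros_acos p ON p.aco_id = anc.id
       JOIN aros r ON r.id = p.aro_id AND r.lft <= :lft AND r.rght >= :rght
       WHERE target.alias = 'Album:' || a.id
       ORDER BY r.lft DESC, anc.lft DESC
       LIMIT 1) = 1
ORDER BY a.id
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def readable_albums(db, username):
    aro = db.execute("SELECT lft, rght FROM aros WHERE alias = ?",
                     (username,)).fetchone()
    if aro is None:  # unknown user: default deny
        return []
    rows = db.execute(READABLE, {"lft": aro[0], "rght": aro[1]})
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    for user in ("bob", "alice", "eve", "mallory"):
        print(user, readable_albums(db, user))
```

The user's lft/rght values are passed as bound parameters rather than interpolated into the SQL string.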