Re: ACL: ACOs inherit permission settings backwards?

Tue, 08 Apr 2008 05:12:55 -0700 

SELECT `Aro`.`id`, `Aro`.`parent_id`, `Aro`.`model`,  
`Aro`.`foreign_key`, `Aro`.`alias` FROM `aros` AS `Aro` LEFT JOIN  
`aros` AS `Aro0` ON (`Aro`.`lft` <= `Aro0`.`lft` AND `Aro`.`rght` >=  
`Aro0`.`rght`) WHERE `Aro0`.`model` = 'User' AND `Aro0`.`foreign_key`  
= 3 ORDER BY `Aro`.`lft` DESC

SELECT `Aco`.`id`, `Aco`.`parent_id`, `Aco`.`model`,  
`Aco`.`foreign_key`, `Aco`.`alias` FROM `acos` AS `Aco` LEFT JOIN  
`acos` AS `Aco0` ON (`Aco0`.`alias` = 'Users') LEFT JOIN `acos` AS  
`Aco1` ON (`Aco1`.`lft` > `Aco0`.`lft` AND `Aco1`.`rght` <  
`Aco0`.`rght` AND `Aco1`.`alias` = 'index') WHERE ((`Aco`.`lft` <=  
`Aco0`.`lft` AND `Aco`.`rght` >= `Aco0`.`rght`) OR (`Aco`.`lft` <=  
`Aco1`.`lft` AND `Aco`.`rght` >= `Aco1`.`rght`)) ORDER BY `Aco`.`lft`  
DESC

SELECT `Permission`.`id`, `Permission`.`aro_id`,  
`Permission`.`aco_id`, `Permission`.`_create`, `Permission`.`_read`,  
`Permission`.`_update`, `Permission`.`_delete`, `Aro`.`id`,  
`Aro`.`parent_id`, `Aro`.`model`, `Aro`.`foreign_key`, `Aro`.`alias`,  
`Aro`.`lft`, `Aro`.`rght`, `Aco`.`id`, `Aco`.`parent_id`,  
`Aco`.`model`, `Aco`.`foreign_key`, `Aco`.`alias`, `Aco`.`lft`,  
`Aco`.`rght` FROM `aros_acos` AS `Permission` LEFT JOIN `aros` AS  
`Aro` ON (`Permission`.`aro_id` = `Aro`.`id`) LEFT JOIN `acos` AS  
`Aco` ON (`Permission`.`aco_id` = `Aco`.`id`) WHERE  
`Permission`.`aro_id` = 6 AND `Permission`.`aco_id` IN (4, 3, 2)


The result of that last call even looks pretty good to me:

+----+--------+--------+---------+-------+---------+---------+------ 
+-----------+-------+-------------+--------+------+------+------ 
+-----------+-------+-------------+-------+------+------+
| id | aro_id | aco_id | _create | _read | _update | _delete | id   |  
parent_id | model | foreign_key | alias  | lft  | rght | id   |  
parent_id | model | foreign_key | alias | lft  | rght |
+----+--------+--------+---------+-------+---------+---------+------ 
+-----------+-------+-------------+--------+------+------+------ 
+-----------+-------+-------------+-------+------+------+
|  1 |      6 |      3 | 1       | 1     | 1       | 1       |    6  
|      NULL | User  |           3 | deceze |   11 |   12 |    3  
|         2 | NULL  |        NULL | Users |    2 |   13 |
|  3 |      6 |      4 | -1      | -1    | -1      | -1      |    6  
|      NULL | User  |           3 | deceze |   11 |   12 |    4  
|         3 | NULL  |        NULL | index |    3 |    4 |
+----+--------+--------+---------+-------+---------+---------+------ 
+-----------+-------+-------------+--------+------+------+------ 
+-----------+-------+-------------+-------+------+------+
2 rows in set (0.00 sec)


And just for completeness:

$ cake acl view aco

---------------------------------------------------------------
Aco tree:
---------------------------------------------------------------
   [2]ROOT

     [3]Users

       [4]index

       [5]edit

       [6]register

       [7]profile

       [8]delete



But:

$cake acl check deceze Users/index all
deceze is allowed.


On 8 Apr 2008, at 20:49, Dardo Sordi Bogado wrote:
>
> Can you post the SQL generated?
>
> On Tue, Apr 8, 2008 at 8:47 AM, David Christopher Zentgraf
> <[EMAIL PROTECTED]> wrote:
>>
>> Those URLs are not loading for me right now,
>> but I'm experiencing this on a Nightly from April 5th (I think).
>>
>> cake/libs/controller/components/acl.php:
>> /* SVN FILE: $Id: acl.php 6491 2008-03-01 03:12:12Z nate $ */
>> ...
>>
>>
>>
>> On 8 Apr 2008, at 20:17, Dardo Sordi Bogado wrote:
>>>
>>> Bug #3851,
>>>
>>> https://trac.cakephp.org/ticket/3851
>>> https://trac.cakephp.org/changeset/6342
>>>
>>> It's fixed in current versions.
>>>
>>> On Tue, Apr 8, 2008 at 6:01 AM, David Christopher Zentgraf
>>> <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Am I getting this right? With the ACL component, AROs inherit their
>>>> permissions like this:
>>>>
>>>> Group [denied something]
>>>> |- User [allowed something]
>>>>
>>>> In this case, the explicitly granted permission on the User  
>>>> overrides
>>>> the general Group setting, allowing the User something  
>>>> specifically.
>>>> With ACOs the opposite seems to be the case:
>>>>
>>>> Controller [allowing user]
>>>> |- Action [denying user]
>>>>
>>>> In this case, the general permission on the Controller seems to
>>>> override the explicitly forbidden Action.
>>>>
>>>> $ cake acl grant deceze Users all
>>>> $ cake acl deny deceze Users/delete all
>>>>
>>>> $ cake acl check deceze Users/delete all
>>>> deceze is allowed.
>>>>
>>>> Is this by design or a bug?
>>>>
>>>> Chrs,
>>>> Dav
>>>>
>>>>>
>>>>
>>>
>>>>
>>
>>
>>>
>>
>
> >


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to