Both of the methods are the same, only you use controller.

On 10/17/2008, Mathew <[EMAIL PROTECTED]> wrote:
>
> This is a security issue, and not an identity authentication issue.
>
> The Auth component is designed to make it easy to confirm someone's
> identity, but not to manage security or permissions for a website. You
> could use ACL or do it yourself.
>
> Anytime a user does something that requires a level of security you
> should always perform a security check to see if that user has
> permissions, and not rely on session data or cookies to cache those
> permission rights.
>
> Deleting a user from the Auth database is nothing more than erasing
> all history of that user's identity and every association will be
> broken. If they created documents, comments, or tasks that are linked,
> how will you know that user "xxx" was deleted?
>
> I would recommend adding a field to your user table called "role", and
> changing that role field to "disabled". Every action a user can
> perform should be verified that their role hasn't changed.
>
> In your AppController in the beforeFilter method you should do the
> following.
>
> $this->Auth->authorize = 'controller';
>
> This will tell the Auth component to call isAuthorized for every
> request to see if the user can perform the current action in a
> controller.
>
> It's in this method that you should look up the current user's role
> from the database, and make sure it's not equal to "disabled". If it
> is then you should perform a redirect to a message page explaining their
> access has been restricted, and include information about why and who
> they should contact.
>
> For example, in my controller only users with the role of
> administrator can access admin pages.
>
> /**
>  * Called by the Auth component to check if the user has access to the
>  * current action.
>  */
> function isAuthorized()
> {
>     // Check if the params contains the key admin
>     if (isset($this->params[Configure::read('Routing.admin')]))
>     {
>         if ($this->Auth->user('role') !== 'admin')
>         {
>             return false;
>         }
>     }
>     return true;
> }
>
> Now, my method uses the session information to validate the role.
> Which is fine for my website, but if you want real time status you can
> perform a simple find on the User table yourself.
>
>
--
Xavier A. Mathews
Student/Developer/Web-Master
GG Client Based Tech Support Specialist
Hazel Crest Illinois
[EMAIL PROTECTED]
"Fear of a name, only increases fear of the thing itself."
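The database-backed variant Mathew describes (authorize = 'controller', then re-reading the role on every request instead of trusting the session copy), written out as an added example; this is not code from the thread or from CakePHP itself. It assumes CakePHP 1.2 conventions, a User model with a `role` column whose value "disabled" means access is revoked, and a `pages/display/restricted` route for the message page.

```php
<?php
// Added example (not from the original thread). Assumes CakePHP 1.2,
// a User model with a `role` column, and a pages/display/restricted view.
class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        // Make the Auth component call isAuthorized() on every request.
        $this->Auth->authorize = 'controller';
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->allow('login', 'logout');
    }

    function isAuthorized() {
        // Read the role fresh from the database rather than from the
        // session, so a role changed to "disabled" takes effect at once.
        $User = ClassRegistry::init('User');
        $user = $User->find('first', array(
            'conditions' => array('User.id' => $this->Auth->user('id')),
            'fields'     => array('User.id', 'User.role'),
            'recursive'  => -1,
        ));

        if (empty($user) || $user['User']['role'] === 'disabled') {
            // Drop the stale session and send the user to the message page
            // explaining that their access has been restricted.
            $this->Auth->logout();
            $this->Session->setFlash('Your access has been restricted. Please contact the site administrator.');
            $this->redirect(array('controller' => 'pages', 'action' => 'display', 'restricted'));
            return false;
        }

        // Admin-prefixed actions (Routing.admin) still require the admin role,
        // checked against the freshly loaded row, not the session.
        if (isset($this->params[Configure::read('Routing.admin')])) {
            return $user['User']['role'] === 'admin';
        }
        return true;
    }
}
```

The extra query per request is the price of real-time revocation; if that matters, the check can be limited to non-idempotent actions, but the session copy of `role` should then never be the only thing standing between a disabled account and a write.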