Both of the methods are the same; only you use 'controller'.

On 10/17/2008, Mathew <[EMAIL PROTECTED]> wrote:
>
> This is a security issue, and not an identity authentication issue.
>
> The Auth component is designed to make it easy to confirm someone's
> identity, but not to manage security or permissions for a website. You
> could use ACL or do it yourself.
>
> Anytime a user does something that requires a level of security you
> should always perform a security check to see if that user has
> permissions, and not rely on session data or cookies to cache those
> permission rights.
>
> Deleting a user from the Auth database is nothing more than erasing
> all history of that user's identity, and every association will be
> broken if they created documents, comments, or tasks that are linked.
> How will you know that user "xxx" was deleted?
>
> I would recommend adding a field to your user table called "role", and
> changing that role field to "disabled". Every action a user can
> perform should be verified that their role hasn't changed.
>
> In your AppController in the beforeFilter method you should do the
> following.
>
> $this->Auth->authorize = 'controller';
>
> This will tell the Auth component to call isAuthorized for every
> request to see if the user can perform the current action in a
> controller.
>
> It's in this method that you should look up the current user's role
> from the database, and make sure it's not equal to "disabled". If it
> is, then you should perform a redirect to a message page explaining their
> access has been restricted, and include information about why and who
> they should contact.
>
> For example, in my controller only users with the role of
> administrator can access admin pages.
>
>     /**
>      * Called by the Auth component to check if the user has access to the
>      * current action.
>      */
>     function isAuthorized()
>     {
>         // Check if the params contain the admin routing key
>         if (isset($this->params[Configure::read('Routing.admin')]))
>         {
>             if ($this->Auth->user('role') !== 'admin')
>             {
>                 return false;
>             }
>         }
>         return true;
>     }
>
> Now, my method uses the session information to validate the role.
> Which is fine for my website, but if you want real time status you can
> perform a simple find on the User table yourself.
>


-- 
Xavier A. Mathews
Student/Developer/Web-Master
GG Client Based Tech Support Specialist
Hazel Crest Illinois
[EMAIL PROTECTED]
"Fear of a name, only increases fear of the thing itself."
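
The "real time status" variant that the quoted message describes but does not show, as an added example that is not code from the original thread: an AppController (CakePHP 1.2 conventions) that sets `authorize = 'controller'` and, in `isAuthorized()`, re-reads the user's role from the database on every request instead of trusting the role cached in the session. A user whose row was set to "disabled", or deleted outright, loses access on their next request and is sent to a message page. The `users.role` column, the `/pages/disabled` static page and the `users/login` action are assumptions for the example.

```php
<?php
// app/app_controller.php -- added example, not from the original post.
// Assumes a "users" table with a "role" column and a static page at
// /pages/disabled that explains the restriction (both are assumptions).
class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        // Tell Auth to call $this->isAuthorized() on every request that
        // passes the login check, so the role is re-verified each time.
        $this->Auth->authorize = 'controller';
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        // Static pages (including the "disabled" notice) stay reachable
        // without a login, otherwise a disabled user loops on the redirect.
        $this->Auth->allow('display');
    }

    /**
     * Called by the Auth component for every request. Looks the role up in
     * the database rather than in the session: a role change or a deleted
     * user row takes effect immediately instead of at the next login.
     */
    function isAuthorized() {
        $role = $this->currentRole();

        if ($role === null || $role === 'disabled') {
            // Drop the cached identity so Auth->user() stops returning it,
            // then send the user to the explanation page. redirect() exits.
            $this->Auth->logout();
            $this->Session->setFlash('Your access has been restricted. Contact the site administrator.');
            $this->redirect(array('controller' => 'pages', 'action' => 'display', 'disabled'));
            return false;
        }

        // Admin-routed actions (admin_*) are reserved for the admin role.
        if (isset($this->params[Configure::read('Routing.admin')]) && $role !== 'admin') {
            return false;
        }
        return true;
    }

    /**
     * Fetch only the role column for the logged-in user. Returns null when
     * the row no longer exists, which isAuthorized() treats as "disabled".
     */
    function currentRole() {
        $User = ClassRegistry::init('User');
        $user = $User->find('first', array(
            'conditions' => array('User.id' => $this->Auth->user('id')),
            'fields'     => array('User.role'),
            'recursive'  => -1,
        ));
        return empty($user) ? null : $user['User']['role'];
    }
}
?>
```

The extra query per request is the price of not trusting the session copy of the role; if that matters, cache it briefly but never for the lifetime of the session, since that is exactly the window a disabled account would keep working in.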

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
