I have a very complex problem that hopefully someone other than myself has modeled before :) I am making a site to keep track of ordering information and customer information for my company as well as any number of resellers, locations, etc etc. So far I have built the site up to the point where all information is usable to everyone, so in other words, I am working on access control.
I have built an access system based off a product that I saw online; in its most basic form access permissions are handled like a normal application. Certain users are assigned permissions to access certain content. Pretty easy. But here is where it gets complicated, see, in this application, not all users should see all data. For instance, if we have a reseller login, we only want them to see accounts related to themselves, no others. So, if I give him Customer-Edit, Customer-Delete, etc., he can only edit and delete his own customers, NOT anyone else's. This is a pretty standard thing but I can't find ANY existing example or code to handle this. Except for the obvious, create special permissions for his reseller group, but that is not the way I want to do this.

Instead I created two new tables, Sites and Organizations. A customer is assigned one or both, and only users assigned to the same site and organization can see the customer. (An organization is a collection of sites and individual users, and a site is a collection of individual users.) I have worked it all the way up to filtering find results so far. I know I am looking at some sort of model afterFind behavior, but the implementation is what concerns me. See, besides customers there are obviously other views: addresses, orders, circuits, etc. If a user wants to view a list of all addresses, only addresses of customers assigned to his site and organization should show up. However, I DO NOT want to include site_id and organization_id in all the other tables, only the customer table.

So my question is, how would I design an afterFind filter that can take some results, figure out what site/organization the customer is assigned to and compare that site and organization to the user? And it has to be able to get to the customer model from any other model that is performing a search. That last part is what is really tripping me up.
Without a given path to the customer table, how would I build the appropriate models without going through and saying 'if model->name == 'circuit' then bindModel(orders->address->customer)' etc. etc.?

Thank you very much for any pointers,
Red Comet

PS. About Cake's ACL stuff: I did a bit of searching before writing this and ACL looked like the way to go for a while, but there are a few pitfalls that make it a little sketchy for me. For one, I have designed the permission system such that users can be assigned groups of permissions AND individual permissions. There are not really designated roles like has been suggested before. It seems to me that if I wanted to do ACLs I would need to assign my users objects each time a new customer was added to their organization. Well, no, that's not right, but I would need to create new AROs for the customer and assign those to an organization for each customer. I think.. :/
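One way to build the afterFind-style filter asked about above, as an added example that is not the poster's code and not CakePHP's API: plain PHP (7.4+) that discovers the belongsTo chain from any model to Customer by breadth-first search, then keeps only rows whose Customer matches the user's sites and organizations. The association map, the in-memory table rows, and the rule that every tenant attribute a customer actually has must match the user are constructed assumptions.

```php
<?php
// Added example, not the poster's code: walk the belongsTo graph from any model to Customer,
// then drop rows whose Customer lies outside the user's site/organization. All data is constructed.
$belongsTo = [                 // model => [foreign key => parent model], mirroring the poster's chain
    'Circuit' => ['order_id' => 'Order'],
    'Order'   => ['address_id' => 'Address'],
    'Address' => ['customer_id' => 'Customer'],
];
$db = [                        // constructed stand-in for the tables: model => id => row
    'Customer' => [1 => ['id' => 1, 'site_id' => 10, 'organization_id' => 100],
                   2 => ['id' => 2, 'site_id' => 20, 'organization_id' => null]],
    'Address'  => [1 => ['id' => 1, 'customer_id' => 1], 2 => ['id' => 2, 'customer_id' => 2]],
    'Order'    => [1 => ['id' => 1, 'address_id' => 1], 2 => ['id' => 2, 'address_id' => 2]],
];
// Breadth-first search for the shortest belongsTo chain to Customer: no per-model "if circuit then bind ..." code.
function pathToCustomer(array $belongsTo, string $model): ?array {
    $queue = [[$model, []]]; $seen = [$model => true];
    while ($queue) {
        [$current, $steps] = array_shift($queue);
        if ($current === 'Customer') return $steps;   // list of [foreignKey, parentModel] hops
        foreach ($belongsTo[$current] ?? [] as $fk => $parent) {
            if (isset($seen[$parent])) continue;      // guard against cyclic associations
            $seen[$parent] = true; $queue[] = [$parent, array_merge($steps, [[$fk, $parent]])];
        }
    }
    return null;                                      // this model has no route to Customer
}
// Follow the chain from one row to its Customer row; null if any link is missing.
function resolveCustomer(array $db, array $path, array $row): ?array {
    foreach ($path as [$fk, $parent]) {
        if (($row = $db[$parent][$row[$fk] ?? -1] ?? null) === null) return null;
    }
    return $row;
}
// Every tenant attribute the customer actually has must match one the user holds (assumed rule).
function canSee(array $customer, array $user): bool {
    foreach (['site_id', 'organization_id'] as $attr) {
        if ($customer[$attr] !== null && !in_array($customer[$attr], $user[$attr . 's'], true)) return false;
    }
    return true;
}
// afterFind-style filter: deny by default, so rows whose owner cannot be resolved are dropped too.
function filterResults(array $db, array $belongsTo, string $model, array $rows, array $user): array {
    $path = pathToCustomer($belongsTo, $model);
    if ($path === null) return [];
    return array_values(array_filter($rows, fn($r) => ($c = resolveCustomer($db, $path, $r)) !== null && canSee($c, $user)));
}
$user = ['site_ids' => [10], 'organization_ids' => [100]];
$circuits = [['id' => 1, 'order_id' => 1], ['id' => 2, 'order_id' => 2], ['id' => 3, 'order_id' => 99]];
print_r(filterResults($db, $belongsTo, 'Circuit', $circuits, $user));   // circuit 1 only
```

Circuit 2 resolves to a customer at site 20 and is dropped; circuit 3 points at a non-existent order and is dropped by the deny-by-default branch rather than leaking through.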