Thanks for your opinion, cricket.

I just really like my approach because everything that has to do with
permissions is handled at one single point. I'm only working on a
small company-internal application, so I prefer handiness over
performance stuff. I haven't too much experience with my solution yet,
but I expect it to be very useful.

On Thu, Nov 18, 2010 at 7:07 PM, cricket <zijn.digi...@gmail.com> wrote:
> On Thu, Nov 18, 2010 at 11:15 AM, Joshua Muheim <psybea...@gmail.com> wrote:
>> Yes you're right, jeremy, I made this example up (my real User model
>> doesn't have an Address, I just added this to show that there are
>> cases where there's more than one key that isn't another array
>> itself).
>>
>> The reason why I'd like to know this is the following.
>>
>> I have implemented a simple ACL component that delivers an ActiveUser
>> object to the views which can be asked for permissions for certain
>> things:
>>
>> // In the view...
>> <li><?php if($usr->allowed('Users', 'edit')) echo
>> $this->Html->link(__('Edit User', true), array('action' => 'edit',
>> $post['User']['id'])); ?> </li>
>>
>> This works great so far, but it only works on the controller/action level.
>>
>> Every user is in a group which provides an ACL access string like
>> "!*:*,*:index,*:view" for guests or "!*:*,Users:*" for users editors
>> or "*:*" for administrators. So with the functionality above, only
>> administrators can edit users. But I'd also like my users to be able
>> to edit their own user data.
>>
>> So I thought of an extended $usr->allowed(...) version which also
>> accepts a model instance like the following:
>>
>> $usr->allowed('edit', $userInstance) // $userInstance is not the data
>> array, but a real "new User()" instance
>
> That looks like an awfully expensive way to do things. Why don't you
> just check with the session that this is the same User?
>
>
>> Then in the User::allowed(...) method I can ask the model instance
>> itself whether it wants to allow something or not:
>>
>> function allowed(...) {
>>  if(last param is model object)
>>    return modelObject->allows($action, $this->id)
>>  else
>>    do normal ACL string stuff...
>> }
>>
>> So I can implement an allows(...) method in every model I'd like to
>> have authorisation functionality on a model instance level:
>>
>> // In the model...
>> function allows($action, $userId) {
>>  // If the user is the same as the one who owns the record, then let him edit it!
>>  return $this->user_id == $userId;
>> }
>
> view:
>
> if ($data['User']['id'] == $this->Session->read('Auth.User.id'))
> {
>        echo $this->Html->link(
>                'Profile',
>                // no ID passed!
>                array('admin' => 0, 'controller' => 'users', 'action' => 'edit'),
>                array('title' => 'Edit your profile')
>        );
> }
>
> controller (edit method not allowed by Auth):
>
> function edit()
> {
>        if (!empty($this->data))
>        {
>                // User.id isn't even in the edit form
>                $this->data['User']['id'] = $this->Auth->user('id');
>
>                // validate & save
>        }
>        else
>        {
>                $this->data = $this->User->read(null, $this->Auth->user('id'));
>        }
> }
>
> or:
>
> function edit()
> {
>        if (!empty($this->data))
>        {
>                if ($this->data['User']['id'] == $this->Auth->user('id'))
>                {
>                        // ...
>                }
>                else
>                {
>                        // Somebody's been fiddling with hidden form inputs.
>                        // Prepare a scolding.
>                }
>        }
>        else
>        {
>                $this->data = $this->User->read(null, $this->Auth->user('id'));
>        }
> }
>
> Done.
>
>> This works great so far, too. But because CakePHP doesn't deliver
>> views with real model instances but only data arrays, I'd like to be
>> able to pass them to the allowed(...) method, too. There I only have
>> to re-create the model instance, so I can ask it for allowance. And
>> here's the problem: it seems there can't be known what model a data
>> array originated from... Or can there? :-)
>
> Not that I want to encourage you to pursue this but, AFAIK, the first
> model in $data is the primary one.
>
> Check out the new CakePHP Questions site http://cakeqs.org and help others 
> with their CakePHP related questions.
>
> You received this message because you are subscribed to the Google Groups 
> "CakePHP" group.
> To post to this group, send email to cake-php@googlegroups.com
> To unsubscribe from this group, send email to
> cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
> http://groups.google.com/group/cake-php?hl=en
>
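
Added example, not part of the thread or of CakePHP: a plain-PHP sketch of the two checks discussed above, the group ACL string and the record-ownership fallback. The rule semantics (comma-separated Controller:action rules, * as wildcard, a leading ! as deny, last matching rule wins, default deny) and the function names aclAllows() and allowed() are assumptions.

```php
<?php
// Added example. Assumed semantics: rules are "Controller:action",
// "*" is a wildcard, a leading "!" denies, the last matching rule wins.
function aclAllows(string $acl, string $controller, string $action): bool
{
    $allowed = false; // default deny when no rule matches
    foreach (explode(',', $acl) as $rule) {
        $rule = trim($rule);
        $deny = strncmp($rule, '!', 1) === 0;
        if ($deny) {
            $rule = substr($rule, 1);
        }
        $parts = explode(':', $rule, 2);
        if (count($parts) !== 2) {
            continue; // a malformed rule grants nothing
        }
        [$c, $a] = $parts;
        if (($c === '*' || $c === $controller) && ($a === '*' || $a === $action)) {
            $allowed = !$deny;
        }
    }
    return $allowed;
}

// Hypothetical helper: group ACL first, record ownership as a fallback.
// $sessionUserId must come from the server-side session (Auth), never
// from a form field or URL parameter the client controls.
function allowed(string $acl, string $controller, string $action,
                 ?int $ownerId = null, ?int $sessionUserId = null): bool
{
    if (aclAllows($acl, $controller, $action)) {
        return true;
    }
    return $ownerId !== null && $sessionUserId !== null
        && $ownerId === $sessionUserId;
}

// ACL strings quoted in the thread.
$guest  = '!*:*,*:index,*:view';
$editor = '!*:*,Users:*';
$admin  = '*:*';

var_dump(aclAllows($guest, 'Users', 'view'));
var_dump(aclAllows($guest, 'Users', 'edit'));
var_dump(aclAllows($editor, 'Users', 'edit'));
var_dump(aclAllows($admin, 'Posts', 'delete'));
// Constructed ids: session user 7 against a record owned by 7, then by 8.
var_dump(allowed($guest, 'Users', 'edit', 7, 7));
var_dump(allowed($guest, 'Users', 'edit', 8, 7));
```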
