Re: Record level ACL

2011-09-30 Thread jmcneese
to be honest i haven't used or updated this behavior in quite a while.
i am not sure if those todo's are ever going to get done (at least by
me), since i've moved on and have become very busy at work.

as far as how a record owner sets permissions for others is exactly as
i pointed out.  either you grant more broad permissions to other, or
else you manage non-owner's permissions via groups.  meaning, you can
create a group that has more permissions for that particular record
and then add a user into it.  the behavior doesn't know how to do
those things, since they are very application/situation specific.
that sort of thing is up to you, in how you implement your app.  your
app would leverage the functionality that is currently present,
specifically updating the record in question with a new set of bits
(that were calculated by the app) if you wanted to change the owner,
group or permission bits.

if you want to get a better understanding of how this works, find some
more in-depth information about how unix groups work.  don't focus too
hard on the permission bits, but more on how the groups on unix work.
a person has a primary group, as well as secondary group memberships.
as permissions can be granted to a group on a record (or file/
directory, in unix), there are several ways to implement the type of
control set up you are describing.  but the most important thing is to
understand that, so this behavior's capabilities (or limitations) make
more sense.

On Sep 28, 11:36 pm, sathyashrayan sathyashra...@gmail.com wrote:
 On Sep 28, 8:20 pm, jmcneese jmcne...@gmail.com wrote:

  hi there.  it looks to me that you are not using the groups correctly,
  which is how you restrict non-owner users from undesired actions.  the
  bits are just like unix permission bits, in that there is a
  user and group id associated with the record, then bits assigned to
  the owner, group and others (anyone who is not the owner or in the
  group specified).

  a practical example would be something like this:

  you create a new record.  that permission record gets automatically
  created with an owner id matching the creating user's id, and a group
  id matching the creating user's *primary* group id.  the permission
  bits for this new record will either be the default bits defined in
  the behavior configuration, or else whatever you specify in the data
  to be saved.

  let's say you have two groups, Editors and Authors.  you would want
  editors to have full read write access, as well as the creating
  author, but everyone else can only view. that would mean you want to
  have a permission bit of 500 (owner: read/write/delete, group: read/
  write, others: read).  the owner id is the author user's id who
  created the record, and the group id is the editor group's id.

  this would allow the original author to have full control, editors can
  modify the record but not delete, and all other users can read the
  record but not modify/delete.

  does that make more sense?

 Hi,
   First of all my thanks to the wonderful behavior and reply. I
 understood the bit masking part. If you see my previous posts i have
 mentioned how the 9 bits works. I am clear about that. But where i
 need help is when a record owner wants to assign permission to another
 set of groups or users or a single group or user for CRUD on all his
 inserted record (data) how can he do that? I am planning for an
 interface where the record owner allows permission for his inserted
 record to a selected group or users. More than that, you have
 mentioned in your TODO list as

 I intend on updating the plugin to have more options for
 configuration, to wit: implementing some level of inheritable
 permissions, introducing the concept of roles, supporting “trickle-down”
 permission changes to models that actAs Tree, common UNIX-y
 commands like chmod/chown/chgrp.

 Please explain more on this points. Though I am a beginner in cakephp
 (just 2 months) I could try those TODO for my knowledge gain.

  On Sep 28, 5:41 am, sathyashrayan sathyashra...@gmail.com wrote:

   On Sep 28, 12:25 pm, sathyashrayan sathyashra...@gmail.com wrote:

On Sep 28, 11:39 am, sathyashrayan sathyashra...@gmail.com wrote:

 Ok I have made the RMAC work
 (http://jmcneese.wordpress.com/2010/01/28/rmac-is-dead-long-live-rmac/)
 I will tell what i have done.

 1)Downloaded a fresh cakephp
 2)created the users,groups tables
 3)acos,aros,acos_aros (cake schema create DbAcl in command line)
 4)Baked users and used Auth component to set up a login page
 5)Placed the plugin in [path]/app/plugin/permissionable
 6)Created the permission_bits table
 7)Created a contacts table for a sample module
 8)In the file [path]\app\plugins\permissionable\controllers\components\permissionable.php
 I added
    var $components = array('Session', 'Auth');
   for calling
     $users = $this->Auth->user();
   Then assigned

Re: Record level ACL

2011-09-28 Thread jmcneese
hi there.  it looks to me that you are not using the groups correctly,
which is how you restrict non-owner users from undesired actions.  the
bits are just like unix permission bits, in that there is a
user and group id associated with the record, then bits assigned to
the owner, group and others (anyone who is not the owner or in the
group specified).

a practical example would be something like this:

you create a new record.  that permission record gets automatically
created with an owner id matching the creating user's id, and a group
id matching the creating user's *primary* group id.  the permission
bits for this new record will either be the default bits defined in
the behavior configuration, or else whatever you specify in the data
to be saved.

let's say you have two groups, Editors and Authors.  you would want
editors to have full read write access, as well as the creating
author, but everyone else can only view. that would mean you want to
have a permission bit of 500 (owner: read/write/delete, group: read/
write, others: read).  the owner id is the author user's id who
created the record, and the group id is the editor group's id.

this would allow the original author to have full control, editors can
modify the record but not delete, and all other users can read the
record but not modify/delete.

does that make more sense?

On Sep 28, 5:41 am, sathyashrayan sathyashra...@gmail.com wrote:
 On Sep 28, 12:25 pm, sathyashrayan sathyashra...@gmail.com wrote:

  On Sep 28, 11:39 am, sathyashrayan sathyashra...@gmail.com wrote:

   Ok I have made the RMAC work
   (http://jmcneese.wordpress.com/2010/01/28/rmac-is-dead-long-live-rmac/)
   I will tell what i have done.

   1)Downloaded a fresh cakephp
   2)created the users,groups tables
   3)acos,aros,acos_aros (cake schema create DbAcl in command line)
   4)Baked users and used Auth component to set up a login page
   5)Placed the plugin in [path]/app/plugin/permissionable
   6)Created the permission_bits table
   7)Created a contacts table for a sample module
   8)In the file [path]\app\plugins\permissionable\controllers\components\permissionable.php
   I added
      var $components = array('Session', 'Auth');
     for calling
       $users = $this->Auth->user();
     Then assigned userid and groupid in

                    $users = $this->Auth->user();
                    $userId = $users['User']['id'];
                    $groupId = $users['User']['id'];
                    Permissionable::setUserId($userId);
                    Permissionable::setGroupId($groupId);
                    Permissionable::setGroupIds(array($groupId));

   9)Created some groups in tree (tree component) with hierarchy

   10)Now each user logged in and creates a contact  the
   permission_bits table gets filled with model,and model Id and 416
   (default bits) in perms..

   11)If each user logs in and he can see only his records. He can edit
   and view but he can not delete his own record. If an Admin logs in he
   can do all the action(delete also) on all the record including his
   record..

   Now what i need is..

   1)Record created user (owner) can also delete his record

  Ok i have found out doing this point. Which is 480 in the perms column
  of permission_bits table.
  840 == (111) - (100) - (000). Add the line before calling save
  ($this->Contact->save($this->data)) in the contact_controller..

  $this->data['Permissionable'] = array('perms' => 480);

   2)Record created user (owner) can allow other group's user below his
   level to do all the action (create/update/delete/view)

   I can guess that this could be done in the Behavior
   (\app\plugins\permissionable\models\behaviors\permissionable.php) with correct bit
   set in the callback functions. But i dont know what is the bit mask
   for that. If i am wrong then please correct me and guide me how to do
   that.

 ok I got a bit more closer in this. I have changed the

 Permissionable::setUserId(array($userId,6,7)); in the file

 [path]\app\plugins\permissionable\controllers\components\permissionable.php

 where 6,7 are other user IDs I get the following query generated with
 beforeFind() callback function from the file
 [path]\app\plugins\permissionable\models\behaviors\permissionable.php

 SELECT `Contact`.*, `ContactPermissionBit`.* FROM `contacts` AS
 `Contact` INNER JOIN `permission_bits` AS `ContactPermissionBit` ON
 (`ContactPermissionBit`.`foreign_id` = `Contact`.`id` AND
 `ContactPermissionBit`.`model` = 'Contact' AND
 `ContactPermissionBit`.`foreign_id` = `Contact`.`id` AND
 ((`ContactPermissionBit`.`perms`&4 <> 0) OR
 (((`ContactPermissionBit`.`perms`&32 <> 0) AND
 (`ContactPermissionBit`.`gid` = 2))) OR
 (((`ContactPermissionBit`.`perms`&256 <> 0) AND
 (`ContactPermissionBit`.`uid` IN (2,6,7)) WHERE 1 = 1 LIMIT 20

 Look at the last part of the query IN (2,6,7) that happens with the
 array of user ids. But this will affect the afterSave() callback in
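
The owner/group/other bit layout discussed in this thread, as an added example that is not part of the original posts and is not the Permissionable plugin's own code: a stand-alone PHP check that mirrors the three ORed read tests visible in the generated query (4, 32, 256), decodes the values 416, 480 and 500 mentioned above, and shows per-record delegation through the record's group. All function names, ids and sample records are hypothetical, and the write/delete bit positions are an assumption inferred from those three values.

```php
<?php
// Added illustration; not code from the Permissionable plugin.
// The read bits (256, 32, 4) appear in the generated query in the thread;
// the write/delete positions are assumed from the values 416, 480 and 500.
function rmac_bits()
{
    return array(
        'owner' => array('read' => 256, 'write' => 128, 'delete' => 64),
        'group' => array('read' => 32,  'write' => 16,  'delete' => 8),
        'other' => array('read' => 4,   'write' => 2,   'delete' => 1),
    );
}

// Bit for one class/action pair; unknown names throw instead of silently yielding 0.
function rmac_bit($class, $action)
{
    $bits = rmac_bits();
    if (!isset($bits[$class][$action])) {
        throw new InvalidArgumentException("unknown class/action: $class/$action");
    }
    return $bits[$class][$action];
}

// True when the user may perform $action on the record. The three tests are
// ORed, as in the generated query: other bit, group bit + gid, owner bit + uid.
function rmac_allows(array $record, $userId, array $groupIds, $action)
{
    $perms = (int) $record['perms'];
    if ($perms & rmac_bit('other', $action)) {
        return true;
    }
    if (in_array($record['gid'], $groupIds, true) && ($perms & rmac_bit('group', $action))) {
        return true;
    }
    return $record['uid'] === $userId && ($perms & rmac_bit('owner', $action)) !== 0;
}

// Human-readable breakdown of a perms integer.
function rmac_describe($perms)
{
    $parts = array();
    foreach (rmac_bits() as $class => $actions) {
        $granted = array();
        foreach ($actions as $action => $bit) {
            if ($perms & $bit) {
                $granted[] = $action;
            }
        }
        $parts[] = $class . ': ' . ($granted ? implode('/', $granted) : '-');
    }
    return implode(', ', $parts);
}

// Constructed sample data: every id below is made up for the example.
$editors = 10;
$authors = 20;
$collaborators = 40;
$users = array(
    'author'  => array('id' => 2, 'groups' => array($authors)),
    'editor'  => array('id' => 6, 'groups' => array($editors)),
    'visitor' => array('id' => 7, 'groups' => array()),
);

foreach (array(416, 480, 500) as $perms) {
    echo $perms, ' = ', rmac_describe($perms), "\n";
}

// The Editors/Authors case: owned by the author, group set to Editors, perms 500.
$record = array('uid' => 2, 'gid' => $editors, 'perms' => 500);
foreach ($users as $name => $u) {
    foreach (array('read', 'write', 'delete') as $action) {
        $ok = rmac_allows($record, $u['id'], $u['groups'], $action);
        echo sprintf("%-8s %-6s %s\n", $name, $action, $ok ? 'allow' : 'deny');
    }
}

// Owner delegating write access on one record: the application puts the chosen
// users in a group, points the record's gid at it and sets the group write bit.
$record = array('uid' => 2, 'gid' => $authors, 'perms' => 480);
$record['gid'] = $collaborators;
$record['perms'] |= rmac_bit('group', 'write');
$users['visitor']['groups'][] = $collaborators;   // secondary group membership
$v = $users['visitor'];
echo 'after delegation: ', $record['perms'], ' = ', rmac_describe($record['perms']), "\n";
foreach (array('read', 'write', 'delete') as $action) {
    echo 'visitor ', $action, ': ',
        rmac_allows($record, $v['id'], $v['groups'], $action) ? 'allow' : 'deny', "\n";
}
```

Because the three tests are ORed, putting extra ids into the owner test (the `IN (2,6,7)` in the query above) gives the logged-in user owner-level bits on every record those ids own, whereas delegating through the record's group keeps the grant scoped to that one record.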
 

Re: please any one can help me to convert this complex query in to cakephp

2010-05-20 Thread jmcneese
$campaigns->find('all', array(
    'fields' => array(
        'Campaign.campaign_id',
        'Campaign.supplier_id',
        'Campaign.brand',
        'Campaign.end_date'
    ),
    // INNER joins, so the Store.store_id condition below filters the result
    'joins' => array(
        array(
            'type'  => 'INNER',
            'table' => 'campaign_stores',
            'alias' => 'CampaignStore',
            'foreignKey' => false,
            'conditions' => array(
                'Campaign.campaign_id = CampaignStore.campaign_id'
            )
        ),
        array(
            'type'  => 'INNER',
            'table' => 'stores',
            'alias' => 'Store',
            'foreignKey' => false,
            'conditions' => array(
                'Store.store_id = CampaignStore.store_id',
                'Store.store_id' => 3
            )
        )
    ),
    'conditions' => array(
        'Campaign.status NOT' => array('request','cancelled'),
        'or' => array(
            // start date falls inside the requested range
            array(
                'Campaign.start_date >=' => '2010-05-19',
                'Campaign.start_date <=' => '2010-06-30'
            ),
            // end date falls inside the requested range
            array(
                'Campaign.end_date >=' => '2010-05-19',
                'Campaign.end_date <=' => '2010-06-30'
            )
        )
    )
));

don't forget to put conditions where they belong, and that the LEFT
join will not filter correctly whereas the INNER join will.

-joshua

On May 20, 7:20 am, Narendra Padala crazycake...@gmail.com wrote:
 Hi All, I am new to cakephp
 please any one can help me to convert this complex query in to cakephp

     Query       SELECT `c`.`campaign_id`, `c`.`supplier_id`, `c`.`brand`,
                    `c`.`start_date`, `c`.`end_date` FROM `campaigns` as `c`
                     LEFT JOIN `campaign_stores` as `cs` ON `c`.`campaign_id` = `cs`.`campaign_id`
                     LEFT JOIN `stores` as `s` ON `cs`.`store_id` = `s`.`store_id`
                     WHERE
                     ((c.start_date >= '2010-05-19' AND c.start_date <= '2010-06-30')
                     OR (c.end_date >= '2010-05-19' AND c.end_date <= '2010-06-30')
                     OR ('2010-05-19' >= c.start_date AND '2010-05-19' <= c.end_date)
                     OR ('2010-06-30' >= c.start_date AND '2010-06-30' <= c.end_date))
                     AND `c`.`status` NOT IN ('request', 'cancelled')
                     AND `s`.`store_id` = '3'

 Thanks in advance

 On Thu, May 20, 2010 at 6:45 PM, Jeremy Burns jeremybu...@me.com wrote:
  It's TestStore - I just posted a correction.

  Jeremy Burns
  jeremybu...@me.com jeremybu...@mac.com

  On 20 May 2010, at 14:14, Narendra Padala wrote:

  hi here model class name

   Table test_stores: test_store.php, model class TestStores

  TestStores or TestStore. i have doubt let me clarify please

  var $name=TestStores; or var $name=TestStore

  On Thu, May 20, 2010 at 6:32 PM, Jeremy Burns jeremybu...@me.com wrote:

  Model conventions: http://book.cakephp.org/view/901/CakePHP-Conventions

  But in case you can't be bothered to read it, let me spell it out for you.

  Table name - lower case, plural, underscored.
  Field names: lowercase, underscored.
  Model filename: Singular, camel cased.
  Model class name:  Singular, camel cased.

  So your models are:

  Table stores: store.php, model class Store
  Table test_stores: test_store.php, model class TestStores

  Jeremy Burns
  jeremybu...@me.com jeremybu...@mac.com
  (Skype) +44208 123 3822(jeremy_burns)
  (m) +44 7973 481949
  (h) +44 208 530 7573

  On 20 May 2010, at 13:54, Narendra Padala wrote:

  Hi...All i am new to cakephp, i have problem in creating model please help
  me out...!

  My table names like this

  Table one : stores
  Table two : test_stores

  For one i create like this.

  File name: store.php
  
  <?php
      class Stores extends AppModel {
          var $name = 'Store';
      }
  ?>
  For second table how can i create model help me out.?

  For test_stores this how can i create model ?

  Thanks in Advance.

  Check out the new CakePHP Questions site http://cakeqs.org and help
  others with their CakePHP related questions.

  You received this message because you are subscribed to the Google Groups
  CakePHP group.
  To post to this group, send email to cake-php@googlegroups.com
  To unsubscribe from this group, send email to
  cake-php+unsubscr...@googlegroups.com For more options, visit this group
  at http://groups.google.com/group/cake-php?hl=en

  

Metadata plugin for CakePHP 1.3+

2010-02-11 Thread jmcneese
all,

if you have ever needed a way to store arbitrary non-schema data for
your models, then i have made a solution for you.  i'd like to
introduce my new plugin for cakephp 1.3+: Metadata Plugin.  to learn
more about what it can do and how it works, take a look at
http://jmcneese.wordpress.com/2010/02/11/whats-this-data-about-data/

happy baking!

joshua mcneese



Re: CakeFest IV - America - Help us pick a location!

2009-11-14 Thread jmcneese
i vote Seattle, San Francisco or NYC, in order of preference...

Joshua McNeese





Re: ACL: Filter out results based on permissions

2009-08-16 Thread jmcneese

this might work for you: 
http://jmcneese.wordpress.com/2009/04/19/rmac-ftw-part-1/

On Aug 15, 6:50 am, Adrian gond...@gmail.com wrote:
 Hi

 I am trying to filter out records based on acl permissions.

 I have my aro/acos and permissions set up but need a way to filter
 results out from my tickets table based on the acl rules. I have
 this working already in the afterFind() callback of my tickets
 controller, I loop through the results, do an acl->check(...read) on
 each ticket id and unset() the ones where the user does not have
 permission to read:

 ---
                         App::import('Model', 'CakeSession');
                         $session = new CakeSession();

                         // ACL
                         App::import('Component', 'Acl');
                         $acl = new AclComponent();

                         $loggedInUser = $session->read('Auth.User');

                         foreach($results as $key => $value) {
                                 if(!$acl->check(array('model' => 'User', 'foreign_key' => $loggedInUser['user_id']),
                                         'Ticket.' . $value['Ticket']['ticket_id'], 'read')) {
                                         unset($results[$key]);
                                 }
                         }
 ---

 This works but when listing all tickets there are over 2000 records,
 resulting in very slow loading times.

 Does anyone have any ideas of another approach to this?



Re: Poll: what do you hate about CakePHP?

2009-05-08 Thread jmcneese

*chuckle*

my two cents is that if it doesn't do what you want it to, then
fucking code the solution for what your problem is, and then submit
patches/tests to trac.

On May 8, 7:08 am, Smelly Eddie ollit...@gmail.com wrote:
 I hate that it is a powerful framework that can make the tedious work
 of developing sites a breeze.  Its strict adherence to the tried and
 true MVC model is a pain point as well.  Why so logical?

 I hate the active community involvement and powerful documentation and
 API sites.  I hate that people expect Cake to do every little thing.

 It is a framework! Not a solve everything-all-in-one-cms-portal-file-
 manager-blog-forum.

 Use the framework to create an upload component, it takes all of 5
 minutes!!

 On May 8, 8:56 am, Dennis S. Hennen dennis.hen...@gmail.com wrote:

  Consider Post hasMany Comment

       Comment->find('all') returns {n}.Comment.*

       Post->find('all') gives you Comment.{n}.*

  If I want a helper to do processing on a list of comments, I have to
  handle both potential formats, or massage the data.

  Related to this is the $primary parameter to the afterFind callback.

  Perhaps find results as objects instead of arrays?



Re: Trying to Understand the Containable Behavior

2009-05-04 Thread jmcneese

wow, you guys are all making this way more difficult than it needs to
be. KISS!

rob's problem isn't really all that complex.  there's a polymorphic
alerts model that attaches to multiple models that are all
interrelated.  so far so good.

rob, the best place to learn about the syntax is
http://book.cakephp.org/view/78/Associations-Linking-Models-Together
and http://api.cakephp.org/class/model
i'll give you a quick rundown of what it's doing and why, but you need
to learn the section on models inside and out, backwards and
forwards.  it will save you much time in the future.

to address all of the other suggestions: they have been completely
overkill and/or off-the-mark.  this functionality is built-in and very
easy to use.

rob, the reason why you use a different name, or define an alias
for a model, it's because you might be using the same model in the
same query more than once.  think:  if you queried account and its
associated alerts, along with related campaigns and its alerts... how
does the DB know which alerts go with which other table (campaigns/
accounts)?  thus are aliases useful and necessary.

let's go over all the bits:

public $hasMany = array(
  // this is the alias.  if you follow the convention of current model +
  // other model, AccountAlert is the alias
  'AccountAlert' => array(
    // this tells cake that you will be using the Alert model, since we
    // have specified a custom alias
    'className' => 'Alert',
    // this is the foreign key in the alerts table that we will join on
    'foreignKey' => 'entity_id',
    'conditions' => array(
      // this is a field that i assume lives in your alerts table, so you
      // know that the entity_id relates to
      'AccountAlert.model' => 'Account'
    ),
    // this is totally optional, but you can specify what type of join you
    // want to use.  play around to find out what works best for you
    'type' => 'LEFT'
  )
);

after you've done this to all the models that are related to alerts,
then it's just a matter of doing a $model->contain() to specify how
deep you want to go, and then a $model->read() or ->find().

feel free to ping me if you need further help.

On May 4, 4:34 am, j0n4s.h4rtm...@googlemail.com
j0n4s.h4rtm...@googlemail.com wrote:
 First of all, at least to me, you will either have to use Polymorphic
 Behavior OR you cannot use foreignKey but need to use multiple FKs
 per model.

 Following example would NOT use polymorphic (but some FKs being NULL
 instead) - it uses one FK per model that is bound to Alert.

 Account HasMany Campain, Campain BelongsTo Account (account_id in
 campains table)
 Campain HasMany Creative, Creative BelongsTo Campain (campain_id in
 creatives table)

 Account HasMany Alert, Alert BelongsTo Account (account_id in alerts
 table)
 Campain HasMany Alert, Alert BelongsTo Campain (campain_id in alerts
 table)
 Creative HasMany Alert, Alert BelongsTo Creative (creative_id in
 alerts table)

 Make sure those are setup correctly. Setup those in your DB and use
 cake bake to create the models.
 If you are working in an already finished app, just separate the
 problem into a new app and bake that app.

 I am still not sure if this works but I would try something like this:

 <?php
         $allAlerts = $this->Account->find(
                 'all',
                 array(
                         'fields' => array(
                                 'Alert.title',
                                 'Alert.body',
                                 'Alert.created',
                         ),
                         'conditions' => array(
                                 // This selects a given Account - if you want multiple try
                                 // 'Account.id' => array(1, 2, 3), should result into IN(1,2,3)
                                 'Account.id' => $givenAccountid,
                                 // This does the joins
                                 'Account.id = Campain.account_id',
                                 'Campain.id = Creative.campain_id',
                                 // This selects all of the possible alerts
                                 'OR' => array(
                                         'Alert.account_id = Account.id',
                                         'Alert.campain_id = Campain.id',
                                         'Alert.creative_id = Creative.id'
                                 )
                         ),
                         'order' => 'Alert.created DESC'
                 )
         );
 ?>

 Set debug = 2 in core.php and see if the queries do the right thing.
 If that, I am again not sure but maybe you can switch to contains this
 way:

 <?php
         $allAlerts = $this->Account->find(
                 'all',
                 array(
                         'fields' => array(
                                 'Alert.title',
                                 'Alert.body',
                                 'Alert.created',
                         ),
                         // This does the joins
                         

Re: Trying to Understand the Containable Behavior

2009-05-03 Thread jmcneese

it works if you associate your models correctly. in each of your
models, associate them with the Alert model, like so:

public $hasMany = array(
  'AccountAlert' => array(
    'className' => 'Alert',
    'foreignKey' => 'entity_id',
    'conditions' => array(
      'AccountAlert.model' => 'Account'
    )
  )
);

do this with each model that has alerts, making sure to put the
correct model name in the appropriate places.

and then:

$accountModel->contain(array(
  'AccountAlert',
  'Campaign' => array(
    'CampaignAlert',
    'Creative' => 'CreativeAlert'
  )
));
$accountModel->read(null, $account_id);


joshua
http://jmcneese.wordpress.com


On May 2, 5:25 pm, Rob Wilkerson r...@robwilkerson.org wrote:
 I'm trying to do something that I think is reasonably complex (and
 maybe outside of what the behavior was intended to do) with the
 Containable behavior and, although I seem to be dancing all around it,
 I can't get it quite right. I'm hoping someone here can either tell me
 I'm trying to do something that can't be done or help me get it right.

 I have models for Account, Campaign and Creative. An Account hasMany
 Campaign and a Campaign hasMany Creative. I have an alert model that
 belongs to all of these via a generic entity_id foreign key. This
 allows me to set an alert for any of these models and retrieve them
 accordingly without having to create a bunch of separate models. So
 here's the thing:

 What I'd like to do is, for a given Account, retrieve all of the
 alerts that are relevant to that Account - including those related to
 its Campaigns and the Creatives related to the Campaigns. I think (or
 maybe hope is more appropriate) that's possible using Containable.
 Ideally, I'd like to get back an array containing the Alert object and
 the object to which it belongs, but no empty objects. In other words,
 don't return an Account object if the Alert is attached to a Campaign.

 I've tried separately containing those models as well as containing
 them in a nested manner. Here is the current code for the nested
 containment being called from the Account model:

                 $alerts = $this->Alert->find (
                         'all',
                         array (
                                 'contain' => array (
                                         'Account' => array (
                                                 'conditions' => array ( 'Account.id' => $account_id ),
                                                 'Campaign' => array (
                                                         'conditions' => array ( 'Campaign.account_id' => $account_id )
                                                 )
                                         )
                                 )
                         )
                 );

 Any thoughts would be much appreciated.



Re: Row-level Model Access Control for CakePHP

2009-04-19 Thread jmcneese

updated, for those interested:

http://jmcneese.wordpress.com/2009/04/19/rmac-ftw-part-1/



Row-level Model Access Control for CakePHP, updated

2009-04-19 Thread jmcneese

for those interested:

http://jmcneese.wordpress.com/2009/04/19/rmac-ftw-part-1/



Re: Using UUID's

2009-04-18 Thread jmcneese

hey dave,

the long and short of it is: yes, it does impact performance, but for
most people it is negligible.  it has its pros and cons just like
anything, but if you ever are going to scale your app across multiple
servers/clusters/cloud, then uuid is the way to go, due to its
unique nature.

take a look here: http://krow.livejournal.com/497839.html

On Apr 17, 11:21 am, Dave Maharaj :: WidePixels.com
d...@widepixels.com wrote:
 I have been reading about Cakes' Using UUIDs as Primary Keys and in my
 case I think it would be a much to get info from queries. But 2 questions.

 Would the tables now look similar to this?
 User Table: id char(36)
 Associated Tables: user_id char(36)... (I know I had to ask...im new at this
 and still on my first cake site)

 And what performance impact does this have on the database? Site I am
 developing may have up to 20 thousand plus users.Its it going to be faster
 because everything is tied to 1 unique id across all tables? Or will it slow
 it down because of the size of the UUID?

 Thanks for any info,

 Dave



Re: ACL - How to handle multiple nested levels of accounts

2009-04-11 Thread jmcneese

i guess the theoretical limit on a 32bit system is 4,294,967,296
(2^32), but my first question would be do you need unlimited groups,
or unlimited roles?  roles being the classification of user where
actual ACL permissions are attached (role a can access the
users::add method, but role b is not, etc)...  a user could have an
unlimited amount of roles.

On Apr 10, 12:49 pm, zonium zon...@gmail.com wrote:
 Thank you jmcneese for showing me an alternative to the cake's ACL.
 Your articles help me understand weaknesses of ACL when used to
 safeguard records. It's was interesting to see immediate attentions/
 reactions from the core developers on those articles as well.

 One problem (in my case) with the solution you presented is that
 groups are powers of two.This limits the number of groups to the
 number of bits in an integer. I have unlimited numbers of groups.

 Besides, in my case, groups are not in one table where I can use
 parent_id linking entries for tree behavior to work.

 I am still looking for advice. Would like to hear from any one who has
 dealt with a similar situation as mine.

 On Apr 7, 7:09 am, jmcneese jmcne...@gmail.com wrote:

  would this help?

 http://jmcneese.wordpress.com/2009/04/05/row-level-model-access-contr...



Re: Row-level Model Access Control for CakePHP

2009-04-07 Thread jmcneese

absolutely, martin, i'd be honored.

On Apr 6, 8:57 am, mradosta martinrado...@gmail.com wrote:
 Good to know other people are working on this.

 My implementation presented in last cakefest (Buenos Aires 2008) well
 described by Mark Story here:
 http://cakedc.com/developer/mark_story/2008/12/04/martin-radosta-reco...

 The ppt or odp slides I've prepared for the cakefest (spanish version)
 here:
 http://www.pragtico.com.ar/downloads/cakefest-08-v2.ppt
 http://www.pragtico.com.ar/downloads/cakefest-08-v2.odp

 I'm working on a (plug & play) plugin version of this behavior that
 I'll try to present in the next cakefest, so developers don't need to
 know nothing about bitwise operations, etc, etc.

 So, if you (or someone else) would like to join this project, feel
 free to contact me. I'll open a github project soon.

 Regards

 MARTIN

 On Apr 6, 10:46 am, jmcneese jmcne...@gmail.com wrote:

  since i've seen it talked about in the groups many, many, MANY times:

 http://jmcneese.wordpress.com/2009/04/05/row-level-model-access-contr...



Re: Row-level Model Access Control for CakePHP

2009-04-07 Thread jmcneese

brian,

in the filesystem context, i agree, it wouldn't make much sense.  but
in the context of just getting a list of groups that the user can see,
it does.  consider:  if a user is in Global > Internal Users >
Editors, they would be in all three of those groups with my system.
they would be able to assign new records to any or all of the three
groups they are in.  if they can't see the global group, they wouldn't
be able to assign a new row to that group.

i have a layout similar to yours, a sort of VFS called
ContentFolder.  it looks like this:

All Users
- some folder
-- some other folder
Group Folders
- Group A
-- stuff to do
-- hot shit
- Group B
- Group C
Personal Folders
- inbox

the All/Group/Personal folders have an other read permission on
them, so that everyone can see them.  all other users have folders
under the personal folder, but obviously the logged-in user can only
see his own.  there are folders for each group under the group folder,
but the user can only see the groups he's in, etc.

On Apr 6, 10:51 am, brian bally.z...@gmail.com wrote:
 Thanks for posting this. I'm currently trying to work out how to do
 this. I took a look at your behavior and think it'd work for me.

 About the point you mentioned with Tree-based models: I'd think that
 if a User needed to be granted access to some row which had a parent
 that the User had been denied then the layout of your tree is wrong.
 If you think about a filesystem, if user cannot read/execute some
 directory, there's no point in having a file somewhere under it which
 gives read perms.

 My situation is that I have several Groups, and I need to restrict
 which branches of a Volume tree they can see. Basically, like
 filesystem tree, in fact. So, I was faced with having to fetch all
 available Volume.id and pass those to my find('threaded') call, like
 you mention how Mark Story put it: you have to know the answer to the
 question before you even ask it. This works, but seems sub-optimal.

 Anyway, I'll give this a go later. Thanks again.

 On Mon, Apr 6, 2009 at 9:46 AM, jmcneese jmcne...@gmail.com wrote:

  since i've seen it talked about in the groups many, many, MANY times:

 http://jmcneese.wordpress.com/2009/04/05/row-level-model-access-contr...



Re: ACL - How to handle multiple nested levels of accounts

2009-04-07 Thread jmcneese

would this help?

http://jmcneese.wordpress.com/2009/04/05/row-level-model-access-control-for-cakephp/

On Apr 7, 1:06 am, zonium zon...@gmail.com wrote:
 I'm rebuilding the admin part of a legacy application which has
 multiple account types and multiple levels of authority and I’m
 thinking of using ACL and seeking some advice. Here is some background:

 The application needs to handle 4 types of accounts

 1-Administrators
 2-ContentManagers
 3-SiteModerators
 4-Authors

 and several types of resources:
 - Content
 - Report

 Levels of accounts and rules are as follows:

 Administrators
    -Admin1
    -Admin2
    -ContentManagerX
         -Author1
         -Author2
         -SiteModeratorA
              -Author3
              -Author4
         -SiteModeratorB
              -Author5
              -Author6
         -SiteModeratorC
              -Author7
              -Author8
   -Author9
   -Author10

 Each account logs into the admin interface using username  and
 password.

 Each Admin, ContentManager, SiteModerator and Author has ONE account
 to create/manage
 + their own accounts/profiles and accounts/profiles of lower level
 accounts'.
 + the content items created by themselves and by lower level accounts'

 Example:
 A ContentManagerX can create many SiteModerators (e.g SiteModeratorA,
 SiteModeratorB, SiteModeratorC) and can manage
             + accounts/profiles of SiteModeratorA,B,C and content
 items created by SiteModeratorA,B,C
             + account/profiles of Authors (3,4,5,6,7,8) - created by
 SiteModerators
             + account/profiles and content items of Authors (1,2) -
 created by ContentManagerX itself
 Administrator can create/manage many ContentManagers (X,Y,Z).

 Except for admin users, a user account at any level should NOT have
 access to accounts/profiles and content items not under its authority.

 For example SiteModeratorA should NOT have access to SiteModeratorB's,
 Author5's and 6’s accounts/profiles and their content items

 ContentManagerY (not shown on the figure) should NOT have access to
 accounts and resources that belongs to ContentManagerX

 There are potentially a couple of millions of content items
 There are potentially 50K of accounts

 Most tutorials on the net offer solutions where users belong to fixed
 groups (e.g  Admin / Managers /Users) but my case is a bit different.
 Levels of accounts are nested. Accounts are also dynamic, meaning I
 have an unknown number of accounts of ContentManager (X,Y,Z etc.) and
 those accounts can give birth to an unknown number of SiteModerator
 (A,B,C etc.). An Author (end user) can be created by/at any level.
 Authors can register themselves as well (eg. Author 9, 10)

 The profile structures are completely different from one account type
 to another; in order to normalize tables I probably won't put profiles
 in one single table with parent_id linking entries as found in
 traditional ‘users’ and ‘groups’ tables.

 Questions:
 ---
 1 - Naturally, to provide protections at record level I might have to
 create ARO, ACO and AROs_ACOs entries for all existing accounts /
 content items. Not only that requires a large amount of work but I am
 worrying about the performance. How can I avoid this? What is the
 solution to keep aros, acos and aros_acos table light. (most tutorials
 including the one on IBM site suggest adding aros/acos for every
 account and resource item - not sure if it is always a practical
 approach)

 2 – What is the consideration if I use ‘actions’ mode for Auth (e.g
 Auth::authorize = ‘actions’), I know this mode requires me to make an
 inventory of all controller/action to create acos.

 3– Or should I use ‘crud’ mode (e.g Auth::authorize = 'crud'? ) in
 conjunction with Auth::actionMap

 4- would it be better to create a 'users' table to store just
 accounts (username / password) or they can be spread out into the
 tables for different account types (content_managers, site_moderators,
 authors ).

 5- Is it easier and more flexible to just use Auth::authorize =
 ‘controller’ and put all permission checking logic in
 Controller::isAuthorize() ?

 Any suggestion is appreciated ( and welcome comments from aranworld,
 lemoncake, mark_story, francky06l and AD7six   - Many thanks to each
 of you for excellent tutorials on ACL)

 Zonium
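
The rule in the quoted message (an account may manage only itself and the accounts created beneath it, with administrators exempt) can be checked by walking the creator chain instead of storing one ACL entry per record. This is an added example, not code from the thread or from the linked behavior; the flat `$accounts` map, its `type` and `parent` keys and the `canManage()` function are assumptions made for illustration.

```php
<?php
// Constructed sample data mirroring part of the hierarchy in the quoted message.
// 'parent' is the account that created this one (null = top level or self-registered).
$accounts = [
    'Admin1'          => ['type' => 'admin',     'parent' => null],
    'ContentManagerX' => ['type' => 'manager',   'parent' => 'Admin1'],
    'ContentManagerY' => ['type' => 'manager',   'parent' => 'Admin1'],
    'SiteModeratorA'  => ['type' => 'moderator', 'parent' => 'ContentManagerX'],
    'SiteModeratorB'  => ['type' => 'moderator', 'parent' => 'ContentManagerX'],
    'Author1'         => ['type' => 'author',    'parent' => 'ContentManagerX'],
    'Author3'         => ['type' => 'author',    'parent' => 'SiteModeratorA'],
    'Author5'         => ['type' => 'author',    'parent' => 'SiteModeratorB'],
    'Author9'         => ['type' => 'author',    'parent' => null],
];

/**
 * True when $actor may manage a record (profile or content item) owned by $owner.
 * Hypothetical helper: deny by default, allow admins, otherwise require that
 * $actor is $owner or one of $owner's ancestors in the creator chain.
 */
function canManage(array $accounts, string $actor, string $owner): bool
{
    if (!isset($accounts[$actor], $accounts[$owner])) {
        return false; // unknown account on either side: deny
    }
    if ($accounts[$actor]['type'] === 'admin') {
        return true;
    }
    $seen = [];
    for ($node = $owner; $node !== null; $node = $accounts[$node]['parent']) {
        if ($node === $actor) {
            return true; // actor owns the record or sits above the owner
        }
        if (isset($seen[$node]) || !isset($accounts[$node])) {
            return false; // cycle or dangling parent in the data: deny
        }
        $seen[$node] = true;
    }
    return false; // reached the top of the chain without meeting the actor
}

// The cases spelled out in the message.
var_dump(canManage($accounts, 'ContentManagerX', 'Author5')); // created by a moderator under X
var_dump(canManage($accounts, 'SiteModeratorA', 'Author5'));  // belongs to SiteModeratorB
var_dump(canManage($accounts, 'ContentManagerY', 'Author1')); // belongs to ContentManagerX
var_dump(canManage($accounts, 'Admin1', 'Author9'));          // admins are exempt
```

With content items carrying only an owner id, the per-request cost is one short walk up the chain, and the same chain can be flattened into an `owner_id IN (...)` condition when listing records.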



Re: Cakephp - ExtJS or YUI!

2009-04-06 Thread jmcneese

i have done a couple projects that are extjs front-ends backed by
cake.  what exactly are you trying to do?

On Apr 3, 10:35 pm, baur79 bau...@gmail.com wrote:
 Hi everyone,

 do any of you have experience implementing these libraries in
 your Cakephp projects?
 we want to implement the advanced grid features of those libraries.
 please enlighten us.

 Best regards
 Baurzhan

 Kazakhstan / megahosting.kz




Row-level Model Access Control for CakePHP

2009-04-06 Thread jmcneese

since i've seen it talked about in the groups many, many, MANY times:

http://jmcneese.wordpress.com/2009/04/05/row-level-model-access-control-for-cakephp/