Re: ACL Question
Hi Ed,

Are you trying to say managing the actions only and sometimes it affects your CRUD? I'm not an expert in this area, but giving my shot is: Use routing? That area is strange for me. Are you trying to hide some of the CRUD buttons for some users and not all? I think you can do that, I read that somewhere although I didn't manage to accomplish.

Best wishes, cheers.
John Maxim.

On Jan 18, 12:18 am, CrotchFrog crotchf...@gmail.com wrote:

Hi John,

I do use a plugin to manage permissions and it seems to work quite well although I still prefer the shell interface for adding/removing aro/aco and creating permissions on the fly. The grey area for me right now is authorizing CRUD vs. otherActions. I know that I can use Auth->mapActions and treat otherActions as CRUD but I assumed that Auth->authorize='actions' would allow me grant/deny permissions on that action regardless of what the action does in relation to CRUD. I guess I'm still a bit confused here.

On Jan 15, 11:02 pm, John Maxim goog...@gmail.com wrote:

Hi Ed,

You can customise your users permission using ACL plugin. I suggest finding one on your own, the current one I use has a drawback when I have over 10 groups with different permission settings. The role permission setting stops working. However, it's still effective if I view users roles or users permission, and from there we can customise the users permission.

You may want to refer to this: http://www.alaxos.net/blaxos/pages/view/7

I'm not sure if you can find a better one or make one. The recommended ACL plugins can be found here: Mark Story's ACL extras and menu components. http://josediazgonzalez.com/2010/08/16/cakephp-plugins-a-biblical-ret...

If anytime you managed to get one working better than any above, share with me. :-)

Best regards,
Maxim.

On Jan 16, 9:59 am, Ed Propsner crotchf...@gmail.com wrote:

I've been plugging away with Cake for some time now with extremely few issues. I recently decided that ACL was the right choice for my app ... now I have issues :) I've toyed with it long enough now that I understand the concept and mechanics of it but the issue I'm having is this: When granting access, it seems to be all or nothing. If I take the Group users for example, access has to be at CRUD 1 1 1 1 or sitewide access is denied. Changing it to CRUD 1 1 1 0 denies access not just to the controller or parts of it, but the entire app.

I was assuming that ultimately I would be able to deny access to any controller/action that I want but it doesn't seem to be working out that way for me. What am I overlooking here? I referenced the tutorial in the book when putting the ACL together so the set-up is very straightforward. I didn't try to do anything fancy or creative with it, it's all by the book.

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups CakePHP group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: ACL Question
Hi John,

I do use a plugin to manage permissions and it seems to work quite well although I still prefer the shell interface for adding/removing aro/aco and creating permissions on the fly. The grey area for me right now is authorizing CRUD vs. otherActions. I know that I can use Auth->mapActions and treat otherActions as CRUD but I assumed that Auth->authorize='actions' would allow me grant/deny permissions on that action regardless of what the action does in relation to CRUD. I guess I'm still a bit confused here.

On Jan 15, 11:02 pm, John Maxim goog...@gmail.com wrote:

Hi Ed,

You can customise your users permission using ACL plugin. I suggest finding one on your own, the current one I use has a drawback when I have over 10 groups with different permission settings. The role permission setting stops working. However, it's still effective if I view users roles or users permission, and from there we can customise the users permission.

You may want to refer to this: http://www.alaxos.net/blaxos/pages/view/7

I'm not sure if you can find a better one or make one. The recommended ACL plugins can be found here: Mark Story's ACL extras and menu components. http://josediazgonzalez.com/2010/08/16/cakephp-plugins-a-biblical-ret...

If anytime you managed to get one working better than any above, share with me. :-)

Best regards,
Maxim.

On Jan 16, 9:59 am, Ed Propsner crotchf...@gmail.com wrote:

I've been plugging away with Cake for some time now with extremely few issues. I recently decided that ACL was the right choice for my app ... now I have issues :) I've toyed with it long enough now that I understand the concept and mechanics of it but the issue I'm having is this: When granting access, it seems to be all or nothing. If I take the Group users for example, access has to be at CRUD 1 1 1 1 or sitewide access is denied. Changing it to CRUD 1 1 1 0 denies access not just to the controller or parts of it, but the entire app.

I was assuming that ultimately I would be able to deny access to any controller/action that I want but it doesn't seem to be working out that way for me. What am I overlooking here? I referenced the tutorial in the book when putting the ACL together so the set-up is very straightforward. I didn't try to do anything fancy or creative with it, it's all by the book.
ACL Question
I've been plugging away with Cake for some time now with extremely few issues. I recently decided that ACL was the right choice for my app ... now I have issues :) I've toyed with it long enough now that I understand the concept and mechanics of it but the issue I'm having is this: When granting access, it seems to be all or nothing. If I take the Group users for example, access has to be at CRUD 1 1 1 1 or sitewide access is denied. Changing it to CRUD 1 1 1 0 denies access not just to the controller or parts of it, but the entire app.

I was assuming that ultimately I would be able to deny access to any controller/action that I want but it doesn't seem to be working out that way for me. What am I overlooking here? I referenced the tutorial in the book when putting the ACL together so the set-up is very straightforward. I didn't try to do anything fancy or creative with it, it's all by the book.
Re: ACL Question
Hi Ed,

You can customise your users permission using ACL plugin. I suggest finding one on your own, the current one I use has a drawback when I have over 10 groups with different permission settings. The role permission setting stops working. However, it's still effective if I view users roles or users permission, and from there we can customise the users permission.

You may want to refer to this: http://www.alaxos.net/blaxos/pages/view/7

I'm not sure if you can find a better one or make one. The recommended ACL plugins can be found here: Mark Story's ACL extras and menu components. http://josediazgonzalez.com/2010/08/16/cakephp-plugins-a-biblical-retelling/

If anytime you managed to get one working better than any above, share with me. :-)

Best regards,
Maxim.

On Jan 16, 9:59 am, Ed Propsner crotchf...@gmail.com wrote:

I've been plugging away with Cake for some time now with extremely few issues. I recently decided that ACL was the right choice for my app ... now I have issues :) I've toyed with it long enough now that I understand the concept and mechanics of it but the issue I'm having is this: When granting access, it seems to be all or nothing. If I take the Group users for example, access has to be at CRUD 1 1 1 1 or sitewide access is denied. Changing it to CRUD 1 1 1 0 denies access not just to the controller or parts of it, but the entire app.

I was assuming that ultimately I would be able to deny access to any controller/action that I want but it doesn't seem to be working out that way for me. What am I overlooking here? I referenced the tutorial in the book when putting the ACL together so the set-up is very straightforward. I didn't try to do anything fancy or creative with it, it's all by the book.
Re: Basic ACL question; Why have all users in the ARO?
try this: http://book.cakephp.org/view/465/Understanding-How-ACL-Works

sometimes, maybe you will need to create groups for users but in those groups there will must be some users, who have special - premium access ...

2010/3/23 xtraorange xtraora...@gmail.com:

Howdy all,

Maybe someone can explain this to me, because I'm just having trouble understanding:

In the tutorial (http://book.cakephp.org/view/641/Simple-Acl-controlled-Application) the author seems to be suggesting that all users should be listed in the ARO table (and their group updated as needed). The thing that I don't understand about this is why? Wouldn't it make more sense to just list the users that need special permission, and for everyone else just check what their group_id is in the user table, and use said for their permission levels?

I doubt I'll even have one user that will need a different set of permissions other than what the groups will be set to... so is it really necessary to list all my users in that table? What's the advantage there?

Thanks!
James
Re: Basic ACL question; Why have all users in the ARO?
It's entirely possible that I may have misread or misunderstood that example.. but it seemed to me like all the users were again in the ARO table. Did I not read that right?

What I should really do is rephrase my question: Is there a tutorial that would guide me on use the ACL without adding every one of my users (which there will be a ton of) into the ARO table needlessly? Instead I'd like to just add the ones that need special permissions that exceed group permissions (if there are any at all). Is this possible and where could I find a guide on it? :)

Thanks,
James

On Mar 23, 2:57 am, Martin Duris mato.du...@gmail.com wrote:

try this: http://book.cakephp.org/view/465/Understanding-How-ACL-Works

sometimes, maybe you will need to create groups for users but in those groups there will must be some users, who have special - premium access ...

2010/3/23 xtraorange xtraora...@gmail.com:

Howdy all,

Maybe someone can explain this to me, because I'm just having trouble understanding:

In the tutorial (http://book.cakephp.org/view/641/Simple-Acl-controlled-Application) the author seems to be suggesting that all users should be listed in the ARO table (and their group updated as needed). The thing that I don't understand about this is why? Wouldn't it make more sense to just list the users that need special permission, and for everyone else just check what their group_id is in the user table, and use said for their permission levels?

I doubt I'll even have one user that will need a different set of permissions other than what the groups will be set to... so is it really necessary to list all my users in that table? What's the advantage there?

Thanks!
James
Basic ACL question; Why have all users in the ARO?
Howdy all,

Maybe someone can explain this to me, because I'm just having trouble understanding:

In the tutorial (http://book.cakephp.org/view/641/Simple-Acl-controlled-Application) the author seems to be suggesting that all users should be listed in the ARO table (and their group updated as needed). The thing that I don't understand about this is why? Wouldn't it make more sense to just list the users that need special permission, and for everyone else just check what their group_id is in the user table, and use said for their permission levels?

I doubt I'll even have one user that will need a different set of permissions other than what the groups will be set to... so is it really necessary to list all my users in that table? What's the advantage there?

Thanks!
James
Re: ACL Question
I was getting this self same error even though I had not declared any interest in Acl. It is not being called as a component, I am not calling any of its methods and the cache is completely clear. I am posting this as I made a schoolboy error and it might help prevent others doing the same.

I tracked it down to the fact that in my app_controller I had:

    $this->Auth->authorize = 'actions';

This is only used when you are implementing Acl as well as Auth. If you are not using Acl, use this:

    $this->Auth->authorize = 'controller';

I made the mistake as I copied some code from the tutorial to help me set up Auth correctly. Of course, the tutorial also covers Acl, hence the mistake.

Jeremy Burns
jeremybu...@me.com

On 15 Jan 2010, at 16:33, Dave wrote:

Yeah it was only in the app_controller, but I just dumped cache folder and seemed to clear it up.

Thanks,
Dave

-----Original Message-----
From: cake-php@googlegroups.com [mailto:cake-...@googlegroups.com] On Behalf Of scs
Sent: January-15-10 12:51 PM
To: CakePHP
Subject: Re: ACL Question

Make sure you do not have

    var $components = array('Acl');

in your app_controller or any other controllers

On Jan 14, 8:48 pm, Dave make.cake.b...@gmail.com wrote:

I get this error as soon as I login

    Could not find AclComponent. Please include Acl in Controller::$components. [CORE/cake/libs/controller/components/auth.php, line 378]
    Fatal error: Call to a member function check() on a non-object in /home4/public_html/cake/libs/controller/components/auth.php on line 480

But I am not using ACL, nor do I want to. Can't seem to figure out where this is coming from or why. Any ideas? No idea where to start

Thanks
Dave
ACL Question
I have Auth and ACL setup correctly - I believe. No issues with logging in etc. My problem is the permissions. When I assign permissions my aros_acos table is populated with the proper info but I tried something a bit different and don't know which route to take.

When I run this:

    $this->Acl->allow($group, 'controllers/Infos', 'read');
    $this->Acl->allow($group, 'controllers/Infos', 'create');
    $this->Acl->allow($group, 'controllers/Infos', 'update');

I get an aros_acos row with the proper data but for the parent controller Infos with create, read, update with 1s and delete with a 0, instead of getting a row for each method in the controller.

I see lots of people assigning permissions like so:

    $this->Acl->allow($group, 'controllers/Items/index');
    $this->Acl->allow($group, 'controllers/Items/view');
    $this->Acl->allow($group, 'controllers/Items/add');
    $this->Acl->allow($group, 'controllers/Items/edit');

The only issue I have with the above is that unless I assign allow permissions to the controller as a whole:

    $this->Acl->allow($group, 'controllers/Items');

None of the permissions will work, I get locked out, even though there is a row in the aros_acos table for each method I am allowing permissions to.

Anyone have any thoughts on this? I'm brutally lost...
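Several of the posts on this page turn on the difference between CRUD flags set on a controller node and grants on individual action nodes. The block below is an added, stand-alone PHP model of a tree-based ACL check; it is not CakePHP code and not from any poster. It assumes that a wildcard (`'*'`) check passes only when all four flags have been granted along the path; the ARO/ACO names and permission rows are constructed.

```php
<?php
// Added illustration, not CakePHP code: a minimal model of a tree-based
// ACL check. All ARO/ACO names and permission rows are constructed.

const FLAGS = ['create', 'read', 'update', 'delete'];

/** ACO path from the requested node up to the root, most specific first. */
function acoPath(string $aco): array
{
    $parts = explode('/', trim($aco, '/'));
    $path = [];
    while ($parts) {
        $path[] = implode('/', $parts);
        array_pop($parts);
    }
    return $path;
}

/**
 * @param array  $perms   [aro][aco] => ['create' => 1|0|-1, ...]
 * @param array  $aroPath requester first, then its parents (e.g. its group)
 * @param string $aco     e.g. 'controllers/Infos/index'
 * @param string $action  one flag name, or '*' meaning "all four flags"
 */
function aclCheck(array $perms, array $aroPath, string $aco, string $action = '*'): bool
{
    $granted = [];                       // flags collected so far for a '*' check
    foreach ($aroPath as $aro) {
        foreach (acoPath($aco) as $node) {
            if (!isset($perms[$aro][$node])) {
                continue;                // no row links this ARO to this ACO
            }
            $row = $perms[$aro][$node];
            if ($action === '*') {
                foreach (FLAGS as $flag) {
                    if ($row[$flag] === -1) {
                        return false;    // an explicit deny stops the walk
                    }
                    if ($row[$flag] === 1) {
                        $granted[$flag] = true;
                    }
                }
                if (count($granted) === count(FLAGS)) {
                    return true;         // every flag granted somewhere on the path
                }
            } elseif ($row[$action] === -1) {
                return false;
            } elseif ($row[$action] === 1) {
                return true;
            }                            // 0 means inherit: keep walking up
        }
    }
    return false;                        // nothing granted: default deny
}

/** Shorthand for one permission row. */
function row(int $c, int $r, int $u, int $d): array
{
    return ['create' => $c, 'read' => $r, 'update' => $u, 'delete' => $d];
}

// Constructed permission table (stands in for the aros_acos rows).
$perms = [
    'Group:users' => [
        'controllers/Infos'       => row(1, 1, 1, 0),
        'controllers/Items/index' => row(1, 1, 1, 1),
    ],
    'Group:scouts' => [
        'controllers'                  => row(-1, -1, -1, -1),
        'controllers/Teams/scout_view' => row(1, 1, 1, 1),
    ],
];

$cases = [
    ['Group:users',  'controllers/Infos/index',      '*'],
    ['Group:users',  'controllers/Infos',            'read'],
    ['Group:users',  'controllers/Infos',            'delete'],
    ['Group:users',  'controllers/Items/index',      '*'],
    ['Group:users',  'controllers/Items/edit',       '*'],
    ['Group:scouts', 'controllers/Teams/scout_view', '*'],
    ['Group:scouts', 'controllers/Teams/index',      '*'],
];

foreach ($cases as [$aro, $aco, $action]) {
    $ok = aclCheck($perms, [$aro], $aco, $action);
    printf("%-12s %-30s %-6s %s\n", $aro, $aco, $action, $ok ? 'allow' : 'deny');
}
```

In this model the first case is denied because the controller row leaves the delete flag at 0, so a wildcard check never collects all four flags, while the single-flag `read` check on the same node is allowed.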
Re: ACL Question
Make sure you do not have

    var $components = array('Acl');

in your app_controller or any other controllers

On Jan 14, 8:48 pm, Dave make.cake.b...@gmail.com wrote:

I get this error as soon as I login

    Could not find AclComponent. Please include Acl in Controller::$components. [CORE/cake/libs/controller/components/auth.php, line 378]
    Fatal error: Call to a member function check() on a non-object in /home4/public_html/cake/libs/controller/components/auth.php on line 480

But I am not using ACL, nor do I want to. Can't seem to figure out where this is coming from or why. Any ideas? No idea where to start

Thanks
Dave
RE: ACL Question
Yeah it was only in the app_controller, but I just dumped cache folder and seemed to clear it up.

Thanks,
Dave

-----Original Message-----
From: cake-php@googlegroups.com [mailto:cake-...@googlegroups.com] On Behalf Of scs
Sent: January-15-10 12:51 PM
To: CakePHP
Subject: Re: ACL Question

Make sure you do not have

    var $components = array('Acl');

in your app_controller or any other controllers

On Jan 14, 8:48 pm, Dave make.cake.b...@gmail.com wrote:

I get this error as soon as I login

    Could not find AclComponent. Please include Acl in Controller::$components. [CORE/cake/libs/controller/components/auth.php, line 378]
    Fatal error: Call to a member function check() on a non-object in /home4/public_html/cake/libs/controller/components/auth.php on line 480

But I am not using ACL, nor do I want to. Can't seem to figure out where this is coming from or why. Any ideas? No idea where to start

Thanks
Dave
Re: ACL Question
> Yeah it was only in the app_controller, but I just dumped cache folder and seemed to clear it up.

If it's in AppController then all controllers inherit and will use it. Any components you put in a specific controller are merged with Appcontroller's, not overwritten.

j

--
jon bennett - www.jben.net - blog.jben.net
RE: ACL Question
I know. I was removing ACL from the app. It was only in app_controller but when I removed it I was getting errors. That's all, it's all good.

Thanks
ACL Question
I get this error as soon as I login

    Could not find AclComponent. Please include Acl in Controller::$components. [CORE/cake/libs/controller/components/auth.php, line 378]
    Fatal error: Call to a member function check() on a non-object in /home4/public_html/cake/libs/controller/components/auth.php on line 480

But I am not using ACL, nor do I want to. Can't seem to figure out where this is coming from or why. Any ideas? No idea where to start

Thanks
Dave
InitDB ACL Question
When setting up the initDB() function for routing do you set it up as function name or url?

    $this->Acl->allow($role, 'controllers/Posts/manage_index');

or

    $this->Acl->allow($role, 'controllers/Posts/manage/index');

assuming manage is the admin routing prefix which is correct for the posts function manage_index () ?

Thanks
Dave
ACL Question
I have 2 groups which are added by their respectful controller/model (Agent, Scout)

So when a Agent or Scout is created in the AROS Table is shows up

    id   parent_id  model  foreign_key  alias  lft  rght
    92   3          Scout  4            NULL   104  105
    105  4          Agent  3            NULL   196  197

BuildACL function and initDB

But I know there is something wrong with my initDB setup because I get:

    Warning (512): AclNode::node() - Couldn't find Aro node identified by Array ( [Aro0.model] => User [Aro0.foreign_key] => 3 ) [CORE/cake/libs/model/db_acl.php, line 148]

There is no User Model...not sure why its looking for User?

How would you fix this initDB?

    function initDB() {
        $role = $this->User->Role;

        //Allow admins to everything
        $role->id = '1';
        $this->Acl->allow($role, 'controllers');

        //allow managers
        $role->id = '2';
        $this->Acl->deny($role, 'controllers');
        $this->Acl->allow($role, 'controllers/Experiences');
        $this->Acl->allow($role, 'controllers/Notes');
        $this->Acl->allow($role, 'controllers/Portfolios');
        $this->Acl->allow($role, 'controllers/Teams');

        //allow Agents to
        $role->id = '3';
        $this->Acl->deny($role, 'controllers');
        $this->Acl->allow($role, 'controllers/Experiences');
        $this->Acl->allow($role, 'controllers/Notes');
        $this->Acl->allow($role, 'controllers/Portfolios');
        $this->Acl->allow($role, 'controllers/Teams');

        //allow Scouts to
        $role->id = '4';
        $this->Acl->deny($role, 'controllers');
        $this->Acl->allow($role, 'controllers/Teams/scout_view');
    }

Dave
Auth / ACL Question
Quick question about setting up permissions.

I am using admin routing configured to manage so all functions have manage_name

now in the initDB function in the cookbook

    $this->Acl->allow($role, 'controllers/Images');

if I wanted that user to be limited to only manage functions is this the correct way to set it up?

    $this->Acl->allow($role, 'controllers/Images/manage/');

or do you have to do it function by function?

    $this->Acl->allow($role, 'controllers/Images/manage_add');
    $this->Acl->allow($role, 'controllers/Images/manage_index');
    $this->Acl->allow($role, 'controllers/Images/manage_edit');
    $this->Acl->allow($role, 'controllers/Images/manage_delete');

Thanks
Dave
ACL question
I am setting up a new app using ACL. I am using Role, user can only have 1 role so User model has:

    var $hasOne = array(
        'Role' => array(
            'className' => 'Role',
            'foreignKey' => 'user_id',
            'dependent' => false,
            'conditions' => '',
            'fields' => '',
            'order' => ''
        )
    );

    function parentNode() {
        if (!$this->id && empty($this->data)) {
            return null;
        }
        $data = $this->data;
        if (empty($this->data)) {
            $data = $this->read();
        }
        if (!$data['User']['role_id']) {
            return null;
        } else {
            return array('Role' => array('id' => $data['User']['role_id']));
        }
    }

but when adding users with different roles ACOS looks wrong:

    (1, NULL, 'Role', 1, NULL, 1, 10),
    (2, NULL, 'Role', 2, NULL, 11, 18),
    (3, NULL, 'Role', 3, NULL, 19, 22),
    (4, NULL, 'Role', 4, NULL, 23, 24),
    (5, NULL, 'Role', 5, NULL, 25, 26),
    (6, 2, 'User', 4, NULL, 16, 17),  <- foreign key is wrong
    (7, 1, 'User', 4, NULL, 8, 9);    <- foreign key is wrong

the foreign keys should be different no?

Where did I go wrong here?

Dave
Re: Acl question: Can I change the name of aros and acos tables?
You could make more than one database config item and use them on the required tables?

On Jun 25, 2:39 am, brian bally.z...@gmail.com wrote:

On Wed, Jun 24, 2009 at 3:09 PM, zonium zon...@gmail.com wrote:

I do use prefix param for some other projects where ACL is NOT utilized. However, my particular concern is about ACL component, I am not sure if ACL component respects $prefix param. (i.e. the sql statements to create aros and acos table do not take prefix into account). Also, when we specify $prefix, it will be used for all tables, we cannot use different prefixes for different tables. Any insight is appreciated.

Zonium

You need to use more than one prefix? That might be a problem. Maybe you can change the prefix on the fly (never tried that).
Re: Acl question: Can I change the name of aros and acos tables?
On Jun 25, 2:39 am, brian bally.z...@gmail.com wrote:

On Wed, Jun 24, 2009 at 3:09 PM, zonium zon...@gmail.com wrote:

I do use prefix param for some other projects where ACL is NOT utilized. However, my particular concern is about ACL component, I am not sure if ACL component respects $prefix param. (i.e. the sql statements to create aros and acos table do not take prefix into account). Also, when we specify $prefix, it will be used for all tables, we cannot use different prefixes for different tables. Any insight is appreciated.

When you tried applying a prefix to your default db config - in what way did it not work.

AD
Re: Acl question: Can I change the name of aros and acos tables?
On Thu, Jun 25, 2009 at 5:13 AM, Walther waltherl...@gmail.com wrote:

You could make more than one database config item and use them on the required tables?

Good point. I tend to think of the DB configs as being for a specific database. Of course, there's nothing stopping you from using the same DB but with separate prefixes. Except that it's just occurred to me that there's still an issue with associations--if there are associated tables with different prefixes then joins would be a problem.
Re: Acl question: Can I change the name of aros and acos tables?
On Tue, Jun 23, 2009 at 11:25 PM, zonium zon...@gmail.com wrote:

We are forced to follow some naming conventions for our tables (some prefix needs to be added to the table names). I am going to use ACL component, but I wonder if I can use different names for aros, acos and acos_aros tables (e.g. adding a prefix)?

I've never used it myself, but there's a 'prefix' param in database.php. I believe that's all you need to set.
Re: Acl question: Can I change the name of aros and acos tables?
I do use prefix param for some other projects where ACL is NOT utilized. However, my particular concern is about ACL component, I am not sure if ACL component respects $prefix param. (i.e. the sql statements to create aros and acos table do not take prefix into account). Also, when we specify $prefix, it will be used for all tables, we cannot use different prefixes for different tables. Any insight is appreciated.

Zonium

On Jun 24, 8:56 am, brian bally.z...@gmail.com wrote:

On Tue, Jun 23, 2009 at 11:25 PM, zonium zon...@gmail.com wrote:

We are forced to follow some naming conventions for our tables (some prefix needs to be added to the table names). I am going to use ACL component, but I wonder if I can use different names for aros, acos and acos_aros tables (e.g. adding a prefix)?

I've never used it myself, but there's a 'prefix' param in database.php. I believe that's all you need to set.
Re: Acl question: Can I change the name of aros and acos tables?
On Wed, Jun 24, 2009 at 3:09 PM, zonium zon...@gmail.com wrote:

I do use prefix param for some other projects where ACL is NOT utilized. However, my particular concern is about ACL component, I am not sure if ACL component respects $prefix param. (i.e. the sql statements to create aros and acos table do not take prefix into account). Also, when we specify $prefix, it will be used for all tables, we cannot use different prefixes for different tables. Any insight is appreciated.

Zonium

You need to use more than one prefix? That might be a problem. Maybe you can change the prefix on the fly (never tried that).
Acl question: Can I change the name of aros and acos tables?
We are forced to follow some naming conventions for our tables (some prefix needs to be added to the table names). I am going to use ACL component, but I wonder if I can use different names for aros, acos and acos_aros tables (e.g. adding a prefix)?

Thanks,
Zonium
ACL question (again)
Hi everyone ..

I am trying (for the first time) to implement ACL in my app. While I think I have generally understood how to do that, from reading the manual and different tutorials, I still have some basic questions:

1. I will need groups. So far I only have a User-model and was planning to map the groups in the ARO table. When I started to code that, I figured that I am not doing that the right way, but should add a Group-table and then map AROs to Groups and Users. Is that correct?

2. This is just for my interest and is probably obsolete with the 1st question. At the first try I created a user_groups-controller, that had 'var $uses = array('Aro');' in it (I also have an Aro-Model with a validation var), and I accessed the Aro-model the usual way ($this->Aro->save($this->data)). That worked. Then I added the ACL component, which caused the Model not to be processed (no validation took place and even a parse error did not result in a parse error). Why is that?

thanks a lot,
harpax
ACL Question
I have been reading more into ACL and with help from the Cake Group it is making more sense so I thank you! I have a question I was hoping for some advice on.

My idea involves 2 Groups of Users which have no direct access with each other initially. Where say AGENTS belong to a GROUP and INVESTORS belong to another GROUP. Now each member of the AGENTS group can write articles that only members of the INVESTORS GROUP can see. So if JEFF (AGENT) writes a post LAURA (INVESTORS) can see it easy enough to set that up.

Now after LAURA (INVESTOR) reads the post by JEFF (AGENT) and likes what it says she wants to allow JEFF to view her INVESTOR profile. Because right now JEFF (AGENT) cannot view any GROUP 2 INVESTOR profile I need to find a way that allows an INVESTOR to AGENT interaction based on the INVESTOR allowing the specific AGENT.

I was thinking something like this

    function initDB() {
        $group = $this->User->Group;

        //Allow admins to everything
        $group->id = 1;
        $this->Acl->allow($group, 'controllers');

        //allow investors (LAURA)
        $group->id = 2;
        $this->Acl->deny($group, 'controllers');
        $this->Acl->allow($group, 'controllers/Investors'); // can only view / edit / delete their own content
        $this->Acl->allow($group, 'controllers/Agents/view'); // can view all agents posts

        //allow agents
        $group->id = 3;
        $this->Acl->deny($group, 'controllers');
        $this->Acl->allow($group, 'controllers/Investors/view'); //so they do have access to view rights but i need a way to block them until an Investor allows
        $this->Acl->allow($group, 'controllers/Agents'); // can only view / edit / delete their own content
    }

Does anyone know a good way to set this up? Ideas suggestions?

thanks again
Dave
Another Auth and ACL question
I just finished setting up the AUTH and ACL as in the cookbook. Now when I log in as any user from different groups I can access every page on the site but I get this :

    [Config] => Array
        (
            [userAgent] => 8edf52fc0bebeb96d0f1c90b95f1a465
            [time] => 1235718036
            [rand] => 664576016
            [timeout] => 10
        )
    [Message] => Array
        (
            [auth] => Array
                (
                    [message] => You are not authorized to access that location.
                    [layout] => default
                    [params] => Array
                        (
                        )
                )
        )

I copied the examples exactly, the ACOS AROS ACOS_AROS tables contain the data. Is there a this->Auth = something or some code I need to add to the controllers to check that only the owner can access the page and not everyone in a group?

Dave
ACL question regarding Acl example
Hi,

I just started using cakePHP, I'm almost done reading through the documents, but I was wondering something. I was reading the example for the ACL controlled application, and on one part it says

"Our controllers and models are now prepped for adding some initial data, and our Group and User models are bound to the Acl table. So add some groups and users using the baked forms. I made the following groups:"

What baked forms is this referring to? And when inserting users, if I made a registration function in the users controller, and made a form to insert a user into the database, would it automatically update everything for acl to work properly?

Thanks.
Re: ACL question regarding Acl example
For baked forms it means the forms autogenerated by bake. If you haven't used bake yet, it's a command line utility that lets you auto-generate basic models, controllers and views, starting from your db structure. You can find more information in the documentation.

The basic classes created by bake will allow you to perform the basic Create, Read, Update and Delete operations for all your entities, including Users and Groups. The link between these entities and ACL is not automatic but it requires the implementation of some code in both the User and Group model. You should find all the info in the tutorial.

I hope this bit of info can help you, unfortunately I'm at work and I'm not able to check the docs and give you more details.

Andrea
ACL Question based on ACL example in cookbook (1.2)
Hi guys,

I'm building an application and want to control access levels with ACL. I've setup the controllers and database by following the simple ACL application tutorial in the manual.

While the example in the manual uses 2 tables: 'groups' (hasmany) 'users', which makes the implementation fairly straightforward, in my situation, I'm using 3 tables: 'usergroups' (hasmany) 'companies' (hasmany) 'users'.

Can you explain to me how to implement the authentication for this situation. The ACL documentation in the manual is not enough to make me understand the concept.

Thanks,
Symen
Re: ACL Question based on ACL example in cookbook (1.2)
Not sure I follow, does the usergroups table not join the users and groups? I have my ACL set up with the following HABTM:

    // Link to jobs
    var $hasAndBelongsToMany = array(
        'Slot' => array(
            'className' => 'Slot',
            'joinTable' => 'user_slots',
            'foreignKey' => 'user_id',
            'associationForeignKey' => 'slot_id',
            'conditions' => '',
            'order' => '',
            'limit' => '',
            'unique' => true,
            'finderQuery' => '',
            'deleteQuery' => '',
            'insertQuery' => ''
        ),
        'Group' => array(
            'className' => 'Group',
            'joinTable' => 'user_groups',
            'foreignKey' => 'user_id',
            'associationForeignKey' => 'group_id',
            'conditions' => '',
            'order' => '',
            'limit' => '',
            'unique' => true,
            'finderQuery' => '',
            'deleteQuery' => '',
            'insertQuery' => ''
        )
    );

With users HABTM groups, and slots. What is it you need to do that isn't clear from the cookbook?

On Dec 5, 6:28 am, SymenTimmermans [EMAIL PROTECTED] wrote:

Hi guys,

I'm building an application and want to control access levels with ACL. I've setup the controllers and database by following the simple ACL application tutorial in the manual.

While the example in the manual uses 2 tables: 'groups' (hasmany) 'users', which makes the implementation fairly straightforward, in my situation, I'm using 3 tables: 'usergroups' (hasmany) 'companies' (hasmany) 'users'.

Can you explain to me how to implement the authentication for this situation. The ACL documentation in the manual is not enough to make me understand the concept.

Thanks,
Symen
Re: ACL Question based on ACL example in cookbook (1.2)
The first step you should do is to write out an example of what you want your ARO tree to look like. I think it will then be easier for someone to help you out. For example, I often have a tree that looks like the following:

Superusers Users --Staff John Kramer Alex Wylde Managers --Ozzy --Jimmy

What do you want yours to look like?

-Aran

On Dec 5, 9:24 am, Rob [EMAIL PROTECTED] wrote:

Not sure I follow, does the usergroups table not join the users and groups? I have my ACL set up with the following HABTM:

    // Link to jobs
    var $hasAndBelongsToMany = array(
        'Slot' => array(
            'className' => 'Slot',
            'joinTable' => 'user_slots',
            'foreignKey' => 'user_id',
            'associationForeignKey' => 'slot_id',
            'conditions' => '',
            'order' => '',
            'limit' => '',
            'unique' => true,
            'finderQuery' => '',
            'deleteQuery' => '',
            'insertQuery' => ''
        ),
        'Group' => array(
            'className' => 'Group',
            'joinTable' => 'user_groups',
            'foreignKey' => 'user_id',
            'associationForeignKey' => 'group_id',
            'conditions' => '',
            'order' => '',
            'limit' => '',
            'unique' => true,
            'finderQuery' => '',
            'deleteQuery' => '',
            'insertQuery' => ''
        )
    );

With users HABTM groups, and slots. What is it you need to do that isn't clear from the cookbook?

On Dec 5, 6:28 am, SymenTimmermans [EMAIL PROTECTED] wrote:

Hi guys,

I'm building an application and want to control access levels with ACL. I've setup the controllers and database by following the simple ACL application tutorial in the manual.

While the example in the manual uses 2 tables: 'groups' (hasmany) 'users', which makes the implementation fairly straightforward, in my situation, I'm using 3 tables: 'usergroups' (hasmany) 'companies' (hasmany) 'users'.

Can you explain to me how to implement the authentication for this situation. The ACL documentation in the manual is not enough to make me understand the concept.

Thanks,
Symen
Re: General ACL Question
Aran, then my apologies to you as well. The internet is a terrible place to decipher intonation. It's easy to misconstrue a question as complaining, and it doesn't help that I've been asked that question 10+ times.

I think that only in complicated systems should row level permissions be implemented at an ACL level. There is a lot of overhead in using the DB ACL and it complicates not only application design but application development. So if you can avoid row level ACL you should.

-Mark

On Nov 20, 3:40 pm, aranworld [EMAIL PROTECTED] wrote:

Sorry for writing something that looked like griping! I was absolutely NOT complaining about how the Auth Component works -- even though a year ago, I did once make this complaint. On the other hand, it is nice to have such a nicely worded explanation of why this feature is not in the core code.

I am in agreement with the idea that it is generally not necessary to use the ACL Component to protect items at a record level. Usually just using an author_id field will be enough.

-Aran

On Nov 20, 6:18 am, mark_story [EMAIL PROTECTED] wrote:

On Nov 20, 4:23 am, eMarcus [EMAIL PROTECTED] wrote:

Hi Mark,

Thanks for your answer! When you follow the conversation right from the beginning, you will see, that I definitely KNOW that controller/actions/id access does not help me and that I therefore want to use your proposed schema of models/records to protect my content.

My apologies for the rant then, just I've heard that gripe so many times, I've gotten quite tired of it.

However, what confused me as a beginner was, that in all the official documentation there were only examples of the easy way.

The reason for this is that many people find the concept of ACL complicated enough without further muddying the issue with row level permissions and multiple checks across multiple branches of the aco tree.

My intention was to ask for the best practice for providing access on a model/record level. I already implemented the ACO tree as you proposed (I have a models hive where all records get its entry).

As Mark explained, I have to do the permission check manually. Fine, I can do this using $this->Acl->check()

Doing this in the controller would work, but seems to be quite complicated as I do combined queries from different models. So I get a result of:

result = array ( [model0] => array ( [field0] => value, [field1] => value, ...), [model2] => array (...) [model3] => array (...) )

now, if the user has i.e. read permissions for model2 but not for model0 and model3, how would I do that? Check manually all entries and delete the ones he does not have permissions on?

Yes if you want a complicated CRUD perm system then you will need to do checks on all the records you wish to display / edit and then filter the records going out to the view. Complicated permission systems can be complicated. However, you should be able to abstract most of the work into a component I would think. In the past when I've had owner/non-owner based permissions I would just make model methods to check if the owner of a record was correct and then allow/deny based on that. But if your requirements are more complicated, you will need a more complicated system.

Is there a Best Practice how to deal with that?

My thoughts would be try to abstract all of this row permission checking logic into a component that will make the rest of development easier. Something like SuperAcl->checkRows($dataRows, $userData) or SuperAcl->checkRow($row, $userData). As long as you set some sort of convention it should work well.

-Mark

Thanks, bye me.

On Nov 20, 5:28 am, mark_story [EMAIL PROTECTED] wrote:

This can be done with the ACL but you need to do the check manually. It may seem like a good idea to have an ACL tree that looks like controller/action/id but that is setting yourself up for an epic fail. If you ever need to add an action you need to copy all the record nodes and set new perms. If you make a record in a controller with 10 actions, you now need 10 records. It gets insane very quickly.

Some quick math also shows this is the wrong approach. 150 records x 8 actions x 10 controllers = 12000 ACO elements. This is a very conservative estimate, as most applications have far greater amounts of data than.

A further indication of a wrong approach is that this system and any proposed changes to the AuthComponent fall short under the following circumstances:

* when an action needs to edit more than one row
* when an action needs to display more than one row
* when an action needs to work on a record and its related records.

There are probably more that I didn't think of but in all cases controller/action/id is a recipe for disaster. A better approach
Re: General ACL Question
Mark, Aran,

Is there a way to access the Acl component from within a model? Models don't have a $uses attribute, do they? Can I somehow else access the Acl component in a model (ie. creating an instance with new())? The beforeSave() callback method would be a perfect place to check if a user would have an UPDATE right for a specific record

bye me.

On Nov 21, 3:46 pm, mark_story [EMAIL PROTECTED] wrote:

Aran, then my apologies to you as well. The internet is a terrible place to decipher intonation. It's easy to misconstrue a question as complaining, and it doesn't help that I've been asked that question 10+ times.

I think that only in complicated systems should row level permissions be implemented at an ACL level. There is a lot of overhead in using the DB ACL and it complicates not only application design but application development. So if you can avoid row level ACL you should.

-Mark

On Nov 20, 3:40 pm, aranworld [EMAIL PROTECTED] wrote:

Sorry for writing something that looked like griping! I was absolutely NOT complaining about how the Auth Component works -- even though a year ago, I did once make this complaint. On the other hand, it is nice to have such a nicely worded explanation of why this feature is not in the core code.

I am in agreement with the idea that it is generally not necessary to use the ACL Component to protect items at a record level. Usually just using an author_id field will be enough.

-Aran

On Nov 20, 6:18 am, mark_story [EMAIL PROTECTED] wrote:

On Nov 20, 4:23 am, eMarcus [EMAIL PROTECTED] wrote:

Hi Mark,

Thanks for your answer! When you follow the conversation right from the beginning, you will see, that I definitely KNOW that controller/actions/id access does not help me and that I therefore want to use your proposed schema of models/records to protect my content.

My apologies for the rant then, just I've heard that gripe so many times, I've gotten quite tired of it.

However, what confused me as a beginner was, that in all the official documentation there were only examples of the easy way.

The reason for this is that many people find the concept of ACL complicated enough without further muddying the issue with row level permissions and multiple checks across multiple branches of the aco tree.

My intention was to ask for the best practice for providing access on a model/record level. I already implemented the ACO tree as you proposed (I have a models hive where all records get its entry).

As Mark explained, I have to do the permission check manually. Fine, I can do this using $this->Acl->check()

Doing this in the controller would work, but seems to be quite complicated as I do combined queries from different models. So I get a result of:

result = array ( [model0] => array ( [field0] => value, [field1] => value, ...), [model2] => array (...) [model3] => array (...) )

now, if the user has i.e. read permissions for model2 but not for model0 and model3, how would I do that? Check manually all entries and delete the ones he does not have permissions on?

Yes if you want a complicated CRUD perm system then you will need to do checks on all the records you wish to display / edit and then filter the records going out to the view. Complicated permission systems can be complicated. However, you should be able to abstract most of the work into a component I would think. In the past when I've had owner/non-owner based permissions I would just make model methods to check if the owner of a record was correct and then allow/deny based on that. But if your requirements are more complicated, you will need a more complicated system.

Is there a Best Practice how to deal with that?

My thoughts would be try to abstract all of this row permission checking logic into a component that will make the rest of development easier. Something like SuperAcl->checkRows($dataRows, $userData) or SuperAcl->checkRow($row, $userData). As long as you set some sort of convention it should work well.

-Mark

Thanks, bye me.

On Nov 20, 5:28 am, mark_story [EMAIL PROTECTED] wrote:

This can be done with the ACL but you need to do the check manually. It may seem like a good idea to have an ACL tree that looks like controller/action/id but that is setting yourself up for an epic fail. If you ever need to add an action you need to copy all the record nodes and set new perms. If you make a record in a controller with 10 actions, you now need 10 records. It gets insane very quickly.

Some quick math also shows this is the wrong approach. 150 records x 8 actions x 10 controllers = 12000 ACO elements. This is a very conservative estimate, as most applications have far greater amounts
Re: General ACL Question
Hi Mark,

Thanks for your answer! When you follow the conversation right from the beginning, you will see, that I definitely KNOW that controller/actions/id access does not help me and that I therefore want to use your proposed schema of models/records to protect my content.

However, what confused me as a beginner was, that in all the official documentation there were only examples of the easy way.

My intention was to ask for the best practice for providing access on a model/record level. I already implemented the ACO tree as you proposed (I have a models hive where all records get its entry).

As Mark explained, I have to do the permission check manually. Fine, I can do this using $this->Acl->check()

Doing this in the controller would work, but seems to be quite complicated as I do combined queries from different models. So I get a result of:

result = array ( [model0] => array ( [field0] => value, [field1] => value, ...), [model2] => array (...) [model3] => array (...) )

now, if the user has i.e. read permissions for model2 but not for model0 and model3, how would I do that? Check manually all entries and delete the ones he does not have permissions on?

Is there a Best Practice how to deal with that?

Thanks, bye me.

On Nov 20, 5:28 am, mark_story [EMAIL PROTECTED] wrote:

This can be done with the ACL but you need to do the check manually. It may seem like a good idea to have an ACL tree that looks like controller/action/id but that is setting yourself up for an epic fail. If you ever need to add an action you need to copy all the record nodes and set new perms. If you make a record in a controller with 10 actions, you now need 10 records. It gets insane very quickly.

Some quick math also shows this is the wrong approach. 150 records x 8 actions x 10 controllers = 12000 ACO elements. This is a very conservative estimate, as most applications have far greater amounts of data than.

A further indication of a wrong approach is that this system and any proposed changes to the AuthComponent fall short under the following circumstances:

* when an action needs to edit more than one row
* when an action needs to display more than one row
* when an action needs to work on a record and its related records.

There are probably more that I didn't think of but in all cases controller/action/id is a recipe for disaster. A better approach in my opinion is to keep your controller/action perms separate from your model record permissions, and do the check manually. If your application is sophisticated enough to require these advanced permission settings, it can stomach a few extra method calls. I would use a tree like

app
-- controllers
   posts
   -- index
   -- add
   -- edit
   comments
   --- index
   --- edit
   --- view
-- models
   post
   -- 1
   -- 2
   comment
   --- 1
   --- 2

and so on. Another option is to use the idea of 'roles' for all your access control and assign permissions with those.

Sorry if I ranted a bit there, but I'm tired of people belly aching that controller/action/id doesn't work when it is obviously the totally wrong solution for the problem. And anyone who thinks it is a great idea should go for it, and report back in a year or so after their app runs into scaling issues because the ACL is ridiculously complicated and impossible to deal with.

-Mark

On Nov 19, 9:55 am, eMarcus [EMAIL PROTECTED] wrote:

Hi,

I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far.

1.) does the ACL component automatically check if a user has an UPDATE right on save operations?

2.) if not, where would be the best place to perform that check? (in a callback function in the model itself, in the controller?)

Thanks, bye me.
Re: General ACL Question
On Nov 20, 4:23 am, eMarcus [EMAIL PROTECTED] wrote:

Hi Mark,

Thanks for your answer! When you follow the conversation right from the beginning, you will see, that I definitely KNOW that controller/actions/id access does not help me and that I therefore want to use your proposed schema of models/records to protect my content.

My apologies for the rant then, just I've heard that gripe so many times, I've gotten quite tired of it.

However, what confused me as a beginner was, that in all the official documentation there were only examples of the easy way.

The reason for this is that many people find the concept of ACL complicated enough without further muddying the issue with row level permissions and multiple checks across multiple branches of the aco tree.

My intention was to ask for the best practice for providing access on a model/record level. I already implemented the ACO tree as you proposed (I have a models hive where all records get its entry).

As Mark explained, I have to do the permission check manually. Fine, I can do this using $this->Acl->check()

Doing this in the controller would work, but seems to be quite complicated as I do combined queries from different models. So I get a result of:

result = array ( [model0] => array ( [field0] => value, [field1] => value, ...), [model2] => array (...) [model3] => array (...) )

now, if the user has i.e. read permissions for model2 but not for model0 and model3, how would I do that? Check manually all entries and delete the ones he does not have permissions on?

Yes if you want a complicated CRUD perm system then you will need to do checks on all the records you wish to display / edit and then filter the records going out to the view. Complicated permission systems can be complicated. However, you should be able to abstract most of the work into a component I would think. In the past when I've had owner/non-owner based permissions I would just make model methods to check if the owner of a record was correct and then allow/deny based on that. But if your requirements are more complicated, you will need a more complicated system.

Is there a Best Practice how to deal with that?

My thoughts would be try to abstract all of this row permission checking logic into a component that will make the rest of development easier. Something like SuperAcl->checkRows($dataRows, $userData) or SuperAcl->checkRow($row, $userData). As long as you set some sort of convention it should work well.

-Mark

Thanks, bye me.

On Nov 20, 5:28 am, mark_story [EMAIL PROTECTED] wrote:

This can be done with the ACL but you need to do the check manually. It may seem like a good idea to have an ACL tree that looks like controller/action/id but that is setting yourself up for an epic fail. If you ever need to add an action you need to copy all the record nodes and set new perms. If you make a record in a controller with 10 actions, you now need 10 records. It gets insane very quickly.

Some quick math also shows this is the wrong approach. 150 records x 8 actions x 10 controllers = 12000 ACO elements. This is a very conservative estimate, as most applications have far greater amounts of data than.

A further indication of a wrong approach is that this system and any proposed changes to the AuthComponent fall short under the following circumstances:

* when an action needs to edit more than one row
* when an action needs to display more than one row
* when an action needs to work on a record and its related records.

There are probably more that I didn't think of but in all cases controller/action/id is a recipe for disaster. A better approach in my opinion is to keep your controller/action perms separate from your model record permissions, and do the check manually. If your application is sophisticated enough to require these advanced permission settings, it can stomach a few extra method calls. I would use a tree like

app
-- controllers
   posts
   -- index
   -- add
   -- edit
   comments
   --- index
   --- edit
   --- view
-- models
   post
   -- 1
   -- 2
   comment
   --- 1
   --- 2

and so on. Another option is to use the idea of 'roles' for all your access control and assign permissions with those.

Sorry if I ranted a bit there, but I'm tired of people belly aching that controller/action/id doesn't work when it is obviously the totally wrong solution for the problem. And anyone who thinks it is a great idea should go for it, and report back in a year or so after their app runs into scaling issues because the ACL is ridiculously complicated and impossible to deal with.

-Mark

On Nov 19, 9:55 am, eMarcus [EMAIL PROTECTED] wrote:

Hi,

I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far.

1.) does the ACL
Re: General ACL Question
Sorry for writing something that looked like griping! I was absolutely NOT complaining about how the Auth Component works -- even though a year ago, I did once make this complaint. On the other hand, it is nice to have such a nicely worded explanation of why this feature is not in the core code. I am in agreement with the idea that it is generally not necessary to use the ACL Component to protect items at a record level. Usually just using an author_id field will be enough.

-Aran

On Nov 20, 6:18 am, mark_story [EMAIL PROTECTED] wrote:
> On Nov 20, 4:23 am, eMarcus [EMAIL PROTECTED] wrote:
>> Hi Mark, Thanks for your answer! When you follow the conversation right from the beginning, you will see that I definitely KNOW that controller/actions/id access does not help me and that I therefore want to use your proposed schema of models/records to protect my content.
>
> My apologies for the rant then, just I've heard that gripe so many times, I've gotten quite tired of it.
>
>> However, what confused me as a beginner was that in all the official documentation there were only examples of the easy way.
>
> The reason for this is that many people find the concept of ACL complicated enough without further muddying the issue with row level permissions and multiple checks across multiple branches of the aco tree.
>
>> My intention was to ask for the best practice for providing access on a model/record level. I already implemented the ACO tree as you proposed (I have a models hive where all records get their entry). As Mark explained, I have to do the permission check manually. Fine, I can do this using $this->Acl->check(). Doing this in the controller would work, but seems to be quite complicated as I do combined queries from different models. So I get a result of:
>>
>> result = array ( [model0] => array ( [field0] => value, [field1] => value, ...), [model2] => array (...) [model3] => array (...) )
>>
>> Now, if the user has i.e. read permissions for model2 but not for model0 and model3, how would I do that? Check manually all entries and delete the ones he does not have permissions on?
>
> Yes if you want a complicated CRUD perm system then you will need to do checks on all the records you wish to display / edit and then filter the records going out to the view. Complicated permission systems can be complicated. However, you should be able to abstract most of the work into a component I would think. In the past when I've had owner/non-owner based permissions I would just make model methods to check if the owner of a record was correct and then allow/deny based on that. But if your requirements are more complicated, you will need a more complicated system.
>
>> Is there a Best Practice how to deal with that?
>
> My thoughts would be try to abstract all of this row permission checking logic into a component that will make the rest of development easier. Something like SuperAcl->checkRows($dataRows, $userData) or SuperAcl->checkRow($row, $userData). As long as you set some sort of convention it should work well.
>
> -Mark
>
>> Thanks, bye me.
>>
>> On Nov 20, 5:28 am, mark_story [EMAIL PROTECTED] wrote:
>>> This can be done with the ACL but you need to do the check manually. It may seem like a good idea to have an ACL tree that looks like controller/action/id but that is setting yourself up for an epic fail. If you ever need to add an action you need to copy all the record nodes and set new perms. If you make a record in a controller with 10 actions, you now need 10 records. It gets insane very quickly. Some quick math also shows this is the wrong approach. 150 records x 8 actions x 10 controllers = 12000 ACO elements. This is a very conservative estimate, as most applications have far greater amounts of data than. A further indication of a wrong approach is that this system and any proposed changes to the AuthComponent fall short under the following circumstances:
>>>
>>> * when an action needs to edit more than one row
>>> * when an action needs to display more than one row
>>> * when an action needs to work on a record and its related records.
>>>
>>> There are probably more that I didn't think of but in all cases controller/action/id is a recipe for disaster. A better approach in my opinion is to keep your controller/action perms separate from your model record permissions, and do the check manually. If your application is sophisticated enough to require these advanced permission settings, it can stomach a few extra method calls. I would use a tree like
>>>
>>> app
>>> -- controllers
>>>      posts
>>>      -- index
>>>      -- add
>>>      -- edit
>>>      comments
>>>      --- index
>>>      --- edit
>>>      --- view
>>> -- models
>>>      post
>>>      -- 1
>>>      -- 2
>>>      comment
>>>      --- 1
>>>      --- 2
>>>
>>> and so on. Another option is to use the idea of 'roles' for all your access control and
General ACL Question
Hi, I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far. 1.) does the ACL component automatically check if a user has an UPDATE right on save operations? 2.) if not, where would be the best place to perform that check? (in a callback function in the model itself, in the controller?) Thanks, bye me. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups CakePHP group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~--~~~~--~~--~--~---
Re: General ACL Question
Hi Marcus,

As I just found out yesterday myself: I guess you have to map your actions to the CRUD model like:

$this->Auth->mapActions(array('update' => array('edit','editFoo','myupdatesomething')));

That is, when you plan on also using Auth.

Anja

-Original Message-
From: cake-php@googlegroups.com [mailto:[EMAIL PROTECTED] On behalf of eMarcus
Sent: Wednesday, 19 November 2008 15:55
To: CakePHP
Subject: General ACL Question

Hi, I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far. 1.) does the ACL component automatically check if a user has an UPDATE right on save operations? 2.) if not, where would be the best place to perform that check? (in a callback function in the model itself, in the controller?) Thanks, bye me.
Re: General ACL Question
Hi Anja, Thanks for your reply. I will investigate that!

What confuses me a little bit: When I want my security to be based on controller action access, I can easily create ACOs named after the controller actions and configure access in the aro_aco table. Any unallowed access causes the Auth / ACL component to protect the actions. When I want security to be model based, and I create ACOs based on my models - including the modelname and foreign key, an aro_aco entry does not protect anything. I can use the $this->Acl->check() method to find out if a user is allowed to access a certain record, but I wonder why that isn't done automatically? or why I can't place that check() method in a callback function of the model (where it would belong to). Did I miss something here? All the Acl examples in the docs just refer to a controller/action based ACL. Is there an example available that works with ACL based directly on records?

Thanks, bye me.

On Nov 19, 5:04 pm, Liebermann, Anja Carolin [EMAIL PROTECTED] wrote:
> Hi Marcus,
>
> As I just found out yesterday myself: I guess you have to map your actions to the CRUD model like:
>
> $this->Auth->mapActions(array('update' => array('edit','editFoo','myupdatesomething')));
>
> That is, when you plan on also using Auth.
>
> Anja
>
> -Original Message-
> From: cake-php@googlegroups.com [mailto:[EMAIL PROTECTED] On behalf of eMarcus
> Sent: Wednesday, 19 November 2008 15:55
> To: CakePHP
> Subject: General ACL Question
>
> Hi, I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far. 1.) does the ACL component automatically check if a user has an UPDATE right on save operations? 2.) if not, where would be the best place to perform that check? (in a callback function in the model itself, in the controller?) Thanks, bye me.
Re: General ACL Question
The problem lies with the Auth Component. When parsing a URL to determine if a user has access to a resource, the Auth Component does not factor in the id (or any other passed parameter). This means that you cannot use the Auth Component to automatically protect content on a record level basis ... even though the ACL Component DOES allow you to protect content on a record level. You are correct that the only way to do this is to come up with your own method of checking access from within the Controller itself.

-Aran

There has been a long standing enhancement ticket in trac related to this issue.

On Nov 19, 11:29 am, eMarcus [EMAIL PROTECTED] wrote:
> Hi Anja, Thanks for your reply. I will investigate that!
>
> What confuses me a little bit: When I want my security to be based on controller action access, I can easily create ACOs named after the controller actions and configure access in the aro_aco table. Any unallowed access causes the Auth / ACL component to protect the actions. When I want security to be model based, and I create ACOs based on my models - including the modelname and foreign key, an aro_aco entry does not protect anything. I can use the $this->Acl->check() method to find out if a user is allowed to access a certain record, but I wonder why that isn't done automatically? or why I can't place that check() method in a callback function of the model (where it would belong to). Did I miss something here? All the Acl examples in the docs just refer to a controller/action based ACL. Is there an example available that works with ACL based directly on records?
>
> Thanks, bye me.
>
> On Nov 19, 5:04 pm, Liebermann, Anja Carolin [EMAIL PROTECTED] wrote:
>> Hi Marcus,
>>
>> As I just found out yesterday myself: I guess you have to map your actions to the CRUD model like:
>>
>> $this->Auth->mapActions(array('update' => array('edit','editFoo','myupdatesomething')));
>>
>> That is, when you plan on also using Auth.
>>
>> Anja
>>
>> -Original Message-
>> From: cake-php@googlegroups.com [mailto:[EMAIL PROTECTED] On behalf of eMarcus
>> Sent: Wednesday, 19 November 2008 15:55
>> To: CakePHP
>> Subject: General ACL Question
>>
>> Hi, I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far. 1.) does the ACL component automatically check if a user has an UPDATE right on save operations? 2.) if not, where would be the best place to perform that check? (in a callback function in the model itself, in the controller?) Thanks, bye me.
Re: General ACL Question
This can be done with the ACL but you need to do the check manually. It may seem like a good idea to have an ACL tree that looks like controller/action/id but that is setting yourself up for an epic fail. If you ever need to add an action you need to copy all the record nodes and set new perms. If you make a record in a controller with 10 actions, you now need 10 records. It gets insane very quickly.

Some quick math also shows this is the wrong approach. 150 records x 8 actions x 10 controllers = 12000 ACO elements. This is a very conservative estimate, as most applications have far greater amounts of data than. A further indication of a wrong approach is that this system and any proposed changes to the AuthComponent fall short under the following circumstances:

* when an action needs to edit more than one row
* when an action needs to display more than one row
* when an action needs to work on a record and its related records.

There are probably more that I didn't think of but in all cases controller/action/id is a recipe for disaster.

A better approach in my opinion is to keep your controller/action perms separate from your model record permissions, and do the check manually. If your application is sophisticated enough to require these advanced permission settings, it can stomach a few extra method calls. I would use a tree like

app
-- controllers
     posts
     -- index
     -- add
     -- edit
     comments
     --- index
     --- edit
     --- view
-- models
     post
     -- 1
     -- 2
     comment
     --- 1
     --- 2

and so on. Another option is to use the idea of 'roles' for all your access control and assign permissions with those.

Sorry if I ranted a bit there, but I'm tired of people belly aching that controller/action/id doesn't work when it is obviously the totally wrong solution for the problem. And anyone who thinks it is a great idea should go for it, and report back in a year or so after their app runs into scaling issues because the ACL is ridiculously complicated and impossible to deal with.

-Mark

On Nov 19, 9:55 am, eMarcus [EMAIL PROTECTED] wrote:
> Hi, I want to use the ACL component to control access of users to model data. I built up AROs, ACOs and permissions so far. 1.) does the ACL component automatically check if a user has an UPDATE right on save operations? 2.) if not, where would be the best place to perform that check? (in a callback function in the model itself, in the controller?) Thanks, bye me.
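The manual record-level check and result filtering discussed in this thread, as an added example that is not part of the original posts and not CakePHP's own code. It is plain PHP: the `$aclCheck` callable is a hypothetical stand-in for `$this->Acl->check()`, the grants table and rows are constructed, and `acoPathFor`, `checkRow` and `checkRows` are illustrative names (the last two borrowed from the component methods suggested elsewhere in the thread).

```php
<?php
// Added example (not from the thread or from CakePHP itself).
// Filters multi-model result rows so that only records the user may access
// reach the view. All names and sample data here are constructed.

/** ACO alias for one record, following the "models/<model>/<id>" tree. */
function acoPathFor(string $model, $id): string
{
    return 'models/' . $model . '/' . $id;
}

/**
 * Keep only the model entries of one joined row that the user may access.
 * Fails closed: an entry without an id, or any check result other than
 * boolean true, is dropped.
 */
function checkRow(callable $aclCheck, array $row, string $user, string $action = 'read'): array
{
    $visible = [];
    foreach ($row as $model => $fields) {
        if (!is_array($fields) || !isset($fields['id'])) {
            continue;
        }
        if ($aclCheck($user, acoPathFor($model, $fields['id']), $action) === true) {
            $visible[$model] = $fields;
        }
    }
    return $visible;
}

/**
 * Filter a whole result set. A row is dropped entirely when its primary
 * model is not accessible; related models are stripped individually.
 */
function checkRows(callable $aclCheck, array $rows, string $user, string $primaryModel, string $action = 'read'): array
{
    $out = [];
    foreach ($rows as $row) {
        $filtered = checkRow($aclCheck, $row, $user, $action);
        if (isset($filtered[$primaryModel])) {
            $out[] = $filtered;
        }
    }
    return $out;
}

// Constructed grants: user => ACO path => allowed actions.
$grants = [
    'alice' => [
        'models/Post/1'    => ['read', 'update'],
        'models/Post/2'    => ['read'],
        'models/Comment/7' => ['read'],
    ],
];

// Stand-in for the framework lookup. In a CakePHP 1.2 controller this
// callable would wrap $this->Acl->check($aro, $aco, $action).
$aclCheck = function (string $user, string $aco, string $action) use ($grants): bool {
    return in_array($action, $grants[$user][$aco] ?? [], true);
};

// Constructed result of a combined query, keyed by model as in the thread.
$rows = [
    ['Post' => ['id' => 1, 'title' => 'First'],  'Comment' => ['id' => 7, 'body' => 'visible']],
    ['Post' => ['id' => 2, 'title' => 'Second'], 'Comment' => ['id' => 8, 'body' => 'no grant']],
    ['Post' => ['id' => 3, 'title' => 'Third'],  'Comment' => ['id' => 9, 'body' => 'no grant']],
];

// Read path: filter before the data is handed to the view.
foreach (checkRows($aclCheck, $rows, 'alice', 'Post') as $row) {
    printf("Post %d with models: %s\n", $row['Post']['id'], implode(', ', array_keys($row)));
}

// Write path: the read filter is not enough, so a save needs its own
// check against the 'update' action of the same record.
foreach ([1, 2, 3] as $postId) {
    $allowed = $aclCheck('alice', acoPathFor('Post', $postId), 'update');
    printf("update Post %d: %s\n", $postId, $allowed ? 'allowed' : 'denied');
}
```

The filter removes records that have no grant at all as well as records with a grant for a different action, so a missing ACO node never results in data reaching the view.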
Re: newbie acl question
> basically in my layout ctp file, i have a navigation menu. If an Admin user logs in, I want the admin nav menu to appear. Otherwise, do not display the admin nav menu. what is the best way to do this? thanks

1. First, determine if the menu should be displayed. This depends on how you have set up the authentication/authorization system.
2. If so, set adminMenu (or the name you like) to true, else set it to false. You can even pass an array of the elements that conform the menu to the view.
3. In the layout:

<?php if ($adminMenu): ?>
here comes the admin menu, you can make it static (if it fits your application), render an element containing it, or even make a helper to take care of this.
<?php endif; ?>

In order to keep things ordered and flexible, I would go making 1 and 2 in a component, but you can put them in the beforeFilter() of the AppController.

> On Wed, Apr 9, 2008 at 4:59 PM, Dardo Sordi Bogado [EMAIL PROTECTED] wrote:
>> Probably, I will check in the AppController::beforeFilter(); or even better make a component. Helpers are meant for the view, not the controller. Given the fact that I haven't read your code, and you haven't explained what are you trying to accomplish I can't give you further assistance. What I've suggested was that in the light of MVC, is better not to make ACL checks in the view, and let the view be a mere representational layer, not including business or application logic in it. Maybe you need to review the MVC pattern, and the relevant cakephp documentation. And in order to help you, you need to provide more details about what are you trying to do and what are your reasons to try to make that way. HTH, Dardo Sordi.
>>
>> On Wed, Apr 9, 2008 at 8:45 PM, . [EMAIL PROTECTED] wrote:
>>> what controller would i check in for the layout? or use helper?
>>>
>>> On Wed, Apr 9, 2008 at 4:14 AM, Dardo Sordi Bogado [EMAIL PROTECTED] wrote:
>>>> You don't. Check from controller/component and pass the allowed/denied to the view/layout.
>>>>
>>>> On Wed, Apr 9, 2008 at 7:19 AM, . [EMAIL PROTECTED] wrote:
>>>>> hi how do you check acl from the View? ie $acl->check(...) in the view, instead of controller. How would I check ACL from my layout? thanks
Re: newbie acl question
You don't. Check from controller/component and pass the allowed/denied to the view/layout.

On Wed, Apr 9, 2008 at 7:19 AM, . [EMAIL PROTECTED] wrote:
> hi how do you check acl from the View? ie $acl->check(...) in the view, instead of controller. How would I check ACL from my layout? thanks
newbie acl question
hi how do you check acl from the View? ie $acl->check(...) in the view, instead of controller. How would I check ACL from my layout? thanks
Re: newbie acl question
what controller would i check in for the layout? or use helper?

On Wed, Apr 9, 2008 at 4:14 AM, Dardo Sordi Bogado [EMAIL PROTECTED] wrote:
> You don't. Check from controller/component and pass the allowed/denied to the view/layout.
>
> On Wed, Apr 9, 2008 at 7:19 AM, . [EMAIL PROTECTED] wrote:
>> hi how do you check acl from the View? ie $acl->check(...) in the view, instead of controller. How would I check ACL from my layout? thanks
Re: newbie acl question
Probably, I will check in the AppController::beforeFilter(); or even better make a component. Helpers are meant for the view, not the controller. Given the fact that I haven't read your code, and you haven't explained what are you trying to accomplish I can't give you further assistance.

What I've suggested was that in the light of MVC, is better not to make ACL checks in the view, and let the view be a mere representational layer, not including business or application logic in it. Maybe you need to review the MVC pattern, and the relevant cakephp documentation. And in order to help you, you need to provide more details about what are you trying to do and what are your reasons to try to make that way.

HTH, Dardo Sordi.

On Wed, Apr 9, 2008 at 8:45 PM, . [EMAIL PROTECTED] wrote:
> what controller would i check in for the layout? or use helper?
>
> On Wed, Apr 9, 2008 at 4:14 AM, Dardo Sordi Bogado [EMAIL PROTECTED] wrote:
>> You don't. Check from controller/component and pass the allowed/denied to the view/layout.
>>
>> On Wed, Apr 9, 2008 at 7:19 AM, . [EMAIL PROTECTED] wrote:
>>> hi how do you check acl from the View? ie $acl->check(...) in the view, instead of controller. How would I check ACL from my layout? thanks
Re: newbie acl question
basically in my layout ctp file, i have a navigation menu. If an Admin user logs in, I want the admin nav menu to appear. Otherwise, do not display the admin nav menu. what is the best way to do this? thanks

On Wed, Apr 9, 2008 at 4:59 PM, Dardo Sordi Bogado [EMAIL PROTECTED] wrote:
> Probably, I will check in the AppController::beforeFilter(); or even better make a component. Helpers are meant for the view, not the controller. Given the fact that I haven't read your code, and you haven't explained what are you trying to accomplish I can't give you further assistance. What I've suggested was that in the light of MVC, is better not to make ACL checks in the view, and let the view be a mere representational layer, not including business or application logic in it. Maybe you need to review the MVC pattern, and the relevant cakephp documentation. And in order to help you, you need to provide more details about what are you trying to do and what are your reasons to try to make that way. HTH, Dardo Sordi.
>
> On Wed, Apr 9, 2008 at 8:45 PM, . [EMAIL PROTECTED] wrote:
>> what controller would i check in for the layout? or use helper?
>>
>> On Wed, Apr 9, 2008 at 4:14 AM, Dardo Sordi Bogado [EMAIL PROTECTED] wrote:
>>> You don't. Check from controller/component and pass the allowed/denied to the view/layout.
>>>
>>> On Wed, Apr 9, 2008 at 7:19 AM, . [EMAIL PROTECTED] wrote:
>>>> hi how do you check acl from the View? ie $acl->check(...) in the view, instead of controller. How would I check ACL from my layout? thanks
Re: Yet another Auth and ACL question
it seems to be the correct behavior:

- if you're not logged in, it redirects you to login page
- if you're logged, it checks if you're allowed to access to controller:
  * if yes, ok
  * if not, it redirects you back and tells you access denied

Why do you want to be redirected to login since you're already logged in? It's up to you to add this: if I don't have access to a controller, give the choice to be logged in with another account (like a Linux sudo or Vista UAC). IMHO it's not a very common need.

On 1 Feb, 07:09, chad [EMAIL PROTECTED] wrote:
> Braindead - I'm wondering the same thing. Right now, as you said, it just redirects you to the current page. Perhaps an enhancement ticket at trac?
>
> On Jan 29, 12:51 pm, Braindead [EMAIL PROTECTED] wrote:
>> That's what I already did. When I'm not logged in and want to enter an access controlled controller, I'm redirected to $loginAction. But how is it possible to be redirected to $loginAction, when I'm already logged in, but not allowed to access a controller?
Re: Yet another Auth and ACL question
I think it is not right to be redirected to the referer page and display the error message on the referer page. This is not what I would expect when I try to access a certain page. At first I wanted to be redirected to the login page, because I thought it is the right behavior to give the user the chance to login as another user. Now I changed my mind and hacked the auth.php so that it now splashes the error message to the user (using $controller->flash), waits for 5 seconds and then redirects to the referer page. I think this is the way for me to go.

Thanks for your help.

Markus

On Feb 1, 9:43 am, djiize [EMAIL PROTECTED] wrote:
> Why do you want to be redirected to login since you're already logged in?
Re: Yet another Auth and ACL question
Braindead - I'm wondering the same thing. Right now, as you said, it just redirects you to the current page. Perhaps an enhancement ticket at trac?

On Jan 29, 12:51 pm, Braindead [EMAIL PROTECTED] wrote:
> That's what I already did. When I'm not logged in and want to enter an access controlled controller, I'm redirected to $loginAction. But how is it possible to be redirected to $loginAction, when I'm already logged in, but not allowed to access a controller?
Yet another Auth and ACL question
Hello group, I'm using Auth and ACL in Cake 1.2. It took quite a long time to get it to work, but now everything is working, except one thing: When I'm logged in and try to access a controller I don't have access to, I'm redirected to the url I came from and get the message that I'm not allowed to access the controller. I would expect to be redirected to the login page and see the error message. Is there a way to achieve this or is this a normal Cake behavior? Happy baking Markus
Re: Yet another Auth and ACL question
That's what I already did. When I'm not logged in and want to enter an access controlled controller, I'm redirected to $loginAction. But how is it possible to be redirected to $loginAction, when I'm already logged in, but not allowed to access a controller?
Re: Yet another Auth and ACL question
Maybe the Auth $loginAction property is what you're looking for. Set the url of the controller that handles login (As a string or array).

Cheers,
-- Matias Lespiau http://www.gignus.com/

On Jan 29, 2008 4:10 PM, Braindead [EMAIL PROTECTED] wrote:
> Hello group, I'm using Auth and ACL in Cake 1.2. It took quite a long time to get it to work, but now everything is working, except one thing: When I'm logged in and try to access a controller I don't have access to, I'm redirected to the url I came from and get the message that I'm not allowed to access the controller. I would expect to be redirected to the login page and see the error message. Is there a way to achieve this or is this a normal Cake behavior? Happy baking Markus
Re: ACL question regarding inherited permissions
Thanks a million, it works now!
ACL question regarding inherited permissions
My situation is this: I have AROs nested: Admins and as a child of that Subadmins. Admins has access to a certain ACO but Subadmins is set to deny access to that ACO. When I check Subadmins against that ACO it says that it has access although I set it to deny (checked in the database also, it shows -1 on all crud fields). So is my assumption wrong that individual rights are more powerful than inherited ones?
Re: ACL question regarding inherited permissions
No, that is a bug in ACL component, ticket: https://trac.cakephp.org/ticket/3851 , fixed on: https://trac.cakephp.org/changeset/6342 . Update your cake.

On Jan 16, 2008 3:11 PM, alex.tomes [EMAIL PROTECTED] wrote:
> My situation is this: I have AROs nested: Admins and as a child of that Subadmins. Admins has access to a certain ACO but Subadmins is set to deny access to that ACO. When I check Subadmins against that ACO it says that it has access although I set it to deny (checked in the database also, it shows -1 on all crud fields). So is my assumption wrong that individual rights are more powerful than inherited ones?
Re: ACL question: ACO-ARO links not being set as expected. Why?
Anyone any ideas? Surely ACL shouldn't be this hard? By the way, I'm using PHP 5 and Cake 1.2.

On 31 Aug, 10:44, Paul [EMAIL PROTECTED] wrote:

Hi there, I'm getting more and more frustrated with ACL, so please someone help me before I drive myself mad! I'm sure once I'm over this last hurdle it'll all fall into place :)

If I do this:

    $this->Acl->deny($aroNode,$acoNode);

then all the _read, _update etc. fields in the aros_acos table are set to -1 (or 1 if I'd used allow). So far so good! However, if I have an array of 'actions', like this:

    $actions = Array('read','update');

And I set permissions like this:

    $this->Acl->allow($aroNode,$acoNode,$actions);

Then _read and _update are set to 1 (as expected), but the rest are set to zero - they are not left as they are (I explicitly do a deny all before I call allow). This doesn't seem right to me - I would've thought 'allowing' a set of permissions would leave the others untouched? Try as I might I can't work out where in the cake source it's doing this setting to zero. However, I have found out that when I do this:

    $this->Acl->check('create')

...a zero causes it to 'continue' and look further up the hierarchy, towards the parent, and get the permission from there. My aco nodes are in a hierarchy, so this means I can't deny a child access to something a parent has access to! (because if I deny all and then allow the ones I want, then check looks to the parent for the ones I didn't explicitly allow)

Am I misunderstanding things? Has anyone else had this problem?

Thanks in advance, Paul.
ACL question: ACO-ARO links not being set as expected. Why?
Hi there, I'm getting more and more frustrated with ACL, so please someone help me before I drive myself mad! I'm sure once I'm over this last hurdle it'll all fall into place :)

If I do this:

    $this->Acl->deny($aroNode,$acoNode);

then all the _read, _update etc. fields in the aros_acos table are set to -1 (or 1 if I'd used allow). So far so good! However, if I have an array of 'actions', like this:

    $actions = Array('read','update');

And I set permissions like this:

    $this->Acl->allow($aroNode,$acoNode,$actions);

Then _read and _update are set to 1 (as expected), but the rest are set to zero - they are not left as they are (I explicitly do a deny all before I call allow). This doesn't seem right to me - I would've thought 'allowing' a set of permissions would leave the others untouched? Try as I might I can't work out where in the cake source it's doing this setting to zero. However, I have found out that when I do this:

    $this->Acl->check('create')

...a zero causes it to 'continue' and look further up the hierarchy, towards the parent, and get the permission from there. My aco nodes are in a hierarchy, so this means I can't deny a child access to something a parent has access to! (because if I deny all and then allow the ones I want, then check looks to the parent for the ones I didn't explicitly allow)

Am I misunderstanding things? Has anyone else had this problem?

Thanks in advance, Paul.
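The inheritance behaviour discussed in this thread and in the "inherited permissions" thread above, as an added example that is not part of the original posts and is not CakePHP's own code: a stand-alone model in which a 0 falls through to the parent, so a partial allow that zeroes the unlisted actions picks up the parent's grants, while an explicit -1 does not. The function names, the two-node tree and the permission rows are constructed for illustration.

```php
<?php
// Constructed model, not CakePHP code. Values follow the aros_acos columns
// described in the thread: 1 = allow, -1 = deny, 0 = nothing set here.
const ACTIONS = ['create', 'read', 'update', 'delete'];

// Grant as reported in the thread: actions that are not listed end up as 0.
function allowListed(array &$perms, string $node, array $actions): void {
    foreach (ACTIONS as $a) {
        $perms[$node][$a] = in_array($a, $actions, true) ? 1 : 0;
    }
}

// Hardened grant (hypothetical helper): everything not listed is an explicit -1.
function allowOnly(array &$perms, string $node, array $actions): void {
    foreach (ACTIONS as $a) {
        $perms[$node][$a] = in_array($a, $actions, true) ? 1 : -1;
    }
}

// Walk from the node towards the root; the first non-zero value decides,
// and a path with no explicit value anywhere is denied.
function check(array $perms, array $parents, string $node, string $action): bool {
    for ($n = $node; $n !== null; $n = $parents[$n] ?? null) {
        $v = $perms[$n][$action] ?? 0;
        if ($v !== 0) {
            return $v === 1;
        }
    }
    return false;
}

// Audit: actions the node does not set itself but gains from an ancestor.
function inheritedAllows(array $perms, array $parents, string $node): array {
    return array_values(array_filter(ACTIONS, function ($a) use ($perms, $parents, $node) {
        return ($perms[$node][$a] ?? 0) === 0 && check($perms, $parents, $node, $a);
    }));
}

// Constructed data: Admins may do everything, Subadmins is its child.
$parents = ['Subadmins' => 'Admins', 'Admins' => null];
$perms   = ['Admins' => array_fill_keys(ACTIONS, 1)];

allowListed($perms, 'Subadmins', ['read', 'update']);
echo "after allowListed, inherited: ", implode(',', inheritedAllows($perms, $parents, 'Subadmins')), "\n";

allowOnly($perms, 'Subadmins', ['read', 'update']);
echo "after allowOnly, inherited: ", implode(',', inheritedAllows($perms, $parents, 'Subadmins')), "\n";
var_dump(check($perms, $parents, 'Subadmins', 'create'));
```

Running `inheritedAllows` over every child node is a quick way to list grants that exist only because a column was left at 0.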
Re: Acl question
Hi Langdon

Your code sent me off in the right direction, so thank you for your help. However I had to make substantial changes, because your code did not fit with my user-model (and not with the functions available in cake 1.2). Allow me to explain (for general edification):

I have a user model where users can belong to a group. Aros for groups are named Group::$group_id and Aros for users are named User::$user_id. Groups and users are two separate tables in my database. In my aros tree, a user aro always has a group aro as parent.

My acos are named after the model they correspond to. For example the aco named Picture::1 represents operations on picture number 1. By allowing or denying actions on this aco, I allow a user (or group) the right to perform those actions.

When I check which Aros a certain user is represented by, I will always get at least two: the user aro and the group aro (plus the parent group aro, if there is one). When I allow and deny a certain aco the user aro, or lowermost aro in the aro tree, is the one that counts. Thus, if a group has read permission and the user has not, the user should be denied access. Thus, we must check the aros-acos permissions in a specific order. This is the function I came up with. It works because the node() function in acl always returns the tree in the proper order:

    function _getAllowedIds ($model, $access_type) {
        // this function returns a comma delimited string of id's that the
        // logged in user has access to in the model given.
        $aro = new Aro();
        // Get the username. It may be better to pass this to the function
        $user = $this->Session->read('User');
        $aroAlias = 'User::'.$user['id'];
        $aroNode = $this->Acl->Aro->node($aroAlias);
        $permission = new Permission();
        // loop from branches of aro tree to top
        for ($i = 0; $i < count($aroNode) - 1; $i++) {
            $temp[] = $permission->findAllByAro_id($aroNode[$i]['Aro']['id']);
        }
        $Aco = new Aco();
        $acos = array();
        // Iterate through the links. The temp array (containing
        // permission entries) is sorted by aro, and leaves come before
        // their parents
        foreach ($temp as $tempAro) {
            // Iterate through each Aco attached to the current Aro
            foreach ($tempAro as $tempLink) {
                if (preg_match("/^".$model."::\d+$/", $tempLink['Aco']['alias'])) {
                    // the following construction assures that permissions are
                    // taken from the bottom-most aro in the aro tree. I.e. if a
                    // user belongs to a group, the group has access to a file
                    // but the user does not, the user should not have
                    // access. First time we arrive here, the permission for a
                    // given aco is set to whatever it is for the bottom-most
                    // aro. Second time we arrive the permission is only changed
                    // if permission has not been specified in the first place.
                    if (array_key_exists($tempLink['Aco']['alias'], $acos)) {
                        switch($acos[$tempLink['Aco']['alias']]) {
                            case -1:
                                $acos[$tempLink['Aco']['alias']] = -1;
                                break;
                            case 0:
                                $acos[$tempLink['Aco']['alias']] = $tempLink['Permission']['_'.$access_type];
                                break;
                            case 1:
                                $acos[$tempLink['Aco']['alias']] = 1;
                                break;
                        }
                    } else {
                        $acos[$tempLink['Aco']['alias']] = $tempLink['Permission']['_'.$access_type];
                    }
                }
            }
            // the acl model in this application is constructed such that
            // Picture::id (or Text::id etc.) acos do not have children.
            // this means that there is no reason to find children on the
            // acos in this loop
        }
        // extract the id's
        foreach ($acos as $key => $aco) {
            if ($aco == 1) {
                $acos[$key] = preg_replace("/^".$model."::(\d+)/", "$1", $aco);
            } else {
                unset($acos[$key]);
            }
        }
        // create a comma delimited string of id's
        $string = implode(",", $acos);
        return $string;
    }

When calling this function I get a string of id's which corresponds to the table entries that a user has x-access to (where x is create, read, update or delete). I hope someone might find this useful.

:-) Nina

On Aug 16, 1:07 pm, Langdon Stevenson [EMAIL PROTECTED] wrote:

Hi Nina

snip

However, what I'd like is a simple command to find all pictures that a given user has access to. I realize that I can find all pictures and check them one by one. However, this seems expensive to me (one query to get all pictures and then N queries to check the permissions). There must be a simpler way to do it, but to find it requires a deep understanding of how acl works, and I don't really have that understanding (yet), so I am asking you. Has anyone here encountered a similar problem, and how did you solve it? If not, do you have any ideas on how I might attack this problem?

If you have a look at the api for ACL you will find that ACL provides a number of
Re: Acl question
Duh... I posted too soon, this is the function:

    function _getAllowedIds ($model, $access_type) {
        // this function returns a comma delimited string of id's that the
        // logged in user has access to in the model given.
        $aro = new Aro();
        // Get the username. It may be better to pass this to the function
        $user = $this->Session->read('User');
        $aroAlias = 'User::'.$user['id'];
        $aroNode = $this->Acl->Aro->node($aroAlias);
        $permission = new Permission();
        // loop from branches of aro tree to top
        for ($i = 0; $i < count($aroNode) - 1; $i++) {
            $temp[] = $permission->findAllByAro_id($aroNode[$i]['Aro']['id']);
        }
        $Aco = new Aco();
        $acos = array();
        // Iterate through the links. The temp array (containing
        // permission entries) is sorted by aro, and leaves come before
        // their parents
        foreach ($temp as $tempAro) {
            // Iterate through each Aco attached to the current Aro
            foreach ($tempAro as $tempLink) {
                if (preg_match("/^".$model."::\d+$/", $tempLink['Aco']['alias'])) {
                    // the following construction assures that permissions are
                    // taken from the bottom-most aro in the aro tree. I.e. if a
                    // user belongs to a group, the group has access to a file
                    // but the user does not, the user should not have
                    // access. First time we arrive here, the permission for a
                    // given aco is set to whatever it is for the bottom-most
                    // aro. Second time we arrive the permission is only changed
                    // if permission has not been specified in the first place.
                    if (array_key_exists($tempLink['Aco']['alias'], $acos)) {
                        switch($acos[$tempLink['Aco']['alias']]) {
                            case -1:
                                $acos[$tempLink['Aco']['alias']] = -1;
                                break;
                            case 0:
                                $acos[$tempLink['Aco']['alias']] = $tempLink['Permission']['_'.$access_type];
                                break;
                            case 1:
                                $acos[$tempLink['Aco']['alias']] = 1;
                                break;
                        }
                    } else {
                        $acos[$tempLink['Aco']['alias']] = $tempLink['Permission']['_'.$access_type];
                    }
                }
            }
            // the acl model in this application is constructed such that
            // Picture::id (or Text::id etc.) acos do not have children.
            // this means that there is no reason to find children on the
            // acos in this loop
        }
        // extract the id's
        $acos_out = array();
        foreach ($acos as $key => $aco) {
            if ($aco == 1) {
                array_push($acos_out, preg_replace("/^".$model."::(\d+)/", "$1", $key));
            }
        }
        // create a comma delimited string of id's
        $string = implode(",", $acos_out);
        return $string;
    }
Re: Acl question
Hi Nina

Glad I could be of some assistance :-)

Regards, Langdon

Nina wrote:

Hi Langdon

Your code sent me off in the right direction, so thank you for your help. However I had to make substantial changes, because your code did not fit with my user-model (and not with the functions available in cake 1.2). Allow me to explain (for general edification):

snip
Acl question
Hello

I would like some advice on how to tackle the following problem: I have a cakephp acl model where I have users and pictures. Users have access to some pictures and not to others. My aro alias is of the form User::$user_id and the aco alias for the picture is of the form Picture::$picture_id. I can always check if a user has access to a given picture by constructing the proper alias and using Acl->check.

However, what I'd like is a simple command to find all pictures that a given user has access to. I realize that I can find all pictures and check them one by one. However, this seems expensive to me (one query to get all pictures and then N queries to check the permissions). There must be a simpler way to do it, but to find it requires a deep understanding of how acl works, and I don't really have that understanding (yet), so I am asking you. Has anyone here encountered a similar problem, and how did you solve it? If not, do you have any ideas on how I might attack this problem?

:-) Nina
Re: Acl question
Hi Nina

snip

However, what I'd like is a simple command to find all pictures that a given user has access to. I realize that I can find all pictures and check them one by one. However, this seems expensive to me (one query to get all pictures and then N queries to check the permissions). There must be a simpler way to do it, but to find it requires a deep understanding of how acl works, and I don't really have that understanding (yet), so I am asking you. Has anyone here encountered a similar problem, and how did you solve it? If not, do you have any ideas on how I might attack this problem?

If you have a look at the api for ACL you will find that ACL provides a number of methods that aren't obvious from the documentation. One of them (I don't remember which) takes an ARO id as an argument and returns a tree of ACO objects that the ARO has access to. I think that this should suit your needs.

... I have just tried to work back through the code and extract the key part, but for the life of me I can't find what I am looking for in the api, or the Cake ACL code. I did however discover the following thread that I posted on this subject a while ago:

http://groups.google.com/group/cake-php/browse_thread/thread/263d3ffd6fb7533d/94779c7877163bb0

It explains what I did and shows the code that I used. However I can't find the parts of the api that it depends upon. Let me know if you need more explanation.

Regards, Langdon