Re: Need advice for custom ACL
On Jan 26, 5:05 pm, Ernesto e.fanz...@gmail.com wrote:
> Hi John, thx for your response. Acting that way will bloat my app, I have hundreds of possible combinations :\

Why not just do something simple based on configuration, so e.g.

    // app controller beforeFilter
    Configure::write('authtype', 'peon');

In beforeValidate in your models:

    $authtype = Configure::read('authtype');
    if ($authtype === 'peon') {
        $this->validate = $this->validateForPeons;
    } elseif ($authtype === 'admin') {
        $this->validate = $this->validateForAdmins;
    }

Use a helper to wrap your form/link requirements:

    echo $aHtml->link('admin home', '/admin');
    echo $aForm->create();
    echo $aForm->inputs();
    echo $aForm->end();

    // in your a html helper - example to give you an idea, not to copy paste and use
    function link(...) {
        if (Configure::read('authtype') !== 'admin') { // read from your auth rules in some manner
            return;
        }
        return parent::link(...);
    }

    // in your a form helper - example to give you an idea, not to copy paste and use
    function input(...) {
        if (Configure::read('authtype') === 'peon' && $field === 'status') { // read from your auth rules in some manner
            return;
        }
        return parent::input(...);
    }

Unless your rules change at run time and are user specific - I wouldn't use acl to solve it, unless you use iniacl.

hth
AD

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php
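The configuration-driven approach above, as an added example that is not code from the thread or from CakePHP: a plain-PHP model that picks its rule set from the auth type and, in addition, drops any posted field that auth type may not write. A form helper that stops rendering the 'status' input only changes the page it sends; the model is the place that decides what a client may actually submit. The class name Ticket, the 'peon'/'admin' auth types, the 'title'/'status' fields and the sample POST are all constructed for this example.

```php
<?php
// Added example, not code from the thread or from CakePHP: plain PHP that
// reproduces the "choose the validation set from the auth type" idea and
// adds the server-side field filter it needs. Ticket, the auth types, the
// fields and the sample POST are constructed.

class Ticket
{
    // Rules for ordinary users: only the title is checked.
    private $validateForPeons = array(
        'title'  => array('notEmpty'),
    );
    // Rules for admins: title plus the status field they are allowed to set.
    private $validateForAdmins = array(
        'title'  => array('notEmpty'),
        'status' => array('inList' => array('open', 'closed')),
    );
    // Fields each auth type may write. Suppressing the 'status' input in the
    // form helper only changes what the browser renders; the request itself
    // can still carry 'status', so the model drops it here as well.
    private $writable = array(
        'peon'  => array('title'),
        'admin' => array('title', 'status'),
    );

    // Equivalent of swapping $this->validate in beforeValidate().
    public function rulesFor($authtype)
    {
        return $authtype === 'admin' ? $this->validateForAdmins : $this->validateForPeons;
    }

    // Keep only the fields the current auth type is allowed to write.
    public function filterWritable($authtype, array $data)
    {
        $allowed = isset($this->writable[$authtype]) ? $this->writable[$authtype] : array();
        return array_intersect_key($data, array_flip($allowed));
    }

    // Returns an array of field => error message; an empty array means valid.
    public function validate($authtype, array $data)
    {
        $errors = array();
        foreach ($this->rulesFor($authtype) as $field => $rules) {
            $value = isset($data[$field]) ? $data[$field] : '';
            foreach ($rules as $name => $arg) {
                // A rule is either the bare value 'notEmpty' or 'inList' => options.
                if ($arg === 'notEmpty' && trim($value) === '') {
                    $errors[$field] = 'must not be empty';
                } elseif ($name === 'inList' && !in_array($value, $arg, true)) {
                    $errors[$field] = 'must be one of ' . implode(', ', $arg);
                }
            }
        }
        return $errors;
    }

    // The whole save path: filter first, then validate only what survived.
    public function save($authtype, array $post)
    {
        $data   = $this->filterWritable($authtype, $post);
        $errors = $this->validate($authtype, $data);
        return array('data' => $data, 'errors' => $errors);
    }
}

// Constructed POST body: a 'peon' session submitting a 'status' value that
// the form never offered. The filter removes it before validation runs.
$post = array('title' => 'Printer on fire', 'status' => 'closed');

$ticket = new Ticket();
print_r($ticket->save('peon', $post));
print_r($ticket->save('admin', $post));
print_r($ticket->save('admin', array('title' => '', 'status' => 'bogus')));
```

Run with `php ticket.php`. The first call shows the peon's data reduced to 'title' with no errors, the second shows the admin keeping 'status', and the third shows both admin rules firing. The point of the design is that rulesFor() and filterWritable() read the same auth type the helper reads, so what the view hides and what the model refuses cannot drift apart.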
Re: Need advice for custom ACL
In that case my honest advice to you is to revise your design. If it's not simple, it should simply not (In Hebrew it sounds better)
Re: Need advice for custom ACL
The only alternative path I can see is to make hundreds of controllers, each with its own specific model. This will lead to hundreds of controllers.

Right now I'm acting this way:

- I use the standard Cake ACL to prevent unwanted page views.
- I added an Authorization model, with HABTM relationship to User model (and vice-versa).
- I added a Vendor class named CheckAuthorizations, loaded in both AppController and AppModel's constructors. This class checks if there's any coincidence between the current logged user and the requested authorization code (authorization_id), by fetching data from Authorizations_Users (the HABTM join model).
- Authorization requests are done this way:

    $this->CheckAuthorization->check([AUTHCODE])
    or
    $this->CheckAuthorization->require([AUTHCODE])

Any advice?

On 27 Gen, 13:57, Zaky Katalan-Ezra procsh...@gmail.com wrote:
> In that case my honest advice to you is to revise your design. If it's not simple, it should simply not (In Hebrew it sounds better)
Re: Need advice for custom ACL
Ernesto:

Some things to try:

For your first example: ignore some validation rules if the user has authorization X.

- validate the data from the controller, using the $options parameter to specify which subset of the validation rules to apply. There is a (albeit simplistic) example in the Cookbook (http://book.cakephp.org/view/1182/Validating-Data-from-the-Controller), where only a couple of the fields are validated. If you have multiple rules for a field, and you want only some, not all, of those rules checked on that field, you can adjust the rules array for that field in the Model's beforeValidate() function (or an attached Behavior's beforeValidate()) -- the $options parameter of Model::validates() is passed to Model::beforeValidate(), and only the 'fieldList' key is reserved. Unfortunately, if you have to resort to beforeValidate(), your permissions logic will not be confined to your controller.
- if no errors, call Model::save() or Model::saveAll(), but set the validate parameter to false to avoid using the model's full validation.

For your second example: hide or modify some form fields if user hasn't authorization Y.

- in your controller, you can create an array of what authorizations the user has and save that to a view variable.
- in your view, use that array to determine whether a form field should be hidden or adjusted.

example:

foo_controller.php:

    function edit($id = null) {
        ...
        $aro = 'user/' . $this->Auth->user('id');
        // Create list of authorizations that user has
        $authorizations = array();
        foreach (array('Bar/Y_1', 'Bar/Y_2', 'Bar/Y_3') as $aco) {
            if ($this->Acl->check($aro, $aco)) {
                $authorizations[] = $aco;
            }
        }
        $this->set(compact('authorizations'));
    }

foo/edit.ctp:

    ...
    if (in_array('Bar/Y_2', $authorizations)) {
        echo $this->Form->input('fieldX1');
    } else {
        echo $this->Form->hidden('fieldX1');
    }
    if (in_array('Bar/Y_3', $authorizations)) {
        echo $this->Form->input('fieldX2', array(
            'options' => array('1', '2', '3')
        ));
    } else {
        echo $this->Form->input('fieldX2', array(
            'options' => array('4', '5', '6')
        ));
    }

Note that in Cake's built-in ACL, the ACO (Access Control Object) nodes do not have to correspond to controllers or actions. ACO nodes that correspond to actions is just one of the built-in behaviors. You can also define arbitrary ACO nodes. To extend my example above, I can have the following ACO nodes defined:

    controllers/Foo/add
    controllers/Foo/edit
    controllers/Foo/index
    controllers/Foo/view
    Bar/Y_1
    Bar/Y_2
    Bar/Y_3

and in app_controller.php:

    var $components = array('Auth' => array(
        'authorize'  => 'actions',
        'actionPath' => 'controllers/'
    ));

Note the 'actionPath' AuthComponent variable; any ACO nodes NOT nested under the 'controllers' (or whatever you specify as the actionPath) node are ignored for the purposes of the standard Cake ACL. To check permissions manually for everything else, you can use the check($aro, $aco, $action = '*') function of the AclComponent.

There may be some advantages of using Cake's AclComponent in this way instead of your custom CheckAuthorizations class, including:

- using existing tables (aros, acos, aros_acos, and not having to add the authorizations and authorizations_users tables)
- inheritance. ARO nodes can refer to groups and/or users -- if a UserX is part of GroupA and GroupA has access to AuthB, UserX also has AuthB (unless access to AuthB is explicitly revoked from UserX). And if groups are defined as hierarchical (i.e. TreeBehavior), GroupA can inherit access rights from its parents and ancestors. The same applies to ACO nodes.

In fact, you *could*, in theory, define field-level access in the following manner:

ARO:

    Group 1 (all users)
    Group 2 (admin)

ACO:

    controllers/Foo/edit
    controllers/Foo/edit/name
    controllers/Foo/edit/fieldX1
    controllers/Foo/edit/fieldX2

ARO/ACO:

    // All users can access the edit page for Foo
    $this->Acl->allow('Group 1', 'controllers/Foo/edit');
    // Revoke access to fieldX1 and fieldX2 from the public at large
    $this->Acl->deny('Group 1', 'controllers/Foo/edit/fieldX1');
    $this->Acl->deny('Group 1', 'controllers/Foo/edit/fieldX2');
    // Grant access to fieldX1 and fieldX2 to the admins
    $this->Acl->allow('Group 2', 'controllers/Foo/edit/fieldX1');
    $this->Acl->allow('Group 2', 'controllers/Foo/edit/fieldX2');

then adjust the controller and view to accommodate the results of the permission check.

- There is
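The group and field inheritance ShadowCross describes, as an added example that is not CakePHP's AclComponent or DbAcl: a small path-based ACL in plain PHP that loads the Group 1 / Group 2 rules from the post and resolves field checks for a few constructed users. The resolution order it uses (most specific ACO first, then the user and its parent groups, first explicit allow or deny wins, default deny) is an assumption of this sketch, not a description of Cake's own algorithm. The users alice, bob and carol, the extra per-user deny on bob, and the root-first ARO path notation 'Group 1/Group 2/alice' are the example's own.

```php
<?php
// Added example, not CakePHP's AclComponent or DbAcl. A minimal path-based
// ACL demonstrating group and node inheritance on the thread's rules.
// ARO paths are root-first: 'Group 1/Group 2/alice' means alice belongs to
// Group 2, which is a child of Group 1 (all users). Resolution order and the
// users are assumptions of this sketch.

class MiniAcl
{
    private $rules = array();   // $rules[$aroNode][$acoPath] = true (allow) | false (deny)

    public function allow($aroNode, $acoPath) { $this->rules[$aroNode][$acoPath] = true; }
    public function deny($aroNode, $acoPath)  { $this->rules[$aroNode][$acoPath] = false; }

    // Walk outward from the requested ACO to its ancestors; at each level look
    // at the ARO itself, then its parent groups. The first explicit rule wins,
    // so a deny on a group is overridden by an allow on a subgroup or a user,
    // and a rule on 'controllers/Foo/edit' covers 'controllers/Foo/edit/name'.
    public function check($aroPath, $acoPath)
    {
        foreach ($this->acoChain($acoPath) as $aco) {
            foreach ($this->aroChain($aroPath) as $aro) {
                if (isset($this->rules[$aro][$aco])) {
                    return $this->rules[$aro][$aco];
                }
            }
        }
        return false;   // no rule anywhere in either hierarchy: default deny
    }

    // 'a/b/c' -> array('a/b/c', 'a/b', 'a'), most specific first
    private function acoChain($path)
    {
        $parts = explode('/', $path);
        $chain = array();
        while (count($parts) > 0) {
            $chain[] = implode('/', $parts);
            array_pop($parts);
        }
        return $chain;
    }

    // 'Group 1/Group 2/alice' -> array('alice', 'Group 2', 'Group 1'), user first
    private function aroChain($path)
    {
        return array_reverse(explode('/', $path));
    }
}

$acl = new MiniAcl();
// The rules as given in the post
$acl->allow('Group 1', 'controllers/Foo/edit');
$acl->deny('Group 1', 'controllers/Foo/edit/fieldX1');
$acl->deny('Group 1', 'controllers/Foo/edit/fieldX2');
$acl->allow('Group 2', 'controllers/Foo/edit/fieldX1');
$acl->allow('Group 2', 'controllers/Foo/edit/fieldX2');
// Per-user revocation, the "unless explicitly revoked from UserX" case (constructed)
$acl->deny('bob', 'controllers/Foo/edit/fieldX2');

$alice = 'Group 1/Group 2/alice';   // admin
$bob   = 'Group 1/Group 2/bob';     // admin with one field revoked
$carol = 'Group 1/carol';           // ordinary user

// The field => bool map a controller would set() for the view to consult.
function fieldAccess(MiniAcl $acl, $aro)
{
    $result = array();
    foreach (array('name', 'fieldX1', 'fieldX2') as $field) {
        $result[$field] = $acl->check($aro, 'controllers/Foo/edit/' . $field);
    }
    return $result;
}

var_dump(fieldAccess($acl, $alice));
var_dump(fieldAccess($acl, $bob));
var_dump(fieldAccess($acl, $carol));
var_dump($acl->check($carol, 'controllers/Foo/delete'));
```

Run with `php miniacl.php`. alice gets all three fields because 'name' inherits the Group 1 allow on the edit page while fieldX1 and fieldX2 hit the Group 2 allows before the Group 1 denies; bob loses fieldX2 because his own deny is the most specific rule; carol keeps only 'name'; and the unlisted delete action is denied because nothing in the hierarchy mentions it. Whatever ACL implementation is used, the same map should drive both the view (which inputs to render) and the save path (which posted fields to accept), otherwise a field that is merely hidden is still writable.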
Re: Need advice for custom ACL
Hi ShadowCross, thx for your suggestions. I'll surely try them.

On 27 Gen, 20:31, ShadowCross adri...@jps.net wrote:
> Ernesto:
> Some things to try:
> [...]
Re: Need advice for custom ACL
> hi, in my app i need to (some examples):
> - ignore some validation rules if the user has authorization X
> - hide or modify some form fields if user hasn't authorization Y
> - do the usual ACL things (if you're a Customer you can't modify users and so on)
> not all of those authorizations are referred to a specific controller's action so cake's built-in ACL isn't very useful.
> in your opinion, what's the best way to implement this?

Not tried this, but could you:

1. Have multiple views per auth type, stops you needing to hide/show form fields
2. Have multiple Models that connect to the same table, each with a different set of validation rules
3. Use the correct model above in your controller and views

... which would mean your ACL logic stays in the controller.

Might work,

Cheers,

Jon

--
jon bennett - www.jben.net - blog.jben.net
Re: Need advice for custom ACL
Hi John, thx for your response. Acting that way will bloat my app, I have hundreds of possible combinations :\

On 26 Gen, 15:05, Jon Bennett jmbenn...@gmail.com wrote:
> Not tried this, but could you:
> 1. Have multiple views per auth type, stops you needing to hide/show form fields
> 2. Have multiple Models that connect to the same table, each with a different set of validation rules
> 3. Use the correct model above in your controller and views
> ... which would mean your ACL logic stays in the controller.
> [...]
Re: Need advice for custom ACL
> Hi John, thx for your response. Acting that way will bloat my app, I have hundreds of possible combinations :\

Not sure what else to suggest, interested to hear if/how you solve it!

--
jon bennett - www.jben.net - blog.jben.net
Re: Need advice for custom ACL
> not all of those authorizations are referred to a specific controller's action so cake's built-in ACL isn't very useful.

Then what do they refer to? It looks like you need to create an engine to create your views on the fly.
Re: Need advice for custom ACL
They don't refer to anything particular. Look at my example in the first post.

On 26 Gen, 18:40, Zaky Katalan-Ezra procsh...@gmail.com wrote:
> > not all of those authorizations are referred to a specific controller's action so cake's built-in ACL isn't very useful.
>
> Then what do they refer to? It looks like you need to create an engine to create your views on the fly.