Re: Need advice for custom ACL

2011-01-28 Thread AD7six


On Jan 26, 5:05 pm, Ernesto e.fanz...@gmail.com wrote:
 Hi John, thx for your response

 acting that way will bloat my app
 i have hundreds of possible combinations :\

why not just do something simple based on configuration

so e.g.

// app controller beforeFilter
Configure::write('authtype', 'peon');

in before validate in your models

$authtype = Configure::read('authtype');
if ($authtype === 'peon') {
  $this->validate = $this->validateForPeons;
} elseif ($authtype === 'admin') {
  $this->validate = $this->validateForAdmins;
}

use a helper to wrap your form/link requirements

echo $aHtml->link('admin home', '/admin');

echo $aForm->create();
echo $aForm->inputs();
echo $aForm->end();

// in your a html helper - example to give you an idea, not to copy paste and use
function link($title, $url = null, $options = array(), $confirmMessage = false) {
  // read from your auth rules in some manner
  if (Configure::read('authtype') !== 'admin') {
    return;
  }
  return parent::link($title, $url, $options, $confirmMessage);
}

// in your a form helper - example to give you an idea, not to copy paste and use
function input($field, $options = array()) {
  // read from your auth rules in some manner
  if (Configure::read('authtype') === 'peon' && $field === 'status') {
    return;
  }
  return parent::input($field, $options);
}

Unless your rules change at run time and are user specific - I
wouldn't use acl to solve it, unless you use iniacl.

hth

AD

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php
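The configuration-driven approach in AD7six's post, carried through as an added example (this is not code from the post or from CakePHP). It assumes CakePHP 1.3 class names (AppController, AppModel, Configure, AuthComponent), a users.role column holding 'peon' or 'admin', and a Ticket model with status and reason fields; the 'authtype' key and the $validateForPeons / $validateForAdmins property names come from the post, everything else is an assumption. The two points worth checking are that the role is derived from the authenticated session rather than from anything the client sent, and that an unknown role falls back to the strictest rule set.

```php
<?php
// Added example, not code from the thread. Assumes CakePHP 1.3 and a
// users.role column; the Ticket model and its fields are placeholders.

class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        // Derive the role from the authenticated session only. Never take it
        // from $this->params or $this->data: a client can post authtype=admin.
        $user = $this->Auth->user();
        $authtype = 'peon';   // anonymous or unknown role: strictest rules
        if (!empty($user['User']['role'])
            && in_array($user['User']['role'], array('peon', 'admin'), true)) {
            $authtype = $user['User']['role'];
        }
        Configure::write('authtype', $authtype);
    }
}

class AppModel extends Model {
    // Models that need role-specific rules define these two arrays.
    var $validateForPeons = array();
    var $validateForAdmins = array();

    function beforeValidate($options = array()) {
        if (empty($this->validateForPeons) && empty($this->validateForAdmins)) {
            return true;   // model has a single rule set, leave it alone
        }
        // Fail closed: anything that is not 'admin' gets the peon rules.
        $this->validate = $this->validateForPeons;
        if (Configure::read('authtype') === 'admin') {
            $this->validate = $this->validateForAdmins;
        }
        return true;
    }
}

class Ticket extends AppModel {
    var $name = 'Ticket';

    // Peons may only create tickets in the 'open' state and must give a reason.
    var $validateForPeons = array(
        'status' => array(
            'rule' => array('inList', array('open')),
            'message' => 'Only open tickets can be created.',
        ),
        'reason' => array(
            'rule' => 'notEmpty',
            'message' => 'A reason is required.',
        ),
    );

    // Admins may set any known state; the reason is optional.
    var $validateForAdmins = array(
        'status' => array(
            'rule' => array('inList', array('open', 'closed', 'wontfix')),
            'message' => 'Unknown status.',
        ),
    );
}
```

The helper that hides the status input for peons is a presentation measure; what actually stops a peon from submitting status=closed is that the peon rule set validates the status field whether or not the input was rendered. A controller that calls Model::save() with the validate argument set to false skips beforeValidate() and with it this selection, so keep that to data the controller built itself.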


Re: Need advice for custom ACL

2011-01-27 Thread Zaky Katalan-Ezra
In that case my honest advice to you is to revise your design.

If it's not simple, it simply shouldn't be (In Hebrew it sounds better)



Re: Need advice for custom ACL

2011-01-27 Thread Ernesto
the only alternative path i can see is to make hundreds of
controllers, each with its own specific model.
this will lead to hundreds of controllers.

Right now i'm acting this way:
- i use the standard Cake ACL to prevent unwanted page views.
- i added an Authorization model, with HABTM relationship to User
model (and vice-versa)
- i added a Vendor class named CheckAuthorizations, loaded in both
AppController and AppModel's constructors. This class checks if
there's any coincidence between the current logged user and the
requested authorization code (authorization_id), by fetching data from
Authorizations_Users (the HABTM join model).
- Authorization requests are done this way:
$this->CheckAuthorization->check([AUTHCODE])
or
$this->CheckAuthorization->require([AUTHCODE])

Any advice?

On 27 Jan, 13:57, Zaky Katalan-Ezra procsh...@gmail.com wrote:
 In that case my honest advice to you is to revise your design.

 If it's not simple, it simply shouldn't be (In Hebrew it sounds better)

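Ernesto's CheckAuthorizations class itself is not on the page. As an added example (not his code and not part of CakePHP), here is one way to implement the same check/require pair as a CakePHP 1.3 component, assuming his User hasAndBelongsToMany Authorization schema plus an authorizations.code column that the post does not mention (it only refers to authorization_id). Writing it as a component means the join-table lookup runs once per request and the result is shared by every check in that request; the fatal variant is named requireCode() because require is a reserved word in PHP 5 and cannot be a method name there.

```php
<?php
// Added example, not Ernesto's class. Assumes CakePHP 1.3, User HABTM
// Authorization, and an authorizations.code column (an assumption).

class AuthorizationComponent extends Object {
    var $components = array('Auth', 'Session');
    var $controller = null;
    var $codes = null;   // null = not loaded yet for this request

    function initialize(&$controller) {
        $this->controller =& $controller;
    }

    // Codes held by the logged-in user, read through the HABTM join table.
    function codes() {
        if ($this->codes !== null) {
            return $this->codes;
        }
        $this->codes = array();
        $userId = $this->Auth->user('id');
        if (!$userId) {
            return $this->codes;   // anonymous users hold nothing
        }
        $user = ClassRegistry::init('User')->find('first', array(
            'conditions' => array('User.id' => $userId),
            'recursive' => 1,      // pulls the associated Authorization rows
        ));
        if ($user) {
            $this->codes = Set::extract('/Authorization/code', $user);
        }
        return $this->codes;
    }

    // Non-fatal query, for branching in controllers and views.
    function check($code) {
        return in_array($code, $this->codes(), true);
    }

    // Fatal check: ends the request, so a caller cannot forget to act on the result.
    function requireCode($code) {
        if ($this->check($code)) {
            return true;
        }
        $this->Session->setFlash('You are not authorized for ' . h($code) . '.');
        $this->controller->redirect('/');   // Controller::redirect() exits by default
    }
}
```

In a controller action the fatal form reads `$this->Authorization->requireCode('EDIT_PRICES');` at the top of the action, and the non-fatal form `$this->Authorization->check('EDIT_PRICES')` is what you would pass down to the view or model as a plain boolean. Because the component is tied to the request, models do not call it directly; the controller resolves the codes and hands the result down.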


Re: Need advice for custom ACL

2011-01-27 Thread ShadowCross
Ernesto:

Some things to try:

For your first example: ignore some validation rules if the user has
authorization X.
- validate the data from the controller, using the $options parameter
to specify which subset of the validation rules to apply.  There is a
(albeit simplistic) example in the Cookbook (http://book.cakephp.org/
view/1182/Validating-Data-from-the-Controller), where only a couple of
the fields are validated.  If you have multiple rules for a field, and
you want only some, not all, those rules checked on that field, you
can adjust rules array for that field in the Model's beforeValidate()
function (or an attached Behavior's beforeValidate()) -- the
$options parameter of Model::validates() is passed to the
Model::beforeValidate(), and only the 'fieldList' key is reserved.
Unfortunately, if you have to resort to the beforeValidate(), your
permissions logic will not be confined to your controller.
- if no errors, call the Model::save() or Model::saveAll(), but set
the validate parameter to false to avoid using the model's full
validation

=
For your second example: hide or modify some form fields if user
hasn't authorization Y.
- in your controller, you can create an array of what authorizations
the user has and save that to a view variable.
- in your view, use that array to determine whether a form field
should be hidden or adjusted.

example:
foo_controller.php:

function edit($id = null) {
    ...
    $aro = 'user/' . $this->Auth->user('id');

    // Create list of authorizations that user has
    $authorizations = array();
    foreach (array('Bar/Y_1', 'Bar/Y_2', 'Bar/Y_3') as $aco) {
        if ($this->Acl->check($aro, $aco)) {
            $authorizations[] = $aco;
        }
    }
    $this->set(compact('authorizations'));
}

foo/edit.ctp:

...

if (in_array('Bar/Y_2', $authorizations)) {
    echo $this->Form->input('fieldX1');
} else {
    echo $this->Form->hidden('fieldX1');
}
if (in_array('Bar/Y_3', $authorizations)) {
    echo $this->Form->input('fieldX2', array(
        'options' => array('1', '2', '3')
    ));
} else {
    echo $this->Form->input('fieldX2', array(
        'options' => array('4', '5', '6')
    ));
}


Note that in Cake's built-in ACL, the ACO (Access Control Object)
nodes do not have to correspond to controllers or actions. ACO nodes
that correspond to actions are just one of the built-in behaviors.  You
can also define arbitrary ACO nodes.  To extend my example above, I
can have the following ACO nodes defined:

controllers/Foo/add
controllers/Foo/edit
controllers/Foo/index
controllers/Foo/view
Bar/Y_1
Bar/Y_2
Bar/Y_3

and in app_controller.php:

var $components = array('Auth' => array(
    'authorize' => 'actions',
    'actionPath' => 'controllers/'
));

Note the 'actionPath' AuthComponent variable; any ACO nodes NOT nested
under the 'controllers' (or whatever you specify as the actionPath)
node are ignored for the purposes of the standard Cake ACL.  To
check permissions manually for everything else, you can use the
check($aro, $aco, $action = '*') function of the AclComponent.

There may be some advantages of using Cake's AclComponent in this way
instead of your custom CheckAuthorizations class, including:
- using existing tables (aros, acos, aros_acos, and not having to add
the authorizations and authorizations_users tables)
- inheritance.  ARO nodes can refer to groups and/or users -- if a
UserX is part of GroupA and GroupA has access to AuthB, UserX also has
AuthB (unless access to AuthB is explicitly revoked from UserX).  And
if groups are defined as hierarchical (i.e. TreeBehavior), GroupA can
inherit access rights from its parents and ancestors.  The same
applies to ACO nodes.  In fact, you *could*, in theory, define field-
level access in the following manner:

ARO:
Group 1 (all users)
Group 2 (admin)

ACO:
controllers/Foo/edit
controllers/Foo/edit/name
controllers/Foo/edit/fieldX1
controllers/Foo/edit/fieldX2

ARO/ACO:

// All users can access the edit page for Foo
$this->Acl->allow('Group 1', 'controllers/Foo/edit');

// Revoke access to fieldX1 and fieldX2 from the public at large
$this->Acl->deny('Group 1', 'controllers/Foo/edit/fieldX1');
$this->Acl->deny('Group 1', 'controllers/Foo/edit/fieldX2');

// Grant access to fieldX1 and fieldX2 to the admins
$this->Acl->allow('Group 2', 'controllers/Foo/edit/fieldX1');
$this->Acl->allow('Group 2', 'controllers/Foo/edit/fieldX2');

then adjust the controller and view to accommodate the results of the
permission check.

- There is 
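ShadowCross's field-level ACO layout, carried through to the controller as an added example (not code from the post or from CakePHP). It assumes CakePHP 1.3 (AclComponent, AuthComponent, Model::save() with a fieldList), ACO nodes named 'controllers/Foo/edit/<field>' as in the post, a Foo model with name, fieldX1 and fieldX2 columns, and a view action to redirect to; all of those are placeholders. The point it adds is that the view decides only what to render: the same permission result is turned into a save() fieldList, so a field the user is not allowed to change is dropped even if the browser posts it, and the record id is taken from the URL rather than from the form.

```php
<?php
// Added example, not code from the thread. Assumes CakePHP 1.3 and the
// ACO nodes 'controllers/Foo/edit' and 'controllers/Foo/edit/<field>'.

class FoosController extends AppController {
    var $components = array('Auth', 'Acl', 'Session');

    // Fields every user who can reach the edit action may change.
    var $openFields = array('name');
    // Fields that need their own 'controllers/Foo/edit/<field>' grant.
    var $gatedFields = array('fieldX1', 'fieldX2');

    // Resolve the field-level permissions once, server-side, from the ACL.
    function _allowedFields() {
        $aro = array('model' => 'User', 'foreign_key' => $this->Auth->user('id'));
        $allowed = $this->openFields;
        foreach ($this->gatedFields as $field) {
            if ($this->Acl->check($aro, 'controllers/Foo/edit/' . $field)) {
                $allowed[] = $field;
            }
        }
        return $allowed;
    }

    function edit($id = null) {
        // The record being edited comes from the URL, never from the form.
        $this->Foo->id = $id;
        if (!$id || !$this->Foo->exists()) {
            $this->cakeError('error404');
        }
        $allowed = $this->_allowedFields();

        if (!empty($this->data)) {
            // A posted Foo.id would otherwise move the update to another row.
            unset($this->data['Foo']['id']);

            // The fieldList is the real check. A user who un-hides fieldX1 in
            // the browser and posts it still cannot write it: save() validates
            // and writes only the fields in $allowed and ignores the rest.
            if ($this->Foo->save($this->data, true, $allowed)) {
                $this->Session->setFlash('Saved.');
                $this->redirect(array('action' => 'view', $id));
            }
            $this->Session->setFlash('Please correct the errors below.');
        } else {
            $this->data = $this->Foo->read(null, $id);
        }

        // The view only decides what to render, not what gets saved.
        $this->set(compact('allowed'));
    }
}
```

In foos/edit.ctp, render `$this->Form->input('fieldX1')` only when `in_array('fieldX1', $allowed)` and otherwise show the stored value as plain text rather than as `$this->Form->hidden('fieldX1')`: a hidden input travels back in the POST regardless, and it is the fieldList, not the markup, that keeps the value out of the UPDATE. Because save() with a fieldList also restricts validation to those fields, this covers the first point in the post (validating a subset of the rules) without touching beforeValidate().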

Re: Need advice for custom ACL

2011-01-27 Thread Ernesto
Hi ShadowCross.

thx for your suggestions.

i'll surely try them


On 27 Jan, 20:31, ShadowCross adri...@jps.net wrote:
 Ernesto:

 Some things to try:

 For your first example: ignore some validation rules if the user has
 authorization X.
 - validate the data from the controller, using the $options parameter
 to specify which subset of the validation rules to apply.  There is a
 (albeit simplistic) example in the Cookbook (http://book.cakephp.org/
 view/1182/Validating-Data-from-the-Controller), where only a couple of
 the fields are validated.  If you have multiple rules for a field, and
 you want only some, not all, those rules checked on that field, you
 can adjust rules array for that field in the Model's beforeValidate()
 function (or an attached Behavior's beforeValidate()) -- the
 $optionsparameter of Model::validates() is passed to the
 Model::beforeValidate(), and only the 'fieldList' key is reserved.
 Unfortunately, if you have to resort to the beforeValidate(), your
 permissions logic will not be confined to your controller.
 - if no errors, call the Model::save() or Model::saveAll(), but set
 the validate parameter to false to avoid using the model's full
 validation

 =
 For your second example: hide or modify some form fields if user
 hasn't authorization Y.
 - in your controller, you can create an array of what authorizations
 the user has and save that to a view variable.
 - in your view, use that array to determine whether a form field
 should be hidden or adjusted.

 example:
 foo_controller.php:

         function edit($id = null) {
                 ...
                 $aro = 'user/' . $this-Auth-user('id');

                 // Create list of authorizations that user has
                 $authorizations = array();
                 foreach(array('Bar/Y_1', 'Bar/Y_2', 'Bar/Y_3') as $aco) {
                         if ($this-Acl-check($aro, $aco) {
                                 $authorizations[] = $aco;
                         }
                 }
                 $this-set(compact('authorizations'));
         }

 foo/edit.ctp:

         ...

         if (in_array('Bar/Y_2', $authorizations)) {
                 echo $this-Form-input('fieldX1');
         } else {
                 echo $this-Form-hidden('fieldX1');
         }
         if (in_array('Bar/Y_3', $authorizations)) {
                 echo $this-Form-input('fieldX2', array(
                         'options' = array('1', '2', '3')
                 ));
         } else {
                 echo $this-Form-input('fieldX2', array(
                         'options' = array('4', '5', '6')
                 ));
         }

 Note that in Cake's built-in ACL, the ACO (Access Control Object)
 nodes do not have to correspond to controllers or actions. ACO nodes
 that correspond to actions is just one of the built-in behaviors.  You
 can also define arbitrary ACO nodes.  To extend my example above, I
 can have the following ACO nodes defined:

         controllers/Foo/add
         controllers/Foo/edit
         controllers/Foo/index
         controllers/Foo/view
         Bar/Y_1
         Bar/Y_2
         Bar/Y_3

 and in app_controller.php:

         var $components = array('Auth' = array(
                 'authorize' = 'actions',
                 'actionPath' = 'controllers/'
         ));

 Note the 'actionPath' AuthComponent variable; any ACO nodes NOT nested
 under the 'controllers' (or whatever you specify as the actionPath)
 node are ignored for the purposes of the standard Cake ACL.  To
 check permissions manually for everything else, you can use the
 check($aro, $aco, $action = '*') function of the AclComponent.

 There may be some advantages of using Cake's AclComponent in this way
 instead of your custom CheckAuthorizations class, including:
 - using existing tables (aros, acos, aros_acos, and not having to add
 the authorizations and authorizations_users tables)
 - inheritance.  ARO nodes can refer to groups and/or users -- if a
 UserX is part of GroupA and GroupA has access to AuthB, UserX also has
 AuthB (unless access to AuthB is explicitly revoked from UserX.  And
 if groups are defined as heirarchical (i.e. TreeBehavior), GroupA can
 inherit access rights from it's parents and ancestors.  The same
 applies to ACO nodes.  In fact, you *could*, in theory, define field-
 level access in the following manner:

 ARO:
         Group 1 (all users)
         Group 2 (admin)

 ACO:
         controllers/Foo/edit
         controllers/Foo/edit/name
         controllers/Foo/edit/fieldX1
         controllers/Foo/edit/fieldX2

 ARO/ACO:

         // All users can access the edit page for Foo
         $this-Acl-allow('Group 1', 'controllers/Foo/edit');

         // Revoke access to fieldX1 and fieldX2 from the public at large
         $this-Acl-deny('Group 1', 'controllers/Foo/edit/fieldX1');
         $this-Acl-deny('Group 1', 'controllers/Foo/edit/fieldX2');

         // Grant access to fieldX1 and fieldX2 to the admins
         

Re: Need advice for custom ACL

2011-01-26 Thread Jon Bennett
hi,

 in my app i need to (some examples):

 - ignore some validation rules if the user has authorization X
 - hide or modify some form fields if user hasn't authorization Y
 - do the usual ACL things (if you're a Customer you can't modify
 users and so on)

 not all of those authorizations are referred to a specific
 controller's action so cake's built-in ACL isn't very useful.

 in your opinion, what's the best way to implement this?

Not tried this, but could you:

1. Have multiple views per auth type, stops you needing to hide/show form fields
2. Have multiple Models that connect to the same table, each with a
different set of validation rules
3. Use the correct model above in your controller and views

... which would mean your ACL logic stays in the controller.

Might work,

Cheers,

Jon

-- 
jon bennett - www.jben.net - blog.jben.net



Re: Need advice for custom ACL

2011-01-26 Thread Ernesto
Hi John, thx for your response

acting that way will bloat my app
i have hundreds of possible combinations :\

On 26 Jan, 15:05, Jon Bennett jmbenn...@gmail.com wrote:
 hi,

  in my app i need to (some examples):

  - ignore some validation rules if the user has authorization X
  - hide or modify some form fields if user hasn't authorization Y
  - do the usual ACL things (if you're a Customer you can't modify
  users and so on)

  not all of those authorizations are referred to a specific
  controller's action so cake's built-in ACL isn't very useful.

  in your opinion, what's the best way to implement this?




Re: Need advice for custom ACL

2011-01-26 Thread Jon Bennett
 HiJohn thx for your response

 acting that way will bloat my app
 i have hundreds of possible combinations :\

Not sure what else to suggest, interested to hear if/how you solve it!

-- 
jon bennett - www.jben.net - blog.jben.net



Re: Need advice for custom ACL

2011-01-26 Thread Zaky Katalan-Ezra
not all of those authorizations are referred to a specific
controller's action so cake's built-in ACL isn't very useful.

Then what do they refer to?

It looks like you need to create an engine to create your views on the fly.



Re: Need advice for custom ACL

2011-01-26 Thread Ernesto
They don't refer to anything particular.

Look @ my example in first post

On 26 Jan, 18:40, Zaky Katalan-Ezra procsh...@gmail.com wrote:
 not all of those authorizations are referred to a specific
 controller's action so cake's built-in ACL isn't very useful.

 Then what do they refer to?

 It looks like you need to create an engine to create your views on the fly.
