Auth is NOT Access Control, It is simply authentication.
No need to go rushing towards ACL.
http://book.cakephp.org/view/1275/authorize
$this->Auth->authorize = 'controller'; is a very acceptable
configuration for authorisation, hence why it is probably the most
commonly used.
I find ACL
On Sep 6, 8:36 pm, LunarDraco mdc...@gmail.com wrote:
Auth is NOT Access Control, It is simply authentication. You know the
user is real and has validated.
Access Control at a data level requires a bit more than Auth.
In general you can build up ACL (Access Control List) where you can
then control which data is visible to different request objects.
You should really look at modifying your auth() configuration so you
can move the authorisation work out of the controller actions and into
Controller::isAuthorized();
In your AppController (if applying to whole app) you could do
$this->Auth->authorize = 'controller';
Then you create an
Hi andrewperk, I am really grateful for your help so far. Thanks a lot;
before I got the reply I was able to figure it out.
One last problem I am having is that if a user wants to edit his
profile and the id field for the user in the profile table is 1 but
the value of the logged-in user id is 2 a user
It's pretty simple, just use a conditional to compare the logged in
user's ID to the ID passed in to the URL. If it doesn't match then
they get redirected back to the edit page but this time passing in
their ID rather than the one they tried to use. This should ensure
only the current user can
Really grateful for your help. It is now working as I wanted it to; I
didn't know it was this simple but I was thinking in this direction.
But I am having another problem in my CakePHP application. I have a
function called addProfile; I would like the function to be displayed
to a user that has logged
I can try to give you some tips on how to build your code and the
logic behind it.
I assume your user model has a (hasOne) relationship to the profile
model and the profile model has a (belongsTo) relationship to the User
model, right? A user can have a single profile. In the profiles table
I have already set up the Auth component and it is working perfectly.
But I just discovered a problem.
There are two users in my users table. When I am logged in as one of the
users I can access the other user's details just by changing the id.
This wouldn't be secure as a logged-in user can access all the
You need to scope the update to only update the logged in user. That
way when a user accesses the update action it will only allow them to
update their own account.
For instance on the action to update a user fetch that user like so:
public function update() {
// This sets the logged in user
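An added example, not code from any post in this thread: a CakePHP 1.3-style ProfilesController that applies the scoping andrewperk describes together with the Controller::isAuthorized() wiring LunarDraco refers to. The `Profile.user_id` column and the `add` and `view` actions are assumptions.

```php
<?php
// Added example, not code from the thread. CakePHP 1.3 style; assumes
// User hasOne Profile and a profiles.user_id column (hypothetical names).
class ProfilesController extends AppController {
    var $name = 'Profiles';
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Authorisation is delegated to Controller::isAuthorized().
        $this->Auth->authorize = 'controller';
    }

    function isAuthorized() {
        // Any authenticated user may reach edit(); ownership is checked there.
        return (bool)$this->Auth->user('id');
    }

    // The URL id is ignored: the record is found by the authenticated
    // user's id, so there is no parameter for a user to tamper with.
    function edit() {
        $userId = $this->Auth->user('id');
        $profile = $this->Profile->find('first', array(
            'conditions' => array('Profile.user_id' => $userId),
        ));
        if (empty($profile)) {
            $this->Session->setFlash(__('Invalid profile', true));
            $this->redirect(array('action' => 'add'));   // assumed action
        }
        if (!empty($this->data)) {
            // Pin id and owner server-side so a forged hidden field in the
            // POST body cannot point the save at another user's record.
            $this->data['Profile']['id'] = $profile['Profile']['id'];
            $this->data['Profile']['user_id'] = $userId;
            if ($this->Profile->save($this->data)) {
                $this->Session->setFlash(__('Profile updated', true));
                $this->redirect(array('action' => 'view')); // assumed action
            }
        } else {
            $this->data = $profile;
        }
    }
}
```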
Thanks for your help. Please, I still can't restrict access to only the
logged-in user's details. This is my edit code:
function edit($id = null) {
if (!$id && empty($this->data)) {
$this->Session->setFlash(__('Invalid profile', true));