How to use ACL with permissions


How to use ACL with permissions

Apprentice-2

I've created tables required by ACL. I have 2 models: Users & Posts
(intended for blog).
+ Users consist of Admins, Mods, Ordinary Users
+ Admins & Mods can modify all Posts
+ Only owners among Ordinary Users can modify their posts
+ Unauthorised Users who try to modify will be notified that they can't
do so

I read, read & read again & again but did not understand how to make
the things work together. Please give me a hint. Thank you very much!

Apprentice.


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---


Re: How to use ACL with permissions

zheka-2

you may find these useful
http://www.noswad.me.uk/MiBlog/ACLPart1
http://www.noswad.me.uk/MiBlog/ACLPart2



Re: How to use ACL with permissions

Apprentice-2

Hi Zheka,

Thank you for the hint.

I've read them a few days ago but still can't catch the essence. If you
have a clearer view, please share with me. Thank you in advance.

Apprentice.

On Nov 4, 9:22 pm, "zheka" <[hidden email]> wrote:
> you may find these useful
> http://www.noswad.me.uk/MiBlog/ACLPart1
> http://www.noswad.me.uk/MiBlog/ACLPart2



Re: How to use ACL with permissions

AD7six

Hi Apprentice,

There are 2 aspects to consider,

1) Setting up the ACL rules
2) Checking if someone has access

From your first message, assuming that you don't have vast numbers of
users:

1.1 AROs)
You need a structure something like this:
PUBLIC
    USERS
        random_name
        MODS
            friend_name
            ADMIN
                your_name

You can play with your aro structure here:
http://www.noswad.me.uk/AclAdminDemo/aros, if there is no similar
looking tree click the "load from user table" link at the bottom of the
page to get some data. Remember that an aro is a representation of a
user/group it is not in itself a user/group - i.e. a user and an aro
are rows in different tables in the db.

1.2 ACOs)
there is a plugin on my site that I will use here as an analogous
example. If you install the AclAdmin plugin in your own application,
the aco options will reflect the controllers and methods you have
defined yourself. Follow these steps to 'initialize' the acl demo data
so that it looks similar to what you are wanting:
go here: http://www.noswad.me.uk/AclAdminDemo/Acos/page_view and delete
the root node. (delete all existing acos and their rules)
go here: http://www.noswad.me.uk/AclAdminDemo/acos and click "global"
for "demo1". (create one aco for this plugin - do it for your app on
your own site.)
go here: http://www.noswad.me.uk/AclAdminDemo/acos and click "granular"
for "titles". (create an aco for the controller and one aco for each
method)
go here: http://www.noswad.me.uk/AclAdminDemo/Acos/data_view and you'll
see a tree representing the things that you can now control

So, title is equivalent to post, and there is an aco for editing,
deleting etc. a title.

1.3 ACL rules)

go here: http://www.noswad.me.uk/AclAdminDemo/permissions

Navigate to the group "ADMIN" and allow access to ROOT. This means that
any one under ADMIN has the right to access or do everything.
Navigate to the group "MODS" and allow access to demo1:titles:edit.
This means that any one under MODS has the right to edit titles.
Define any other rules you might want (such as PUBLIC can view/index)

At that you have all the building blocks in place.

2) Checking Access

Something similar to the code in
http://www.noswad.me.uk/MiBlog/ACLPart1  is what you want, with one
minor change. One of your requirements is that users can edit their own
posts - you can do this via acl but you don't need to. In your posts
controller define the method _checkACL such that if the action is edit
and the current user is the post owner - bypass the acl check.
Something like:

function _checkACL ($aro) {
        if (low($this->action)=='edit') {
                $data = $this->Post->read();
                if ($data['Post']['member_id'] <> $this->Session->read("Member.id")) {
                        $this->_accessDenied($aro,"Post:Edit:".$this->Post);
                }
        } else {
                return parent::_checkACL($aro);
        }
}

And that's that.

I hope that is useful, at least in prompting some "oh yeah I can.."
thoughts,

AD7six
Please note:
The manual/bakery is a good place to start any quest for info.
The cake search (at the time of writing) erroneously reports less/no
results for the google group.
The wiki may contain incorrect info - read at your own risk (it's
mainly user submitted) :)
You may get your answer quicker by asking on the IRC Channel (you can
access it with just a browser here: http://irc.cakephp.org).
On Nov 5, 12:45 am, "Apprentice" <[hidden email]> wrote:

> Hi Zheka,
>
> Thank you for the hint.
>
> I've read them a few days ago but still can't catch the essence. If you
> have a clearer view, please share with me. Thank you in advance.
>
> Apprentice.
>
> On Nov 4, 9:22 pm, "zheka" <[hidden email]> wrote:
>
> > you may find these useful http://www.noswad.me.uk/MiBlog/ACLPart1 http://www.noswad.me.uk/MiBlog...



Re: How to use ACL with permissions

AD7six

Ooops. that should be:

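function _checkACL ($aro) {
        if (low($this->action)=='edit') {
                $data = $this->Post->read();
                $memberId = $this->Session->read("Member.id");
                // Owner bypass: only when a post was actually loaded and a member is
                // logged in, so two empty values never compare equal (in PHP null == false).
                if (!empty($data) && !empty($memberId) && $data['Post']['member_id'] == $memberId) {
                        return true;
                } else {
                        // Not the owner: fall back to the normal ACL check
                        return parent::_checkACL($aro);
                }
        } else {
                return parent::_checkACL($aro);
        }
}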

On Nov 5, 3:54 pm, "AD7six" <[hidden email]> wrote:

> Hi Apprentice,
>
> There are 2 aspects to consider,
>
> 1) Setting up the ACL rules
> 2) Checking if someone has access
>
> From your first message, assuming that you don't have vast numbers of users:
>
> 1.1 AROs)
> You need a structure something like this:
> PUBLIC
>     USERS
>         random_name
>         MODS
>             friend_name
>             ADMIN
>                 your_name
>
> You can play with your aro structure here: http://www.noswad.me.uk/AclAdminDemo/aros, if there is no similar
> looking tree click the "load from user table" link at the bottom of the
> page to get some data. Remember that an aro is a representation of a
> user/group it is not in itself a user/group - i.e. a user and an aro
> are rows in different tables in the db.
>
> 1.2 ACOs)
> there is a plugin on my site that I will use here as an analogous
> example. If you install the AclAdmin plugin in your own application,
> the aco options will reflect the controllers and methods you have
> defined yourself. Follow these steps to 'initialize' the acl demo data
> so that it looks similar to what you are wanting:
> go here: http://www.noswad.me.uk/AclAdminDemo/Acos/page_view and delete
> the root node. (delete all existing acos and their rules)
> go here: http://www.noswad.me.uk/AclAdminDemo/acos and click "global"
> for "demo1". (create one aco for this plugin - do it for your app on
> your own site.)
> go here: http://www.noswad.me.uk/AclAdminDemo/acos and click "granular"
> for "titles". (create an aco for the controller and one aco for each
> method)
> go here: http://www.noswad.me.uk/AclAdminDemo/Acos/data_view and you'll
> see a tree representing the things that you can now control
>
> So, title is equivalent to post, and there is an aco for editing,
> deleting etc. a title.
>
> 1.3 ACL rules)
>
> go here: http://www.noswad.me.uk/AclAdminDemo/permissions
>
> Navigate to the group "ADMIN" and allow access to ROOT. This means that
> any one under ADMIN has the right to access or do everything.
> Navigate to the group "MODS" and allow access to demo1:titles:edit.
> This means that any one under MODS has the right to edit titles.
> Define any other rules you might want (such as PUBLIC can view/index)
>
> At that you have all the building blocks in place.
>
> 2) Checking Access
>
> Something similar to the code in http://www.noswad.me.uk/MiBlog/ACLPart1 is what you want, with one
> minor change. One of your requirements is that users can edit their own
> posts - you can do this via acl but you don't need to. In your posts
> controller define the method _checkACL such that if the action is edit
> and the current user is the post owner - bypass the acl check.
> Something like:
>
> function _checkACL ($aro) {
>         if (low($this->action)=='edit') {
>                 $data = $this->Post->read();
>                 if ($data['Post']['member_id'] <> $this->Session->read("Member.id")) {
>                         $this->_accessDenied($aro,"Post:Edit:".$this->Post);
>                 }
>         } else {
>                 return parent::_checkACL($aro);
>         }
> }
>
> And that's that.
>
> I hope that is useful, at least in prompting some "oh yeah I can.."
> thoughts,
>
> AD7six
> Please note:
> The manual/bakery is a good place to start any quest for info.
> The cake search (at the time of writing) erroneously reports less/no
> results for the google group.
> The wiki may contain incorrect info - read at your own risk (it's
> mainly user submitted) :)
> You may get your answer quicker by asking on the IRC Channel (you can
> access it with just a browser here: http://irc.cakephp.org).
> On Nov 5, 12:45 am, "Apprentice" <[hidden email]> wrote:
>
> > Hi Zheka,
>
> > Thank you for the hint.
>
> > I've read them a few days ago but still can't catch the essence. If you
> > have a clearer view, please share with me. Thank you in advance.
>
> > Apprentice.
>
> > On Nov 4, 9:22 pm, "zheka" <[hidden email]> wrote:
>
> > > you may find these useful http://www.noswad.me.uk/MiBlog/ACLPart1 http://www.noswad.me.uk/MiBlog...
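
The access decision discussed in this thread (rules granted to a group apply to everyone beneath it in the ARO tree, with an owner bypass for edit), as an added stand-alone example in plain PHP that is not code from the thread, the AclAdmin plugin or CakePHP. The names aclCheck and canEdit, the "ROOT:" path prefix, the member ids and the extra user other_name are assumptions made for the illustration.

```php
<?php
// Added illustration in plain PHP; it does not call CakePHP's Acl classes.
// ARO tree from 1.1 as child => parent; 'other_name' is a hypothetical second user.
$aroParent = [
    'PUBLIC' => null, 'USERS' => 'PUBLIC',
    'random_name' => 'USERS', 'other_name' => 'USERS',
    'MODS' => 'USERS', 'friend_name' => 'MODS',
    'ADMIN' => 'MODS', 'your_name' => 'ADMIN',
];
// Rules from 1.3. Writing ACO paths with a leading "ROOT:" is an assumption.
$allow = [
    'ADMIN' => ['ROOT'],
    'MODS'  => ['ROOT:demo1:titles:edit'],
];
// True if $aro, or any group above it, is allowed $aco or a parent of $aco.
function aclCheck($aro, $aco, array $aroParent, array $allow) {
    for ($node = $aro; $node !== null;
         $node = isset($aroParent[$node]) ? $aroParent[$node] : null) {
        $grants = isset($allow[$node]) ? $allow[$node] : [];
        foreach ($grants as $grant) {
            if ($aco === $grant || strpos($aco, $grant . ':') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Owner bypass first, then the ACL. Empty values never count as a match,
// so an anonymous session (null id) cannot "own" a post that failed to load.
function canEdit($aro, $memberId, $post, array $aroParent, array $allow) {
    if (!empty($post) && !empty($memberId) && $post['member_id'] === $memberId) {
        return true;
    }
    return aclCheck($aro, 'ROOT:demo1:titles:edit', $aroParent, $allow);
}

$post = ['id' => 7, 'member_id' => 3]; // constructed: post owned by member 3
$cases = [ // label => [ARO alias, session member id, loaded post]
    'admin'     => ['your_name', 1, $post],
    'moderator' => ['friend_name', 2, $post],
    'owner'     => ['random_name', 3, $post],
    'non-owner' => ['other_name', 4, $post],
    'anonymous' => ['PUBLIC', null, false],
];
foreach ($cases as $label => [$aro, $memberId, $loaded]) {
    $ok = canEdit($aro, $memberId, $loaded, $aroParent, $allow);
    printf("%-10s %s\n", $label, $ok ? 'may edit' : 'access denied');
}
```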

