I'm using isAuthorized to deny access to methods if the record id doesn't belong to the user. Profiles can have many documents and documents belong to one profile:
Controller/DocumentsController.php
public function add($id = null) {
if ($this->request->is('post')) {
$this->request->data['Document']['profile_id'] = $id;
$this->request->data['Document']['user_id'] = $this->Auth->user('id');
$this->Document->create();
if ($this->Document->save($this->request->data)) {
$this->Session->setFlash(__('The document has been saved'));
$this->redirect(array('action' => 'index'));
} else {
$this->Session->setFlash(__('The document could not be saved. Please, try again.'));
}
}
}
public function isAuthorized($user) {
if ($this->action === 'index') {
return true;
}
if (in_array($this->action, array('view', 'add', 'edit', 'delete'))) {
$document_id = $this->request->params['pass'][0];
if ($this->Document->isOwnedBy($document_id, $user['id'])) {
return true;
}
}
return parent::isAuthorized($this->Auth->user());
}
Model/Document.php
public function isOwnedBy($document, $user) {
return $this->field('id', array('id' => $document, 'user_id' => $user)) === $document;
}
I'm passing the profile id as $id to docments/add from one of my profile views via Cake link helper:
View/Profiles/view.ctp
echo $this->Html->link('New Document',
array('controller' => 'documents', 'action' => 'add',$profile['Profile']['id'])
);
What happens when I click on New Document from profiles/view is that it sends the request but doesn't redirect, just refreshes the page, or it redirects back to profiles/view, not sure which. My first guess is since I'm not defining the profile id in the isAuthorized callback within DocumentsController, isOwnedBy is returning false. Any suggestions on how to get the profile id in isAuthorized within DocumentsController?
Thanks in advance!
The solution to this is relativley easy. When using isAuthorized with parameters from another controller, be sure to reference the right model.
if ($this->Document->Profile->isOwnedBy($document_id, $user['id'])) {
return true;
}
Related
I am working on one role based login system. Actually, What should I do to the controller, model and the views in this role based login system to allocate different access criteria.
I am little confused about how to set and access for the user according to the role.
Mainly I am not sure about how to allocate different view as a role.
ex. I apply if condition to check role and then view according to the role the menu show the different links. like main admin can only watch account tab. the user can not see the account tab.
I also set the same if condition with the session in the controller for preventing direct access to that page.
Here is my code which I applied to menu and controller.
<?php
$login_role= $this->session->userdata('user_data');
if($login_role['user_role'] === 'super_admin'){
?><li><a href="<?php echo base_url('account/view_account'); ?>">
<div>Account</div></a></li><?php
}
?>
and the same condition in the controller
public function index()
{
$login_role= $this->session->userdata('user_data');
if($login_role['user_role'] === 'super_admin')
{
$this->load->model('location_model');
$city_list = $this->location_model->get_city_list();
$state_list = $this->location_model->get_state_list();
//log_message('info', 'City and State list will sucessfully loded.');
$this->load->view('admin/account_insert',['city_list'=>$city_list,'state_list'=>$state_list]);
} else {
redirect('admin/dashboard','refresh');
}
}
I am not sure about is this safe to use like this way. or I have to do something else as a good practice.
I am using a single Controller Login system for all user roles. I have a table of user roles and I have role id in users table. Then I have controller names matching those roles. When user login, I check for role and redirect the user to that controller after verification. Following is the index function of my Login Controller.
public function index()
{
if(!$this->isLoggedIn())
{
$data['title']='Title You want to set on Page';
if($_POST)
{
$config=array(
array(
'field' => 'email',
'label' => 'Email',
'rules' => 'trim|required|valid_email',
),
array(
'field' => 'password',
'label' => 'Password',
'rules' => 'trim|required',
),
);
$this->form_validation->set_rules($config);
if($this->form_validation->run()==false)
{
$data['errors']=validation_errors();
$this->load->view('static/head', $data);
$this->load->view('admin/login');
}
else
{
$user=$this->admin_model->checkUser($_POST);
if(!empty($user))
{
if($user['role']==1)
{
$user['type']='admin';
}
elseif($user['role']==2)
{
$user['type']='team';
}
elseif($user['role']==3)
{
$user['type']='client';
}
elseif($user['role']==4)
{
$user['type']='manager';
}
$this->session->set_userdata($user);
redirect(base_url().$user['type']);
}
else
{
$data['errors']='The credentials you have provided are incorrect or your account has not been approved yet.';
$this->load->view('static/head', $data);
$this->load->view('admin/login');
}
}
}
else
{
$this->load->view('static/head', $data);
$this->load->view('admin/login');
}
}
else
{
redirect(base_url().$this->session->userdata['type']);
}
}
Its working perfectly for me. Furthermore in each Controller I have functions to check if the user is logged in for this role like this
public function isLoggedIn()
{
if(!empty($this->session->userdata['id'])&& $this->session->userdata['type']=='team')
{
return true;
}
else
{
return false;
}
}
And I render my index function of that controller. E.g Following is the team controller index function
public function index()
{
if($this->isLoggedIn())
{
$data['menu']=$this->team_model->getMenuItems();
$data['task_logs']=$this->admin_model->getAllLogs();
$data['title']='Title';
$this->load->view('static/head',$data);
$this->load->view('static/header');
$this->load->view('static/sidebar');
$this->load->view('team/dashboard');
$this->load->view('static/footer');
}
else
{
redirect(base_url());
}
}
This is what I did to reproduce my problem:
Login (redirection at page foo)
Click and go to page bar
Logout
Login again
The redirected page is bar (it should be foo)
This is what I did:
AppController.php
$this->loadComponent('Auth', [
'authorize' => ['Controller'],
'loginRedirect' => [
'controller' => 'Dashboard',
'action' => 'index'
]
]);
UsersController.php
public function login($reset = null) {
$this->layout = 'login';
$this->set('reset', $reset);
if ($this->request->is('post')) {
$user = $this->Auth->identify();
if ($user) {
// IMPORTANT!
// Here I'm setting a different redirect url. The book says
// that $this->Auth->redirectUrl() will read the Auth.redirect
// session. I wanted my admin to login into a different page
if($session->read('Auth.User.role_id') === 3) {
$session->write('Auth.redirect', '/users/system_administrator_index');
}
$this->Auth->setUser($user);
return $this->redirect($this->Auth->redirectUrl());
} else {
$this->Flash->error('Oops', ['key' => 'auth']);
}
}
}
public function logout() {
return $this->redirect($this->Auth->logout());
}
I tried to use $session->destroy(); in order to clear everything related to my session but I noticed anything.
Each time I retry to login, the server redirect me to the last page I visited the last time I was connected.
I found a workaround. Instead of using return $this->redirect($this->Auth->redirectUrl());, I do a manual redirection.
public function login($reset = null) {
$this->layout = 'login';
$this->set('reset', $reset);
if ($this->request->is('post')) {
$user = $this->Auth->identify();
if ($user) {
$this->Auth->setUser($user);
if($user['role_id'] === 3){
return $this->redirect('/users/system_administrator_index');
}
return $this->redirect('/dashboard');
} else {
$this->Flash->error('Oops', ['key' => 'auth']);
}
}
}
I'm trying to protect administrators from accidentally deleting each other in CakePHP 2.4 by checking the group_id. I tried using the following delete method, but it deletes the user anyway and doesn't redirect. How do I return the group_id of the user and then redirect and display an appropriate flash saying "Administrators cannot be deleted"?
public function delete($id = null) {
if (!$this->request->is('post')) {
throw new MethodNotAllowedException();
}
$this->User->id = $id;
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
if ($user['User']['group_id'] == 1) { //Check user group
$this->Session->setFlash(__('Administrators can not be deleted'), 'flash/error');
$this->redirect(array('action' => 'index'));
}
if (!$this->User->delete()) {
$this->Session->setFlash(__('User could not be deleted'), 'flash/error');
$this->redirect(array('action' => 'index'));
}
if ($this->User->delete()) {
$this->Session->setFlash(__('User deleted'), 'flash/success');
$this->redirect(array('action' => 'index'));
}}
You have a typo in your code -- change your = to == ; then your if statement shouldn't be evaluating as true all the time
if ($user['User']['group_id'] == '1')
Session is either a component (part of the Controller layer) or a helper (part of the View layer) -- it is not intended to be used in the Model, nor should it be used in the model, generally. And redirect() is a controller method only. Just have beforeDelete return false, and then in your controller have a check to see if the delete failed (i.e. it returned false), and if so, show your error flash message, and redirect.
I'm trying to access data in my Model for my controller method.
For starters what is the difference between these two???
$post = $this->Post->find('first',array('conditions'=>array('Post.id'=>$id)));
$this->set(compact('post'));
and
$this->Post->id = $id;
$this->data = $this->Post->read();
as I'm trying to compare the user_id for a post against the logged in user like so:
if($this->Post->user_id != $this->Auth->user('id'))
but it doesn't work as intended (it always returns false)... what is the difference between the two code chunks and why doesn't my line above work properly?
test to see if it helps to compare this code "userid":
function index() {
$user_id = $this->data['Post']['user_id'];
if($user_id != $this->Auth->user('id')){
//go
}
}
This is what I ended up with:
$post = $this->Post->find('first',array('conditions'=>array('Post.id'=>Tiny::reverseTiny($id))));
if ($this->request->is('post') || $this->request->is('put'))
{
$this->Post->id = $post['Post']['id'];
if ($this->Post->save($this->request->data))
{
$this->Session->setFlash('Your post has been updated');
$this->redirect(array('controller' => 'posts', 'action' => 'index'));
}
else
{
$this->Session->setFlash('Server broke!');
}
}
else
{
if($post['Post']['user_id'] != $this->Auth->user('id'))
{
$this->Session->setFlash('Not yours!');
$this->redirect(array('controller' => 'posts', 'action' => 'index'));
}
else
{
$this->request->data = $this->Post->read(null, $post['Post']['id']);
}
}
There are differences between find() and read(), read will grab all related model data and set the active record of the model to the result. Whereas a find will just all related model data in a query and assign the result to the variable.
Use debug($this->data) to reveal the structure of your returned data. You will find it is $this->data['Post']['user_id'] for the User ID.
i research about mvc and n-tier architecture different. but i can't understand how model pass data to view in mvc?
for example in cakephp I have an controller and action like this:
function edit($id = null) {
if (!$id && empty($this->data)) {
$this->Session->setFlash(__('Invalid user', true));
$this->redirect(array('action' => 'index'));
}
if (!empty($this->data)) {
if ($this->User->save($this->data)) {
$this->Session->setFlash(__('The user has been saved', true));
$this->redirect(array('action' => 'index'));
} else {
$this->Session->setFlash(__('The user could not be saved. Please, try again.', true));
}
}
if (empty($this->data)) {
$this->data = $this->User->read(null, $id);
}
$groups = $this->User->Group->find('list');
$this->set(compact('groups'));
}
in this section:
if (!$id && empty($this->data)) {
$this->Session->setFlash(__('Invalid user', true));
$this->redirect(array('action' => 'index'));
}
we check that id passed or not. if have not be set we redirect user. than:
if (!empty($this->data)) {
if ($this->User->save($this->data)) {
$this->Session->setFlash(__('The user has been saved', true));
$this->redirect(array('action' => 'index'));
} else {
$this->Session->setFlash(__('The user could not be saved. Please, try again.', true));
}
}
if submitted data from view we update row in db. then :
if (empty($this->data)) {
$this->data = $this->User->read(null, $id);
}
$groups = $this->User->Group->find('list');
$this->set(compact('groups'));
and if id have been set and if not data submitted its mains the page early opened and data in relation this id will be read from db and displayed in view.
now I can't understanding how and where model pass data to view in this cakephp's standard mvc????
thanks for help.
Models do not send data to the view. controllers do, by calling the set method. controllers use models to get data from database and then send it to the view:
$this->set('myVariable','myValue');
or you can use compact to send complex data at once like in your example:
$groups = $this->User->Group->find('list');
$this->set(compact('groups'));