I'm researching the use of ACL in CakePHP and it's confusing... I haven't understood a thing.
With ACL can I permit or deny the access to a page (that part I get). But, for example, I want to make sure, that user can't modify of another user. Can I do this with ACL or is only for create/update delete into the query?
The project is still at planning stage, therefore I don't have any code to show.
The CakePHP acl is action base, that means if you have create , delete , edit ,... actions for articles controller, you can allow or deny it to any one, but you can not specify(allow/deny) to any event in actions.
If you have many events in your action, for example in edit action of articles controller you have publish , file upload , image upload ,... events,So you can't handle this events with native acl system, you must handle it by your own code.
Related
I have a project which includes admin and user section. Both section use the same controllers, just different functions and templates (ex: viewAdmin() and viewUser()). In function beforeRender() of every controllers, I set variable $admin as true for admin functions and false for user functions.
For authentication, I use Shibboleth. Shibboleth uses data from LDAP, while user types were saved in SQL-Database, that means while it can check if the login and password are false, it can't check if the user is admin or not. An user can go to ADMIN section as long as they use the right action (ex: go to the link http://example.com/tool/viewAdmin).
To prevent this, I will have to:
Load model Users
Compare the environment variable uid (login name) with the "login" columns in Users table in my SQL-Database
See the "type" column in Users table to know if user is admin or not.
Compare the result with value of $admin and redirect to an error page when necessary.
The problem is: I don't want to repeat those steps for EVERY controllers.
Currently I have 2 ideas:
Write a function in UsersController, and use it in every controllers.
Create a component and load it in every controllers.
Both methods require me changing code in all controllers. I would like to hear a better way with less work, perhaps by changing app.php or bootstrap.php.
Any suggestion is appreciated.
To share methods in CakePHP controllers you can do:
Create component and include in controller
Or create method in AppController and use it in child controllers
Or PHP way create Trait.
But when you authorize users, then all user data is stored in session, incl. is user roles (example admin, regular, member,.. )
Use the official CakePHP authentication plugin and extend the LDAP adapter with the additional code check you need. This is very easy to do and also a very clean way of solving the problem. Disclaimer: I'm one of the authors of the authentication plugin. https://github.com/cakephp/authentication
Or if you want to stay agnostic to any framework, use my library that is based on the authentication plugin and was decoupled from any framework but still works just nice with Cake https://github.com/Phauthentic/authentication.
I am using Phalcon as my framework of choice. I have hit a bit of a road block when it comes to structuring my website. I would like to use ACL to manage permissions to my website. But it seems ACL does not allow my to set permission values for 'parameters'.
Say I am creating a website that has user created 'groups' which only users with the correct permissions (set in the ACL) can view.
It might work something like this: website.com/groups/view/MyGroup
Group being the controller, view being the action and "MyGroup" being the parameter for the action defining which group to view.
I can only set the access permission for the groups controller or view action. Not the parameter.
Ideally, I'd use the database adapter for ACL and I would create a new user group for every group created in my app. I could have hundreds of groups, each with own set of users. I can reuse the 'groups' controller code for every group, because we always use the same controller/actions, except we point to different groups by changing the parameter.
How could I achieve this using Phalcons ACL library ? Maybe I need to structure things differently?
Phalcons ACL is based on 'Resources', in which a Resource can technically be anything you desire, you're not limited to controllers only.
http://docs.phalconphp.com/en/latest/api/Phalcon_Acl.html
I want to provide specified actions for different role in Symfony 1.4 project.
Project contains several database tables which values can be modified only by certain roles.
For example, an administrator gains access to CRUDs for all models.
Another role (let it be a consultant) can only retrieve (not modify or remove) results from specified models (not all).
How can I support such a feature in symfony?
I assume that roles for the project will be specified in advance.
One solution I was thinking about is creating modules and actions for each role separately (crud panels + one logging interface), but it sounds like a huge job.
Just wondering what the smarter way is.
I think the best way to achieve that is definitively credentials (it is for sf1.2 but ok for 1.4).
I recommend you to use sfGuardDoctrine to use some groups with associated permissions (which are credentials). You define a group admin, consultant, etc .. You associate some credentials, like modifiy, remove, create, edit, etc ..
And then, every time a user will log in, it will automatically have defined credentials (associated to him or by his group).
After, you have to check for every action if the user has can perform it:
if($this->getUser()->hasCredential('modify'))
{
// authorized action
}
Here is some more documentation for sfGuard (related to sf1.0 but it is good to understand how it works).
hi I am developing custom component in joomla 1.7 I want to restrict user task based on user groups. I have created table and saved all the controller names and tasks and saved the permissions for the previous tasks with user group id. In central com_component.php file I check the user permissions and authorized the taks with controller. This is working really well. What I want to know is can I use addACL() or authorized() functions to do this which is I really don't understand correctly. Bcoz Here I want use both controller and task together.
Developing a component with the Access Control List is described on Joomla! documentations in detail (link). I think the first thing to do is follow the instructions described there. There is even sample code that you can download and use.
The plugin 'GroupJive' for the Community Builder component has ways to do what you are looking for. I would look to that project at least for a guideline. I will be digging into a similar challenge this weekend and if I find code without the need for the component I will let you know.
I've been working on a CRM for about 5 months and we are about to launch it, I am having an exhausting problem with Cake's ACL. I understand the concepts to a degree. The problem I'm having is with CRUD permissions in the ARO_ACO join table. As I understand it, I create permissions on a given controller/action. That alright, but I don't understand why denying just even one node out of the CRUD portion of the ARO_ACO table, completely denies the user access. I have more than 200 controller actions, this would seem like a complete waste of time, if I were to set up permissions across the board and have to deny access that deeply.
Since every action has a record, why would a "delete" action have CRUD on that action?
Example:
1;17;1;"1";"1";"1";"1" << full access to admin group on all controllers.
15;19;14;"-1";"-1";"-1";"-1" << deny delete action on just one controller
Unfortunately that is how Cake is. I had a similar issue and ended up fixing my ACL problem using the Alaxos ACL plugin. At first, it was a little troublesome, but after a few attempts I got it to work.
Check it out here...