Simplified and managed ACL implementation in CakePHP

I went through the full lesson on the CakePHP ACL component, but the giant ACL component doesn't seem to meet my very simple requirements.

I have only group-based access control: the three groups are users, managers and administrators; the fourth is anonymous users without logins, for which I do not create any group.

From the ACL concept it creates three tables:

aros → this looks like redundant data copied from the groups table; I don't even need to have a groups table, just a group_id field in the users table.

acos → this is a list of the public methods in the controllers. I had to use the AclExtras plugin to populate more than 250 actions in the table. This is the part that I consider unmanageable: I noticed that the tool used to populate the acos table cannot synchronize reliably every time I make changes to the controllers, and the same work must be done on the remote site for each change, which is a terrible thing! It also means that I must have a database backup during upgrades and migrations.

On the other side, if I use acos based on a PHP file, that is again not manageable, because we need to keep the controllers and the ACL file synchronized.

aros_acos → obviously

Can we have a simpler mechanism? For example, I deny all actions using the Auth component, and then inside each action, or maybe in the beforeRender method, I indicate which methods are open for which group.

Thanks

1 answer

There is an undocumented ACL class, PhpAcl, that is much easier to use than a database-managed ACL and more dynamic than a variable-access ACL.

In Config/core.php:

    /**
     * The class name and database used in CakePHP's
     * access control lists.
     */
    Configure::write('Acl.classname', 'PhpAcl');
    // Configure::write('Acl.database', 'default');

This tells the ACL to use PhpAcl.

Then open Config/acl.php.

There are good instructions there.

Assumptions:

  1. In your application, you created a User model with the following properties: username, group_id, password, email, firstname, lastname, etc.
  2. You configured AuthComponent to authorize actions through $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'), ...)

Now, when a user (e.g. jeff) is successfully authenticated and requests a controller action (e.g. /invoices/delete) that is not allowed by default (for example via $this->Auth->allow('edit') in the invoices controller), AuthComponent will ask the configured ACL interface whether access is granted. Under assumptions 1 and 2 this is done by calling Acl->check() with

    array('User' => array('username' => 'jeff', 'group_id' => 4, ...))

as the ARO and

    '/controllers/invoices/delete'

as the ACO.

I wanted to use static names for groups or roles, so you could add a role field to your user table and then set up $map as follows:

    /**
     * The role map defines how to resolve the user record from your application
     * to the roles you defined in the roles configuration.
     */
    $config['map'] = array(
        'User' => 'User/username',
        'Role' => 'User/role',
    );

For my application we only use role permissions, not per-user ones, so we can remove User from the $map.

Then you need to configure some roles:

    /**
     * role configuration
     */
    $config['roles'] = array(
        'Role/admin' => null,
    );

Any role not included in this array will receive Role/default.

Now just configure your permissions; they are pretty self-explanatory.

    /**
     * rule configuration
     */
    $config['rules'] = array(
        'allow' => array(
            '*' => 'Role/admin',
            'controllers/Reports/*' => 'Role/default',
            'controllers/EurRates/*' => 'Role/default',
            'controllers/Posts/index' => 'Role/default',
            'controllers/Users/(edit|index)' => 'Role/default',
        ),
        'deny' => array(
            'controllers/ProtectedController/*' => 'Role/default',
            'controllers/EurRates/(edit|add|delete)' => 'Role/default',
            'controllers/Reports/(edit|add|delete)' => 'Role/default',
        ),
    );

With this you can now allow or deny role-based permissions for actions.
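To see how such rules resolve for the asker's three groups, here is an added example that is not part of the answer and not CakePHP's own PhpAcl code: a small checker that mimics PhpAcl's evaluation order (least to most specific pattern, allow before deny at each level) over a constructed rules array; the Invoices controller, the Role/manager role and the function names are assumptions.

```php
<?php
// Added illustration, not CakePHP's PhpAcl source: mimics how PhpAcl resolves
// $config['rules'] by evaluating matching patterns from least to most specific,
// 'allow' before 'deny' at each level, so a narrower deny beats a broader allow.
// Roles and paths are constructed for the question's groups (Role/admin,
// Role/manager; ordinary users fall back to Role/default).
$config['rules'] = array(
    'allow' => array(
        '*'                                 => 'Role/admin',
        'controllers/Invoices/*'            => 'Role/manager',
        'controllers/Invoices/(index|view)' => 'Role/default',
    ),
    'deny' => array(
        'controllers/Invoices/delete'       => 'Role/manager',
    ),
);

// '*' stands for one path segment (so a bare '*' covers every ACO) and the
// pattern may use alternation such as "(edit|index)", as in acl.php.
function ruleMatches($pattern, $aco) {
    $regex = '#^' . str_replace('*', '[^/]*', $pattern) . '(/|$)#';
    return (bool)preg_match($regex, $aco);
}
// Default policy is deny. Matching rules are bucketed by depth (number of '/'
// in the pattern) so the most specific node is evaluated last and wins.
function checkAccess(array $rules, $role, $aco) {
    $byDepth = array();
    foreach (array('allow', 'deny') as $kind) {
        foreach ($rules[$kind] as $pattern => $roles) {
            if (ruleMatches($pattern, $aco)) {
                $byDepth[substr_count($pattern, '/')][$kind][] = array_map('trim', explode(',', $roles));
            }
        }
    }
    ksort($byDepth);
    $allow = false;
    foreach ($byDepth as $node) {
        foreach (array('allow' => true, 'deny' => false) as $kind => $verdict) {
            foreach (isset($node[$kind]) ? $node[$kind] : array() as $roles) {
                if (in_array($role, $roles, true)) {
                    $allow = $verdict;
                }
            }
        }
    }
    return $allow;
}
var_dump(checkAccess($config['rules'], 'Role/admin', 'controllers/Invoices/delete'));
var_dump(checkAccess($config['rules'], 'Role/manager', 'controllers/Invoices/delete'));
var_dump(checkAccess($config['rules'], 'Role/default', 'controllers/Invoices/view'));
```

The three checks show the admin allowed everywhere by the root '*' rule, the manager denied delete despite the broader Invoices/* allow, and an ordinary user limited to index and view.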


Source: https://habr.com/ru/post/1312662/
