CakePHP - restrict editing your own "data"

I am currently using the Auth component to log in / out - the ACL is defined for sorting between user groups (guests, users, administrators) with the obvious limitations: the administrator can access everything, the user can only access editing in the users controller, and the guest can only see display / index / view, etc.

Now, to prevent users from editing another user, I have a function called isOwner(), which basically checks whether you are trying to edit your own profile, and also checks whether it is an administrator trying to edit. If the user is the owner of the content they are trying to edit, it allows them to; otherwise it redirects with a flash message.

After reading http://book.cakephp.org/view/1245/Defining-Permissions-Cake-s-Database-ACL I wondered whether this can be defined in the ACL?

Something along the lines of:

$this->Acl->allow(array('model' => 'User', 'foreign_key' => $id), 'Users', 'edit', $id) 

Although I have not dug deep enough, I assume that I will need to do something like a beforeSave() with the above line for each newly registered user, in order to allow them to edit their own profile.

+4
2 answers

[I decided to post this as an answer because it contains code examples]

You can create a component (or function) and use the beforeFilter() callback in app_controller, so you do not need to manually add the function to all controllers.

You can also use several prefixes for actions (see Routing.prefixes in core.php); this will simplify access control. Something like:

[app_controller.php]

    function beforeFilter() {
        // Only admin-prefixed actions are guarded here; the rest go through normal Auth/ACL checks
        if (isset($this->params['prefix']) && $this->params['prefix'] == 'admin') {
            // Deny unless the user is an administrator or the owner of the record
            // (the original used ||, which would have required the user to be both)
            if (!$this->isAdmin() && !$this->isOwner()) {
                $this->cakeError('error404');
            }
        }
    }

[users_controller.php]

    function admin_edit($id = null) {
        ... // edit as usual
    }

On the LAMP stack, your bottleneck is usually the database.

My problem with Cake is the number of queries it makes. I once saw that my "contact" page made 21 queries, only to get the data structure and permissions for that public page.

The only way to justify using an ACL for data access is when permissions are dynamic, that is, "user number 29 can edit user number 12 because the administrator allowed it in the back office". But if you have static rules for data access (for example, "users can edit their own information, and administrators can edit everything"), it is pointless to run queries when you already know the answers, because these rules will not change over time.

So it all depends on your application. Finally, one last thought: if you are still planning on making more queries :P, you can set the authorization method on the Auth component. But using the ACL component for this seems like a bad idea to me.

Cheers!

+2
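The "static rules" approach from this answer, wired into the Auth component's Controller authorize handler so it runs once per request without any ACL queries. This is an added example for CakePHP 2.x, not the answer's own code; it assumes a users.role column holding 'admin' or 'user', and that every other model owns its rows through a user_id column.

```php
<?php
// app/Controller/AppController.php -- added example for CakePHP 2.x, not the answer's code.
// Assumptions: users.role holds 'admin' or 'user'; other models own rows through a user_id column.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        // 'Controller' authorize makes AuthComponent call $this->isAuthorized($user) for every
        // logged-in request; actions opened with $this->Auth->allow() never reach it.
        'Auth' => array('authorize' => array('Controller')),
    );

    // Actions that touch a single row and therefore need the ownership check.
    protected $instanceActions = array('view', 'edit', 'delete');

    public function isAuthorized($user) {
        // Static rule 1: administrators may do everything. No ACL query needed.
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }
        $action = $this->request->params['action'];
        if (!in_array($action, $this->instanceActions, true)) {
            // Collection-level actions (index, add): any logged-in user; tighten per controller if needed.
            return true;
        }
        $id = isset($this->request->params['pass'][0]) ? $this->request->params['pass'][0] : null;
        // Static rule 2: ordinary users may only touch rows they own.
        return $this->isOwner($id, $user['id']);
    }

    // One primary-key lookup on the controller's default model decides ownership; the owner
    // comes from the database, never from the request, so a forged user_id in POST data is ignored.
    protected function isOwner($id, $userId) {
        if ($id === null) {
            return false;
        }
        $Model = $this->{$this->modelClass};
        // The User model owns itself through its primary key; everything else through user_id.
        $ownerField = ($Model->alias === 'User') ? $Model->primaryKey : 'user_id';
        $owner = $Model->field($ownerField, array($Model->alias . '.' . $Model->primaryKey => $id));
        // field() returns false when the row does not exist; treat that as "not the owner".
        return $owner !== false && (string)$owner === (string)$userId;
    }
}
```

The same isOwner() also serves the admin-prefix beforeFilter() shown above, so the rule lives in one place.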

Well, it's almost 4 years later, but for those who, like me, stumble upon this while exploring the Acl solution for a CakePHP application: the short answer is yes, it is possible, but it must be carefully planned. If you really need this level of Auth, there is really no alternative to the Cake ACL implementation, which at least is sound (without getting into criticism...). Note: this applies to stable version 2.4:

Essentially, the solution is to replace the call to isOwner() in your code with $dbAcl->check($user, $entity, $action), which does a lookup in your db ACL structure - see http://api.cakephp.org/2.4/class-DbAcl.html .

There is more to it than that, of course. CakePHP does not provide you with a turnkey solution for this type of entity-level authentication. It provides you with a toolbox that you can use to build it:

  • DbAcl to query the db ACL structure.
  • AclBehavior. The models of the entity classes to which you want to apply entity-level authorization must load the Acl behavior. This automatically creates and deletes the entity-level ACO / ARO, taking care of everything. See http://api.cakephp.org/2.4/class-AclBehavior.html .
  • Controller-level authorization using Controller::isAuthorized(). Here you will call DbAcl::check(). See http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#authorization . You can also do this from a custom authorization module if you want.
  • You still need to complement this with the CRUD or Actions Authorize component. It's important to understand that there are 2 implicit action / endpoint subclasses in a CakePHP controller by default: those that act on the controller itself (add, index) and those that act on an entity of the entity class the controller represents (edit, view, delete). This is similar to class vs instance methods. The type of authorization described applies only to the endpoints that act on an entity. You fall back to Action / Crud auth for the rest.
  • You will obviously need a User model.

Note that there are two good tutorials at the end of the Cake documentation on the ACL - http://book.cakephp.org/2.0/en/tutorials-and-examples . They do not cover this type of setup explicitly, but given the concepts covered plus DbAcl, you should be able to find your own way.

0
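Putting this answer's pieces together for one entity: AclBehavior keeps an ACO per row, Controller::isAuthorized() calls the ACL for the instance-level actions and falls back to the action ACO path for the collection-level ones, and the creator is granted rights on the new row with the allow() call the question asked about. This is an added example for CakePHP 2.4, not the answer's code; it assumes a Post model with a user_id column, the User model acting as ACL requester (as in the Cake ACL tutorial), Acl.classname set to DbAcl in core.php, and the aros / acos / aros_acos tables in place.

```php
<?php
// Added example for CakePHP 2.4 (not the answer's code). Assumes a Post model with a user_id
// column, Configure::write('Acl.classname', 'DbAcl') in core.php, and the aros/acos/aros_acos tables.
App::uses('AppModel', 'Model');
App::uses('AppController', 'Controller');

// app/Model/Post.php: AclBehavior in 'controlled' mode keeps one ACO row per Post automatically.
class Post extends AppModel {
    public $belongsTo = array('User');
    public $actsAs = array('Acl' => array('type' => 'controlled'));

    // Required by AclBehavior; null places every Post ACO directly under the root.
    public function parentNode() {
        return null;
    }
}

// app/Controller/PostsController.php
class PostsController extends AppController {
    public $components = array('Acl', 'Auth' => array('authorize' => array('Controller')));
    // Actions that act on one Post row (the "instance methods" of the answer's analogy),
    // mapped onto the CRUD permission names DbAcl uses.
    protected $instanceActions = array('view' => 'read', 'edit' => 'update', 'delete' => 'delete');

    public function isAuthorized($user) {
        $action = $this->request->params['action'];
        $aro = array('model' => 'User', 'foreign_key' => $user['id']);
        if (!isset($this->instanceActions[$action])) {
            // index/add act on the controller itself: decide them with the usual action ACO path.
            return $this->Acl->check($aro, 'controllers/Posts/' . $action);
        }
        $id = isset($this->request->params['pass'][0]) ? $this->request->params['pass'][0] : null;
        if ($id === null || !$this->Post->exists($id)) {
            return false;   // unknown row: deny rather than let DbAcl resolve a missing node
        }
        // Entity-level check: this replaces the question's isOwner() with a DbAcl lookup.
        $aco = array('model' => 'Post', 'foreign_key' => $id);
        return $this->Acl->check($aro, $aco, $this->instanceActions[$action]);
    }

    public function add() {
        if ($this->request->is('post') && $this->Post->save($this->request->data)) {
            // The row's ACO exists now (AclBehavior created it in afterSave); grant the creator all
            // CRUD rights on it. Sharing with another user later is the same call with another ARO.
            $this->Acl->allow(
                array('model' => 'User', 'foreign_key' => $this->Auth->user('id')),
                array('model' => 'Post', 'foreign_key' => $this->Post->id),
                '*'
            );
            return $this->redirect(array('action' => 'index'));
        }
    }
}
```

Each instance-level request costs the ARO/ACO node lookups plus the permission query, which is the trade-off the previous answer warns about; the static isOwner() check is the cheaper choice when the rule never changes.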
