Delete ARO nodes programmatically in CakePHP - cakephp

I've got a simple ARO/ACO set up with simply all my users as AROs and all my Modules as ACOs and the ARO_ACOs table holds the permission rights.
This works great, except when I delete a User, I'd like to be able to clean up the ARO_ACOs and ARO tables by removing any entries associated with the ARO related to the user.
How do I go about this? The documentation is not helpful at all!

Using the ACL behavior? No action required
Assuming the acl behavior is in use, there's no need to do anything as it automatically deletes acl records for aros/acos, which will also delete the permission records at the same time.

Related

Cakephp ARO lft and rft generation

Working on a SSO plugin and having issues for the SSO users. I have added them to a role that local users use but it's not working. The issue I believe is that I do not have anything in the aros table, the lft and rght, for the SSO user. I believe this is why it's not working but not sure. Could someone help me understand how I can generate those or just what they are used for? Most documentation is really limited. Thanks
The lft, rght values are for MPTT. If you don't have proper values for those fields CakePHP won't be able to properly traverse the records of the table (using TreeBehavior).
Remove the records you added by hand and instead use ACL Shell to add the records.
In general TreeBehavior::recover() can be used to fix the lft, rght values.
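How the lft/rght values relate to the parent links, and why a hand-inserted row without them is invisible to a tree lookup, shown as an added example in plain PHP (not CakePHP's TreeBehavior code and not part of the original answer). The function names `renumber` and `pathTo` and the `sso_user` row are hypothetical.

```php
<?php
// Added example: simplified model of MPTT numbering, not CakePHP's TreeBehavior code.
// Constructed sample rows shaped like the aros table; sso_user is a hypothetical hand-inserted row.
$aros = [
    1 => ['parent_id' => null, 'alias' => 'Groups',   'lft' => null, 'rght' => null],
    2 => ['parent_id' => 1,    'alias' => 'Users',    'lft' => null, 'rght' => null],
    3 => ['parent_id' => 1,    'alias' => 'Admin',    'lft' => null, 'rght' => null],
    4 => ['parent_id' => 2,    'alias' => 'sso_user', 'lft' => null, 'rght' => null],
];

// Depth-first walk over parent_id links: lft is set on entering a node, rght on leaving it.
function renumber(array &$rows, ?int $parentId = null, int $counter = 1): int
{
    foreach ($rows as $id => $row) {
        if ($row['parent_id'] !== $parentId) {
            continue;
        }
        $rows[$id]['lft'] = $counter++;
        $counter = renumber($rows, $id, $counter);
        $rows[$id]['rght'] = $counter++;
    }
    return $counter;
}

// Ancestors of a node, root first: every row whose [lft, rght] interval encloses the node's.
// A row with NULL bounds cannot satisfy the range comparison, so its path is empty.
function pathTo(array $rows, int $id): array
{
    $node = $rows[$id];
    if ($node['lft'] === null || $node['rght'] === null) {
        return [];
    }
    $path = array_filter($rows, function ($r) use ($node) {
        return $r['lft'] !== null && $r['lft'] <= $node['lft'] && $r['rght'] >= $node['rght'];
    });
    uasort($path, function ($a, $b) { return $a['lft'] <=> $b['lft']; });
    return array_column($path, 'alias');
}

$before = pathTo($aros, 4);   // lft/rght still NULL, as after a manual INSERT
renumber($aros);              // rebuild the numbering from parent_id
$after = pathTo($aros, 4);

echo 'before: ', json_encode($before), PHP_EOL;
echo 'after:  ', json_encode($after), PHP_EOL;
foreach ($aros as $id => $r) {
    printf("%d %-8s lft=%d rght=%d\n", $id, $r['alias'], $r['lft'], $r['rght']);
}
```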

Can ACL allow all, but deny for one?

I've inherited an app that makes heavy use of Cake's ACL -- a component I've never used -- and is configured such that 3 group AROs have access to an entire controller. ACOs exist for each action in the controller, but no permissions are explicitly assigned at the action level.
I've now run into a situation where I need one group to have access to one particular method, but I need to deny it for the other 2 groups. Is there any way to, rather than explicitly assigning permissions for each group to each action, simply indicate that the 2 groups do not have permissions to the one action in question?
Essentially, I want to keep the current "access to everything" default, but override that with a "deny for [this particular action]". I've tried cake bake acl deny GroupName ControllerName actionName, but that doesn't seem to have any impact.
By way of a fairly ubiquitous analogy, I'd like this to behave like Apache's AllowOverride. By default, allow everything to everyone, but deny a given action to a given group. I'm not sure whether that's helpful, but there it is.
Thanks.
This command will grant all your AROs access to your ACOs: cake acl grant RootGroupName RootControllerName all.
Thereafter you can specify the particular actions you would like to deny access to: cake acl deny GroupName ControllerName|AcoActionName AcoActionName|permissions
If your second value after deny was an AcoActionName you would have to use one of the following values for permissions: all, create, read, update, delete.
A small tangent:
This is where I believe the confusion may lie. The structure of your ACL [ACOs and AROs] are simply names of nodes that generally match the structure of your controller/action setup, but can be called any name you would like since the permissions are checked in each action. CakePHP ACLs are organized in a Tree (data structure) and the external nodes can have database level CRUD permissions set.
Here is a sample ACL schema for users and comments.
Aco tree:
---------------------------------------------------------------
[1] controllers (root node)
  [2] Comments
    [3] edit
    [4] add
    [5] delete
---------------------------------------------------------------
Aro tree:
---------------------------------------------------------------
[1] Groups (root node)
  [2] Users
  [3] Admin
---------------------------------------------------------------
Assuming access has been granted globally, all Requestors have access to all Objects. If you would like to deny Users from being able to edit comments once they have submitted them you would run cake acl deny Users Comments edit
Here is a great tutorial on ACLs, particularly the App_Controller code at the end which has a nice snippet that checks permissions for an ACO structure that matches controller/action: User Permissions and CakePHP ACL.
Additionally, the CakePHP Book has a nice snippet to insert all your controller/actions as ACO rules: An Automatic Tool for Creating ACOs
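The "allow everything at the root, deny one action for one group" behaviour described in this answer, as an added example in plain PHP using the sample Aco/Aro trees above. It is a simplified model, not CakePHP's own code: a single value per permission row stands in for the four CRUD columns, the evaluation order is an assumption stated in the comments, and `pathUp` and `check` are hypothetical names.

```php
<?php
// Added example: simplified model of tree-based ACL inheritance, not CakePHP's own code.
// One value per permission row: 1 = allow, -1 = deny, 0 or missing = inherit.

// Parent links for the sample trees (child => parent, root => null).
$acoParent = ['controllers' => null, 'Comments' => 'controllers',
              'edit' => 'Comments', 'add' => 'Comments', 'delete' => 'Comments'];
$aroParent = ['Groups' => null, 'Users' => 'Groups', 'Admin' => 'Groups'];

// Rows corresponding to a global grant at the root plus the single deny from the answer:
// Groups is allowed on controllers, Users is denied on Comments/edit.
$perms = [
    'Groups' => ['controllers' => 1],
    'Users'  => ['edit' => -1],
];

// A node followed by all of its ancestors, most specific first.
function pathUp(array $parent, string $node): array
{
    $path = [];
    for ($n = $node; $n !== null; $n = $parent[$n]) {
        $path[] = $n;
    }
    return $path;
}

// Assumed evaluation order: most specific requester first, then most specific object.
// The first explicit allow or deny decides; if no row matches anywhere, access is denied.
function check(array $perms, array $aroParent, array $acoParent, string $aro, string $aco): bool
{
    foreach (pathUp($aroParent, $aro) as $requester) {
        foreach (pathUp($acoParent, $aco) as $object) {
            $value = $perms[$requester][$object] ?? 0;
            if ($value !== 0) {
                return $value === 1;
            }
        }
    }
    return false;
}

foreach ([['Users', 'edit'], ['Users', 'add'], ['Admin', 'edit'], ['Admin', 'delete']] as [$aro, $aco]) {
    printf("%-5s -> Comments/%-6s : %s\n", $aro, $aco,
        check($perms, $aroParent, $acoParent, $aro, $aco) ? 'allowed' : 'denied');
}
```

Only the Users/edit pair hits the explicit deny; every other pair falls through to the grant inherited from the root nodes.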

CakePHP ACL disable automatic ARO creation

I (finally) got ACL to work properly, based on group permissions. However when I create a new user (Users/add) it automagically.. I mean.. autoinconveniently creates a User ARO..
While this is not really a big problem, I would like my ARO table to stay as clean as possible. Just my groups.
How do I disable the automatic creation of a User ARO object when creating a new user through CRUD?
I had the same problem and, like you, I said to myself "it's not a big deal as long as it's working"... but when I started to have more and more users and when I added new groups, I found that ACL was not working correctly. If you're using group-based permissions, you MUST ONLY have groups in your AROS table.
In brief, the documentation says that you need to add the bindNode() in your Users model if you want a group-based ACL, but what they don't tell you is that for group-based permissions your User model doesn't have to implement the requester behavior and you don't need the parentNode() either. Remove those two and it should be OK.
I added a note on the documentation, I hope it gets published :)
Good Luck

CakePHP confusion over ACL

On the CakePHP website it shows that you would create a users table and a groups table for users and user groups using ACL: http://book.cakephp.org/view/1544/Preparing-our-Application
However most other tutorials e.g. NetTuts shows creating three tables (in addition to the users table) to use ACL: http://net.tutsplus.com/tutorials/php/how-to-use-cakephps-access-control-lists/
What is the difference between the two? Thanks
If you are asking about the extra tables named Acos, Aros and aros_acos:
In both tutorials we need to use these tables. On cakephp.org there is a section called "Initialize the Db Acl tables" where they run a command to create those tables, whereas in NetTuts they show us creating them manually.
Anyway, CakePHP needs 5 tables to run the ACL perfectly. Of those, Acos, Aros and aros_acos are CakePHP-defined tables and Users and Groups are user-defined tables.
CakePHP stores the user permissions as a tree, with Aros (Access Request Objects, meaning users) in a hasAndBelongsToMany relation with Acos (Access Control Objects, meaning actions).

Common permission for groups in Acl-cakePHP

I am using Acl in a new web app.
In my app there are four groups of users.
I have given $this->Auth->authorize = 'actions' so that it will check the permission for actions automatically.
My problem is that some of the actions, such as change password, edit profile, etc., are common to all users.
But now I need to create a record for the permission of each user in the acos_aros table.
This is too annoying.
1) Is there any way to give permission to all types of users with a single allow statement?
2) Is there any way to allow and deny a user by checking whether a parameter is passed or not?
That means I need to give permission to pass a parameter to an action for a specific user. If any other user passes the parameter and tries to access the data, I need to deny them.
Can row-level access control be done with ACL?
Any help will be appreciated.
Thanks in advance :)
If you put a $this->Auth->allow('action1','action2'...) into your beforeFilter() of the controller, access is granted to all users. If you need an ACL-only solution, you have to create a parent aco to which all other acos you want to allow are children. Then grant your users the rights on the parent.
The ACL plugin from the bakery could come in handy, if you already have your ACL tree structure.
For building the ACL tree structure the build_acl() script in the tutorial at the end of the cake-manual is useful.
Allowing to pass the parameter for all users and checking their role in the action is not an option?
The solution for the 2nd problem is here,
but this is not implemented using ACL :(
