restricting aro scope in cakephp - cakephp

Ok, I'll preface this by saying i'm a noob to cake and ACL, and MVC architecture. I'm following a cakephp tutorial from its site, http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/part-two.html. I understand the content of the tutorial, but wonder about the easiest way to take this simple group based ACL to the next level. I've searched SO to no avail. So, on with the question.
Lets take a slightly modified version of the function in the above tutorial, for example. It simply sets up ARO permissions for ACOs.
There are many districts, and many departments, all with many users, in each.
relationships are as follows:
A district hasMany Departments -- one to many.
A district has many users, and users can potentially have many districts(so long as they belong to a dept in that district).
A department hasAnBelongsToMany Users -- many to many.
public function initDB() {
$group = $this->User->Group;
//Allow admins to everything
$group->id = 1;
$this->Acl->allow($group, 'controllers');
// issue 1) allow district managers to districts, departments, users
$group->id = 2;
$this->Acl->deny($group, 'controllers');
$this->Acl->allow($group, 'controllers/Districts');
$this->Acl->allow($group, 'controllers/Departments');
$this->Acl->allow($group, 'controllers/Users');
//issue 2) allow department managers to edit departments and users
$group->id = 3;
$this->Acl->deny($group, 'controllers');
$this->Acl->allow($group, 'controllers/Departments');
$this->Acl->allow($group, 'controllers/Users');
//we add an exit to avoid an ugly "missing views" error message
echo "all done";
exit;
}
Ok, so these permissions being set-up, although it's definitely convenient, really solve a small part of the problem. As it stands, I've really only prevented the department admins from performing district level functions. Both district admins and dept admins can perform user CRUD without restrictions
What i'd like to do, is limit the scope of each of the admin types USER CRUD to only those users residing within their department or district. for example, Department Admin Foo can't delete another Dept Admin's Users, and Dist Admin Bar can't change all of another Dist Admin's Users first names to nancy.
lol. I'm seriously at a loss with how to accomplish this.
I guess one approach would be get an administrators rank, dist admin for example, then figure out in which district he is a user. lastly, return all of the users in this district into a variable $userScope. Again, I am new to cake php and would be unsure of how to carry out the this proposal, even if it were a good idea and the best way to handle this. Any suggestions?? Thanks in advance!!!
edit: helpful answer, #nicolae.
however, it still seems that i could write a function that returns all users that any given admin(of any given aco) is permitted to edit. is seems this way to me because i'm assuming the admin, him/herself to be a part of the returned user base. for example, dist admin of dist 9, resides in dist 9; likewise, dept admin of dept 1, resides in dept 1.
could i write something like:
public getUserScope(){
$id = $this->Auth->user('id');
$dept = $this...
$dist = $this...
$access_level = $this->Session->read('Auth.User.group_id');
if($access_level == 3){
//get all users in this user's dept
} elseif($access_level == 2) {
//find all users in this user's dist
} elseif($access_level == 1) {
//find all users
}
}
ouch. granted all of the join tables involved in bringing this info together, this is bound to look like medusas hair when actually typed up. can you see my line of logic. this is a bit difficult for me to articulate. let me know if i should clarify anything further.

So you're trying to set up an ACL system that manages restrictions based on more than group ID and controller/action - you need department- and district-based restrictions.
As far as I know, the embedded ACL system in CakePHP can not manage this level of restrictions.
As a solution, I recommend you allow the users to the places they need to access (e.g. dept admins have ACL access to the user CRUD interface) and insert specific restrictions in the controller.
function editUserFromDepartment($userId = NULL) {
// Custom ACL check
if (! $this->__checkDepartmentByUserId($userId)) {
// Show the user a custom error message and redirect him to index page
}
// User editing code ...
}
function __checkDepartmentByUserId($userId) {
$dept = $this->Department->getByUserId($userId);
// Check if the current user belongs to this department
$currentUserDepartmentId = $this->Session->read('Auth.User.department_id');
return ($dept['Department']['id'] != $currentUserDepartmentId);
}
Good luck and let me know if my explanation was clear enough.
Nicolae
Edit (trying to answer to #Todd's edit):
I get your point.
Your code aims at obtaining all users of that the current user has access of.
Rather than that, I would have an event-based approach: when the user X tries to be edited, perform a query that finds if Auth.User is allowed to perform this action on user X.
E.g. You (Todd) are trying to edit my profile (NicolaeS) to change my employee ID, as my current one is wrong.
The function $this->getUserScope('user-ID-of-NicolaeS') will check if your department ID or district ID is the same as main and allow/disallow you to continue in your actions according to this check.
Does this look clear/straightforward enough?
Greets,
Nicolae

Related

Is there a way to assign a List to a field?

I know the question seems weird but hear me out...
Say I have a group of users called Managers.
List userList = [Manager1, Manager2,Manager3,...,ManagerN]
And I wanted to assign one of these managers to a record using a round robin which uses a modulus to determine the count.
integer count = 0;
integer userModulus = Math.round(Math.mod(Count, userList.size()));
count++;
Then use this value to return the index of the list like userList[userModulus] right?
Originally I planned to use custom metadata types to house the lists with the intent of managing these custom metadata lists by screen flow... but on implementation I don't see this being realistic.
Is there a way to store this list of users in a field, or some other kind of structure where it can be maintained by managers or other non-admin users?
There are code-free ways to do it, see https://help.salesforce.com/s/articleView?id=sf.essentials_round_robin_lead_assignment.htm&type=5
Or ready pieces of code you can get inspired with: https://gist.github.com/eskfung/f342b47ecc0849deb0cb
Many ways to achieve this. You could have a field on the User (picklist? checkbox? being assigned a special Role?) and then
List<User> users = [SELECT Id, Name
FROM User
WHERE IsActive = true AND UserRole.Name = 'Sales Manager'
ORDER BY Name];
Bit crude but should get the job done.
You could also add them to a public group or queue? Queues should be pretty close to normal owner assignment functionality anyway. And then you'd query all group/queue members. Queues are a type of group so it'd sit in same table: Group, GroupMember
SELECT Id, Name, Type
FROM Group
WHERE Type IN ('Regular', 'Queue')
SELECT Id, Name
FROM User
WHERE Id IN (SELECT UserOrGroupId FROM GroupMember WHERE Group.Name = 'MyGroup' AND Group.Type = 'Regular')
It's bit simple, it assumes people are directly assigned to the group. In reality groups/queues often consist of other groups, roles, roles+subordinates, not just manually assigned individuals... You'd need to keep querying the GroupMember records till you exhaust the tree.
Still, should be enough to get you started?

Drupal 7: Using Rules to add user to OG then assign OG role

The idea is to accomplish the following when a new user is added:
Create a new group (OG)
Save it
Add user to saved group (OG)
Assign group role (OG)
I am using Rules with Organic Groups. All is fine apart from assigning the group role. I know you can add general system roles but does anyone know how to assign a group (OG) role programmaticaly so it happens automagically?
Any help much appreciated
I use the following custom php action on a rule, to add user to group and assign OG role.
OG role numbers appear to be in order of OG roles, as viewed through admin/config OG entries.
global $user;
// Load the user we want to add to the group
$account = user_load($user->uid);
// Add the user to the group - hard code group 18 which is my group as cant
// get PID from Ubercart order, to pull gid from nid. User, current user, active,
// etc., all default in 2nd array() param to og_group.
og_group(18);
// Changes the users role in the group (1 = non-member, 2 = member, 3 = administrator member, 4 = Forum Administrator)
og_role_grant(18, $account->uid, 2);
Note, OG role 4 (forum administrator) is a custom OG role I created. Also, 'member' (2) is the default, I believe, but I put this in so I'd remember how to allocate other OG roles if I needed to in future.
I'm not a php guru unfortunately, and I still havent worked out how to pull the pid from the node of the Ubercart product ordered so I can get its gid and hence not hard code the gid of 18.
Hope the above code snipped (og_role_grant mainly) works for you as a rule action custom php code snippet (remember not to include the php tags at top and bottom as rules does this for you).
If you have any thoughts on my problem of getting the gid of the ordered ubercart product, as above, please feel free to share. :)
Best wishes
There is a proposed Organic Group patch that add this functionality to the Organic Group Rules integration.
You can find the patch here: https://drupal.org/node/1327326
It adds Grant and Revoke role actions.
You can use og_role_grant($group_type, $gid, $uid, $rid) to assign a role to a user into an organic group programmatically.
To use this with rules, you can define a custom action using hook_rules_action_info() .

CakePHP Access Allocation on Role Based specific Data Access

My project requirement is something like this:
On Top, there will be Administrator, who will have all d access, first level
Under Administrator, there will be Department Heads, who will have all d access, apart from Creating Department Heads
Under Department Head, there will Other Members, who will be managing their allocated department wise data.
Now, all different department heads will have their own information and members, and all department heads / Members will have access to their own specific records, which they are entering / managing.
Now, with CakePHP's ACL Component, I can divide the roles and their access level, but all department heads can see the other department head's information, as they will have same level of access, and All Other Members can see the other members information on diff departments, as of they will have same level of access.
My project complexity is that - they should be visible only their assigned or created information / data, though they have same level / role assignments as of others.
Can anyone suggest me best suitable option, to manage all these things with already available plug-ins with CakePHP.
I can work by customizing the default ACL Component, but that will take some more amount of time, than what is expected.
Any better ideas / suggestions would be appreciated !
the way i see it, ACL is not that magical. For exemple: ACL could manage the permissions to tell who has access to add/edit/remove a product.. but it wont be able to change a query to filter the products accordingly to the defined permissions (like "users from department A can only see products from department A").. well actually that's a lie, ACL could manage that but it might not be practical, because every time you add a product you'd have to create an ACO, and set the permission in the AROS_ACOS table and since the AROS is a tree structure, so it could easily become a nigthmare, if your planning to query your data
I'd use a group-only ACL to control the access to certain pages/actions and make rules like:
"Department Head can access the page
'products list' and add/delete/modify
products"
"Administrators can access
all pages"
"Other users can access
'products list' and they can add
products but not delete them"
and i'd adjust my queries accordingly to the connected user, so in the controller of 'products list' page, i'd do something like:
If connected user blongs to Department Head then select all products where product.department_id=connected_user.department_id
If connected user is Admin then select all products
if you have too much queries and you dont want to do thousands of if's sentences, you could create a component, a behavior or maybe extend the find() method in the app_model. The idea is to catch all queries and check if one of the models used on the query have field called "department_id", if they do then add the model.department_id=connected_user.department_id condition to the query.
I did that for one website that can be seen in multiple languages and each language has it's own users, data, logs, etc., and there's one Admin that can see all the info.. and it's working great for me =)
Good Luck!
EDITED:
the behavior i use is:
<?php
class LocalizableBehavior extends ModelBehavior {
/**
* Filter query conditions with the correct `type' field condition.
*/
function beforeFind(&$model, $query)
{
/**
* Condition for the paginators that uses joins
*/
if(isset($query['joins']) && !empty($query['joins'])){
foreach($query['joins'] as $key => $joinTable){
if(ClassRegistry::init($joinTable['alias'])->hasField('lang')){
$query['joins'][$key]['conditions'][] = $joinTable['alias'].".lang = '".$_SESSION['lang']."'";
}
}
}
/**
* condition for the normal find queries
*/
if($model->hasField('lang') && $model->name != "User"){
$query['conditions'][$model->name.'.lang'] = $_SESSION['lang'];
}
return $query;
}
}
?>
it's quite simple really, i change the query to add a condition to match to the current language ($_SESSION['lang']). In the controller all i need to do is to attach the LocalizableBehavior and use find method as usual:
$this->Products->find('all');

Select distinct users with referrals

I have a bunch of Users. Since Django doesn't really let me extend the default User model, they each have Profiles. The Profiles have a referred_by field (a FK to User). I'm trying to get a list of Users with >= 1 referral. Here's what I've got so far
Profile.objects.filter(referred_by__isnull=False).values_list('referred_by', flat=True)
Which gives me a list of IDs of the users who have referrals... but I need it to be distinct, and I want the User object, not their ID.
Or better yet, it would be nice if it could return the number of referrals a user has.
Any ideas?
Took me a long time to wrap my head around this, but I think I finally got it figured out:
affiliates = User.objects.annotate(num_referrals=Count('referrals')).filter(num_referrals__gt=0)
I didn't think I'd be able to use the reverse relationship
referred_by = models.ForeignKey(User, null=True, blank=True, related_name='referrals')
in Count(), nor did I think you could use the annotated value in the filter... that's pretty cool. I still wish you could use GROUP BY without having to annotate stuff (assuming I didn't need the count).

LDAP query for all users in sub OUs within a particular OU

The active directory I have to deal with is laid out as such: the domain contains many OUs. One of these OUs is named "Primary OU". Within this OU are several OUs named with location of global offices (ie "Chicago" "Paris").
Any user account that is an actual flesh and bone person is put into the OU named for the office they work in as their primary OU. Any user account that is an alias, generic account, or otherwise not directly tied to a real person, has the "Primary OU" OU set as their primary OU.
Data-wise, this primary OU distinction is the only thing that indicates which users are real people, and which users are not. There is no group that contains only real people, no indicator in any field that they are real people or not, and making any changes to active directory or any user accounts is strictly forbidden.
My task is writing a query that will only get all actual flesh and bone people.
Unfortunately LDAP is not exactly my strong suit and the only way I've come up with is searching each of these office sub OUs individually and putting all the results together, but there are a lot of offices and it would require a change to the query if any offices were added, which I need to avoid.
Is there a way to query all users within a particular OU's "sub" OUs, but not return any users directly in the parent OU?
Yes, sure - you would need to:
1) Bind to the particular OU
DirectoryEntry myOU = new DirectoryEntry("LDAP://OU=MyOU,......,DC=MyCompany,DC=com");
2) Enumerate all its sub-OU's
DirectorySearcher subOUsearcher = new DirectorySearcher(myOU);
subOUsearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
subOUsearcher.Filter = "(objectClass=organizationalUnit)";
foreach(SearchResult subOU in subOUsearcher.FindAll())
{
// stick those Sub OU's into a list and then handle them
}
3) One-by-one enumerate all the users in each of the sub-OU's and stick them into a global list of users
DirectorySearcher userSearcher = new DirectorySearcher(myCurrentSubOu);
userSearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
userSearcher.Filter = "(objectClass=user)";
foreach(SearchResult user in userSearcher.FindAll())
{
// stick those users into a list being built up
}
4) Return that list
Marc
// Create a new DirectorySearcher that starts at the root.
// You can start it anywhere you want though
// by providing a value in the DirectoryEntry constructor.
DirectorySearcher searcher = new DirectorySearcher(new DirectoryEntry());
// Set the scope to Subtree in order to search all children.
searcher.SearchScope = SearchScope.Subtree;
// Set the filter to only look for Organizational Units
// that have the name you are looking for.
searcher.Filter = "(&(objectClass=organizationalUnit)(name=" + ouName + "))";
// If you are looking for only one result then do the following two things.
SearchResult result = searcher.FindOne();
DirectoryEntry newDir = result.GetDirectoryEntry();

Resources