Let's say I have User model and Post model. Post model contains field user_id.
User has $hasMany on Post and Post has $belongsTo on User.
I have some post edit action:
PostsController::edit($id) {
if($this->request->isPost())
{
$this->Post->id = $id;
$this->Post->save();
}
$post = $this->Post->read($id);
$this->set(compact('post'));
}
I use AuthComponent to login users.
How can I prevent user from editing some1 else post? Is there any cake build in function/option to do this? Because some1 can login and post edit action with any id. It's not even case of saving the post data - let's say post is private (only owner should see it) - when someone will call posts/edit/some_id it will see the edit form of this post...
The easier way is to just add this at the beginning of edit action:
$this->Post->id = $id;
if($this->Post->readField('user_id') != $this->Auth->user('id'))
{ //trigger error or redirect }
But I would have to add this at the beginning of each action that updates/reads any data that belongs to some user. So I am looking for more elegant way to do this.
Well an exact example ( handily using a Post/User model too ) is available in the cake manual
Everyones a winner!
Well there is no way of avoiding adding a line to check if a user is authorized to perform an action. Even if you use ACL (Access Control Lists), which is one of Cake's most powerful features.
But as you speak of elegance in general, ACLs will be beauty at its best :) Careful though, they've got a steep learning curve. Don't give up easy, its well worth it.
You should see ACLs from the Book http://book.cakephp.org/1.3/view/1543/Simple-Acl-controlled-Application
Related
i am a newbie in programming with cakephp, so i have implemented an simple user-game application. There is an "hasMany" relation between users and game. A game is created exactly by one user. Therefore there is a field in the model of game, named "user_id". I am already using the auth component and it is possible that user can login to the system. Now, i want that user can add games to the model, but the user_id should be added automatically( by acessing to session data). How i can achieve that ?
stannis :)
Now, i want that user can add games to the model, but the user_id should be added automatically( by acessing to session data). How i can achieve that ?
First, I highly recommend you to do the official blog tutorial, because it will cover questions like this for you.
In the controller:
public function add() {
if ($this->request->is('post') {
$this->request->data['Game']['user_id'] = $this->Auth->user('id');
$this->Game->save($this->request->data);
}
}
But this can and definitely should be done better by moving the logic into the model, remember: fat models, skinny controllers. Here is a broken down and short example:
// Controller
public function add() {
if ($this->request->is('post') {
$this->Game->add($this->Auth->user('id'), $this->request->data);
}
}
// Model
public function add($userId, $postData) {
$postData[$this->alias]['user_id'] = $userId;
return $this->save($this->request->data);
}
}
Usually you don't want to access the session directly in a model because it requires you to use a static or singleton call to the auth component or the session object, which we want to avoid as much as we can.
I have a website where all the pages are accessible to the public except for one Releases page which is user specific or maybe to a specific group .I have a seperate login page to gain access to 'Releases' page based on authentication.How do I go about this?Using Acl or Authorize function?I am very confused..Also do i need to use the same users table for authenticating this page, in that case do I use this User login page as an elemnt in my other login page.Could somebody please hint me on how to proceed?
ACL is overkill for many situations.
What I normally do is something like this in my controller:
public function releases() {
$this->_allowedGroups(array(1,2,3));
// rest of code here
}
Then in my app controller:
public function _allowedGroups($groups=array()) {
if( !in_array($this->Auth->user('group_id'), $groups) ) {
$this->redirect(array('controller'=>'users', 'action'=>'login'));
}
}
Acl should do your work.
And is there any specific need that you are using a separate login page??
A single login page and and a single users table should suffice your needs if you implement acl. Only those users who have rights to view the Requests page will be allowed to do so.
you may do something like this..
on core.php, put
Configure::write('Routing.prefixes', array('release'));
and do the verification on the AppController:
class AppController extends Controller{
public function beforeFilter(){
if (isset($this->params['prefix']) and $this->params['prefix'] == 'release'){
if ($this->Session->read("User.type") != 'admin'){
//redirect the user or throw an error...
}
}
}
}
so, youdomain.com/release/* will only be accesible by your administrators...
also, i don't see why you need two logins pages... you could just put a flag on your users table saying if the user is or not an admin... and on the login, set the User.type property on session.
if you don't need of complex permissions control, i think you don't need use ACL.
I have started learning cakePHP and now I am facing the following problem. How can allow my users to change their profile (their info in the DB).
This is my model -> http://bin.cakephp.org/view/798927304 I use these validations when someone tries to register .
This is my method for editing profiles: http://bin.cakephp.org/view/841227800
First I check does the user have the permission to edit this profile (is the profile his own).
Then get the desired id and try to save the request->data... But unfortunately without success.
And last this is my view -> http://bin.cakephp.org/view/1798312426
The only things I want to make are:
-Change their email (if they add new email)
-Change their social profiles (if the add them)
-Change their password (if they add it)
Can you guide me to do these things?
Thanks in advance!
Typically, when you call a save, as in:
$this->User->save($this->request->data)
The data in $this->request->data is cleared by default. In your edit method, you have an if statement below that is using the same save again.
The default functionality which I assume you have copied from a cakebaked edit method typically does the save and uses the returned logic to power that if statement. The second time you call it, you might be getting a false returned, which is likely skipping over that if statement.
To debug this, I suggest several of these in different locations:
debug($this->request->data);
Also, debug printouts are cleared on redirect, so in the mean time, you may want to comment out the redirect inside the if statement like so:
if ($this->User->save($this->request->data)) {
$this->Session->setFlash('Успешно променихте профила си.', 'success_message');
//$this->redirect(array('action' => 'profile'));
}
if($this->Auth->user() && $this->Auth->user('id') == $id) {
$this->User->read(null, $id);
$this->User->set(array(
'email' => $this->data['User']['email'],
'password' => $this->data['User']['password'],
'social_profile' => 'bla bla'
));
$this->User->save();
// etc
may do what you're after.
more # http://book.cakephp.org/view/1031/Saving-Your-Data
I have setup a CRUD area on my frontendAPI.php file (testing my models)... and I even managed to secure it. I would like to do this the proper way... I would like to establish a separate directory/ Page for the Admins. Please advise on this.
Still new at this but I'm trying to do the same for a news page, think i've got the login part working but having problems with the CRUD (will post a question on it shortly) - i have a table to populate with data from an rss feed (but will be manually populated with a CRUD to start with) and then have a page on the front end to pull out the details using views to format each news story.
Create a new directory called /page/Admin
Create a new file here based on the function e.g. news.php containing
class page_admin_news extends Page {
function init(){
parent::init();
$p=$this;
$crud=$p->add('CRUD');
$g=$crud->setModel('News');
if($crud->grid)
$crud->grid->addPaginator(30);
}
}
In Frontend.php, you need to enable the login - for an admin only access, the BasicAuth may be sufficient but there are also classes to use a database to obtain username and password infromation e.g. for a membership site - heres the basic one.
// If you wish to restrict access to your pages, use BasicAuth class
$auth=$this->add('BasicAuth')
->allow('demo','demo')
;
You need to modify Frontend.php to enable pages that can be viewed
without being logged in
$auth->allowPage('index');
$auth->allowPage('news');
$auth->allowPage('links');
$auth->allowPage('About');
if (!$auth->isPageAllowed($this->api->page))
{
$auth->check();
}
And also in Frontend.php, you need to create a different menu if logged in. Note the login and logout pages dont actually exist.
if ($auth->isLoggedIn())
{
$this->add('Menu',null,'Menu')
->addMenuitem('News','admin_news')
->addMenuitem('logout')
;
} else {
$this->add('Menu',null,'Menu')
->addMenuitem('News','news')
->addMenuitem('Links','links')
->addMenuItem('About')
->addMenuItem('Login')
;
}
When you login, it goes to page/index.php by default so if you want it to redirect to a particular page when you log in so you can add this to page/index.php
class page_index extends Page {
function init(){
parent::init();
$p=$this;
if($this->api->auth->isLoggedIn())
$this->api->redirect('admin_news');
Hope that helps.
Trev
I have problem with ACL. I read tutorial from here and here, and now I know how to add permission to some user/group to edit his profile, but then all users can edit each other profile. How I can set permission so user can edit just his own profile, not others, or can I somehow put this code in edit function:
function edit($id = null) {
if ($logedUserId != $id) {
// deny access
return;
}
// edit user
}
Assuming that you are using action-based access control (which it appears as though you are), then unless you have an action named after each profile (which would be completely wrong) you will have to do an additional check within the edit() method to ensure that the profile being edited belongs to the currently logged in user.
So you sort of answered your own question--correctly.