CakePHP Access Allocation on Role Based specific Data Access - cakephp

My project requirement is something like this:
On Top, there will be Administrator, who will have all d access, first level
Under Administrator, there will be Department Heads, who will have all d access, apart from Creating Department Heads
Under Department Head, there will Other Members, who will be managing their allocated department wise data.
Now, all different department heads will have their own information and members, and all department heads / Members will have access to their own specific records, which they are entering / managing.
Now, with CakePHP's ACL Component, I can divide the roles and their access level, but all department heads can see the other department head's information, as they will have same level of access, and All Other Members can see the other members information on diff departments, as of they will have same level of access.
My project complexity is that - they should be visible only their assigned or created information / data, though they have same level / role assignments as of others.
Can anyone suggest me best suitable option, to manage all these things with already available plug-ins with CakePHP.
I can work by customizing the default ACL Component, but that will take some more amount of time, than what is expected.
Any better ideas / suggestions would be appreciated !

the way i see it, ACL is not that magical. For exemple: ACL could manage the permissions to tell who has access to add/edit/remove a product.. but it wont be able to change a query to filter the products accordingly to the defined permissions (like "users from department A can only see products from department A").. well actually that's a lie, ACL could manage that but it might not be practical, because every time you add a product you'd have to create an ACO, and set the permission in the AROS_ACOS table and since the AROS is a tree structure, so it could easily become a nigthmare, if your planning to query your data
I'd use a group-only ACL to control the access to certain pages/actions and make rules like:
"Department Head can access the page
'products list' and add/delete/modify
products"
"Administrators can access
all pages"
"Other users can access
'products list' and they can add
products but not delete them"
and i'd adjust my queries accordingly to the connected user, so in the controller of 'products list' page, i'd do something like:
If connected user blongs to Department Head then select all products where product.department_id=connected_user.department_id
If connected user is Admin then select all products
if you have too much queries and you dont want to do thousands of if's sentences, you could create a component, a behavior or maybe extend the find() method in the app_model. The idea is to catch all queries and check if one of the models used on the query have field called "department_id", if they do then add the model.department_id=connected_user.department_id condition to the query.
I did that for one website that can be seen in multiple languages and each language has it's own users, data, logs, etc., and there's one Admin that can see all the info.. and it's working great for me =)
Good Luck!
EDITED:
the behavior i use is:
<?php
class LocalizableBehavior extends ModelBehavior {
/**
* Filter query conditions with the correct `type' field condition.
*/
function beforeFind(&$model, $query)
{
/**
* Condition for the paginators that uses joins
*/
if(isset($query['joins']) && !empty($query['joins'])){
foreach($query['joins'] as $key => $joinTable){
if(ClassRegistry::init($joinTable['alias'])->hasField('lang')){
$query['joins'][$key]['conditions'][] = $joinTable['alias'].".lang = '".$_SESSION['lang']."'";
}
}
}
/**
* condition for the normal find queries
*/
if($model->hasField('lang') && $model->name != "User"){
$query['conditions'][$model->name.'.lang'] = $_SESSION['lang'];
}
return $query;
}
}
?>
it's quite simple really, i change the query to add a condition to match to the current language ($_SESSION['lang']). In the controller all i need to do is to attach the LocalizableBehavior and use find method as usual:
$this->Products->find('all');

Related

Is there a way to assign a List to a field?

I know the question seems weird but hear me out...
Say I have a group of users called Managers.
List userList = [Manager1, Manager2,Manager3,...,ManagerN]
And I wanted to assign one of these managers to a record using a round robin which uses a modulus to determine the count.
integer count = 0;
integer userModulus = Math.round(Math.mod(Count, userList.size()));
count++;
Then use this value to return the index of the list like userList[userModulus] right?
Originally I planned to use custom metadata types to house the lists with the intent of managing these custom metadata lists by screen flow... but on implementation I don't see this being realistic.
Is there a way to store this list of users in a field, or some other kind of structure where it can be maintained by managers or other non-admin users?
There are code-free ways to do it, see https://help.salesforce.com/s/articleView?id=sf.essentials_round_robin_lead_assignment.htm&type=5
Or ready pieces of code you can get inspired with: https://gist.github.com/eskfung/f342b47ecc0849deb0cb
Many ways to achieve this. You could have a field on the User (picklist? checkbox? being assigned a special Role?) and then
List<User> users = [SELECT Id, Name
FROM User
WHERE IsActive = true AND UserRole.Name = 'Sales Manager'
ORDER BY Name];
Bit crude but should get the job done.
You could also add them to a public group or queue? Queues should be pretty close to normal owner assignment functionality anyway. And then you'd query all group/queue members. Queues are a type of group so it'd sit in same table: Group, GroupMember
SELECT Id, Name, Type
FROM Group
WHERE Type IN ('Regular', 'Queue')
SELECT Id, Name
FROM User
WHERE Id IN (SELECT UserOrGroupId FROM GroupMember WHERE Group.Name = 'MyGroup' AND Group.Type = 'Regular')
It's bit simple, it assumes people are directly assigned to the group. In reality groups/queues often consist of other groups, roles, roles+subordinates, not just manually assigned individuals... You'd need to keep querying the GroupMember records till you exhaust the tree.
Still, should be enough to get you started?

restricting aro scope in cakephp

Ok, I'll preface this by saying i'm a noob to cake and ACL, and MVC architecture. I'm following a cakephp tutorial from its site, http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/part-two.html. I understand the content of the tutorial, but wonder about the easiest way to take this simple group based ACL to the next level. I've searched SO to no avail. So, on with the question.
Lets take a slightly modified version of the function in the above tutorial, for example. It simply sets up ARO permissions for ACOs.
There are many districts, and many departments, all with many users, in each.
relationships are as follows:
A district hasMany Departments -- one to many.
A district has many users, and users can potentially have many districts(so long as they belong to a dept in that district).
A department hasAnBelongsToMany Users -- many to many.
public function initDB() {
$group = $this->User->Group;
//Allow admins to everything
$group->id = 1;
$this->Acl->allow($group, 'controllers');
// issue 1) allow district managers to districts, departments, users
$group->id = 2;
$this->Acl->deny($group, 'controllers');
$this->Acl->allow($group, 'controllers/Districts');
$this->Acl->allow($group, 'controllers/Departments');
$this->Acl->allow($group, 'controllers/Users');
//issue 2) allow department managers to edit departments and users
$group->id = 3;
$this->Acl->deny($group, 'controllers');
$this->Acl->allow($group, 'controllers/Departments');
$this->Acl->allow($group, 'controllers/Users');
//we add an exit to avoid an ugly "missing views" error message
echo "all done";
exit;
}
Ok, so these permissions being set-up, although it's definitely convenient, really solve a small part of the problem. As it stands, I've really only prevented the department admins from performing district level functions. Both district admins and dept admins can perform user CRUD without restrictions
What i'd like to do, is limit the scope of each of the admin types USER CRUD to only those users residing within their department or district. for example, Department Admin Foo can't delete another Dept Admin's Users, and Dist Admin Bar can't change all of another Dist Admin's Users first names to nancy.
lol. I'm seriously at a loss with how to accomplish this.
I guess one approach would be get an administrators rank, dist admin for example, then figure out in which district he is a user. lastly, return all of the users in this district into a variable $userScope. Again, I am new to cake php and would be unsure of how to carry out the this proposal, even if it were a good idea and the best way to handle this. Any suggestions?? Thanks in advance!!!
edit: helpful answer, #nicolae.
however, it still seems that i could write a function that returns all users that any given admin(of any given aco) is permitted to edit. is seems this way to me because i'm assuming the admin, him/herself to be a part of the returned user base. for example, dist admin of dist 9, resides in dist 9; likewise, dept admin of dept 1, resides in dept 1.
could i write something like:
public getUserScope(){
$id = $this->Auth->user('id');
$dept = $this...
$dist = $this...
$access_level = $this->Session->read('Auth.User.group_id');
if($access_level == 3){
//get all users in this user's dept
} elseif($access_level == 2) {
//find all users in this user's dist
} elseif($access_level == 1) {
//find all users
}
}
ouch. granted all of the join tables involved in bringing this info together, this is bound to look like medusas hair when actually typed up. can you see my line of logic. this is a bit difficult for me to articulate. let me know if i should clarify anything further.
So you're trying to set up an ACL system that manages restrictions based on more than group ID and controller/action - you need department- and district-based restrictions.
As far as I know, the embedded ACL system in CakePHP can not manage this level of restrictions.
As a solution, I recommend you allow the users to the places they need to access (e.g. dept admins have ACL access to the user CRUD interface) and insert specific restrictions in the controller.
function editUserFromDepartment($userId = NULL) {
// Custom ACL check
if (! $this->__checkDepartmentByUserId($userId)) {
// Show the user a custom error message and redirect him to index page
}
// User editing code ...
}
function __checkDepartmentByUserId($userId) {
$dept = $this->Department->getByUserId($userId);
// Check if the current user belongs to this department
$currentUserDepartmentId = $this->Session->read('Auth.User.department_id');
return ($dept['Department']['id'] != $currentUserDepartmentId);
}
Good luck and let me know if my explanation was clear enough.
Nicolae
Edit (trying to answer to #Todd's edit):
I get your point.
Your code aims at obtaining all users of that the current user has access of.
Rather than that, I would have an event-based approach: when the user X tries to be edited, perform a query that finds if Auth.User is allowed to perform this action on user X.
E.g. You (Todd) are trying to edit my profile (NicolaeS) to change my employee ID, as my current one is wrong.
The function $this->getUserScope('user-ID-of-NicolaeS') will check if your department ID or district ID is the same as main and allow/disallow you to continue in your actions according to this check.
Does this look clear/straightforward enough?
Greets,
Nicolae

pull Drupal field values with db_query() or db_select()

I've created a content type in Drupal 7 with 5 or 6 fields. Now I want to use a function to query them in a hook_view call back. I thought I would query the node table but all I get back are the nid and title. How do I get back the values for my created fields using the database abstraction API?
Drupal stores the fields in other tables and can automatically join them in. The storage varies depending on how the field is configured so the easiest way to access them is by using an EntityFieldQuery. It'll handle the complexity of joining all your fields in. There's some good examples of how to use it here: http://drupal.org/node/1343708
But if you're working in hook_view, you should already be able access the values, they're loaded into the $node object that's passed in as a parameter. Try running:
debug($node);
In your hook and you should see all the properties.
If you already known the ID of the nodes (nid) you want to load, you should use the node_load_multiple() to load them. This will load the complete need with all fields value. To search the node id, EntityFieldQuery is the recommended way but it has some limitations. You can also use the database API to query the node table for the nid (and revision ID, vid) of your nodes, then load them using node_load_multiple().
Loading a complete load can have performance impacts since it will load way more data than what you need. If this prove to be an issue, you can either try do directly access to field storage tables (if your fields values are stored in your SQL database). The schema of these tables is buld dynamicaly depedning on the fields types, cardinality and other settings. You will have to dig into your database schema to figure it out. And it will probably change as soon as you change something on your fields.
Another solution, is to build stub node entities and to use field_attach_load() with a $options['field_id'] value to only load the value of a specific field. But this require a good knowledge and understanding of the Field API.
See How to use EntityFieldQuery article in Drupal Community Documentation.
Creating A Query
Here is a basic query looking for all articles with a photo that are
tagged as a particular faculty member and published this year. In the
last 5 lines of the code below, the $result variable is populated with
an associative array with the first key being the entity type and the
second key being the entity id (e.g., $result['node'][12322] = partial
node data). Note the $result won't have the 'node' key when it's
empty, thus the check using isset, this is explained here.
Example:
<?php
$query = new EntityFieldQuery();
$query->entityCondition('entity_type', 'node')
->entityCondition('bundle', 'article')
->propertyCondition('status', 1)
->fieldCondition('field_news_types', 'value', 'spotlight', '=')
->fieldCondition('field_photo', 'fid', 'NULL', '!=')
->fieldCondition('field_faculty_tag', 'tid', $value)
->fieldCondition('field_news_publishdate', 'value', $year. '%', 'like')
->fieldOrderBy('field_photo', 'fid', 'DESC')
->range(0, 10)
->addMetaData('account', user_load(1)); // Run the query as user 1.
$result = $query->execute();
if (isset($result['node'])) {
$news_items_nids = array_keys($result['node']);
$news_items = entity_load('node', $news_items_nids);
}
?>
Other resources
EntityFieldQuery on api.drupal.org
Building Energy.gov without Views

Running a large IN query (searching for users with an ID list) on GAE

I am trying to detect, after a user registers, which friends from Facebook have already registered for my service. My current implementation is very CPU intensive:
for eachFriend in facebookFriends:
friendUser = User.get_by_key_name(eachFriend['id'])
if friendUser:
friendUsers.append(friendUser)
I tried optimizing the query by using the IN operator:
users = User.all().filter('id IN', idList).fetch(10) # the idList is the list of IDs for a users facebook friends
This method fails as the maximum subqueries of the IN operator is 30.
Any tips?
Using an IN operator actually makes your query less efficient: Instead of doing a fast get operation for each friend, you're doing a slow query operation (IN and != filters are broken out into multiple queries on the backend).
Instead, do a single batch fetch for all the matching suers:
friendUsers = User.get_by_key_name([x['id'] for x in facebookFriends])
This returns a list of all friends, with None values for any friends that don't yet exist.
Yeah, you can have each registered user store his friends in a ListProperty so that when I register, you can do an = query on that property to see who has me as a friend. = queries on ListProperties return all entities having the filtered-on value anywhere in the list, and they don't generate subqueries the way IN queries do.
Just be aware of per-entity index limits if some of your users have tons of friends.

Select distinct users with referrals

I have a bunch of Users. Since Django doesn't really let me extend the default User model, they each have Profiles. The Profiles have a referred_by field (a FK to User). I'm trying to get a list of Users with >= 1 referral. Here's what I've got so far
Profile.objects.filter(referred_by__isnull=False).values_list('referred_by', flat=True)
Which gives me a list of IDs of the users who have referrals... but I need it to be distinct, and I want the User object, not their ID.
Or better yet, it would be nice if it could return the number of referrals a user has.
Any ideas?
Took me a long time to wrap my head around this, but I think I finally got it figured out:
affiliates = User.objects.annotate(num_referrals=Count('referrals')).filter(num_referrals__gt=0)
I didn't think I'd be able to use the reverse relationship
referred_by = models.ForeignKey(User, null=True, blank=True, related_name='referrals')
in Count(), nor did I think you could use the annotated value in the filter... that's pretty cool. I still wish you could use GROUP BY without having to annotate stuff (assuming I didn't need the count).

Resources