CakePHP ACL disable automatic ARO creation - cakephp

I (finally) got ACL to work properly, based on group permissions. However when I create a new user (Users/add) it automagically.. I mean.. autoinconveniently creates a User ARO..
While this is not really a big problem, I would like my ARO table to stay as clean as possible. Just my groups.
How do I disable the automatic creation of a User ARO object when creating a new user through CRUD?

I had the same problem and, like you, I said to myself "it's not a big deal as long as it's working"... but when I started to have more and more users and when I added new groups, I found that ACL was not working correctly. If you're using group-based permissions, you MUST ONLY have groups in your AROS table.
In brief, the documentation says that you need to add bindNode() to your Users model if you want group-based ACL, but what they don't tell you is that for group-based permissions your User model doesn't have to implement the requester behavior and you don't need parentNode() either. Remove those two and it should be OK.
I added a note to the documentation; I hope it gets published :)
Good Luck
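The group-only ARO layout the answer above describes, written out as an added CakePHP 2.x example (not the poster's code or the framework's own models; the Group/User model names and the users.group_id column are assumed). Only Group carries the Acl requester behaviour, so saving a User through Users/add no longer writes an ARO row, and a User is mapped onto its group's ARO node through bindNode():

```php
<?php
// app/Model/Group.php (assumed path): the only ACL requester.
App::uses('AppModel', 'Model');

class Group extends AppModel {
    // Each Group row gets exactly one ARO node; the behaviour also
    // removes that node (and its aros_acos rows) in afterDelete.
    public $actsAs = array('Acl' => array('type' => 'requester'));
    public $hasMany = array('User');

    // Groups are the roots of the ARO tree.
    public function parentNode() {
        return null;
    }
}

// app/Model/User.php (assumed path): no 'Acl' behaviour, no parentNode(),
// so creating a user creates no ARO.
class User extends AppModel {
    public $belongsTo = array('Group');

    // Resolve an ACL lookup on a User to the ARO node of its Group.
    // $user is the reference array passed to Acl->check(), e.g.
    // array('User' => array('id' => 7, 'group_id' => 2)).
    public function bindNode($user) {
        return array('model' => 'Group', 'foreign_key' => $user['User']['group_id']);
    }
}

// Somewhere in a controller that uses the Acl component (illustration only):
// the check is answered by the group's node, so a fresh aros table holds
// only group rows and every user inherits its group's permissions.
//
//   $user = $this->Auth->user();                       // id, group_id, ...
//   $allowed = $this->Acl->check(array('User' => $user), 'controllers/Posts/add');
```

Any User row missing group_id will make bindNode() return a reference with an empty foreign_key, so keep the column NOT NULL and validated on the add form.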

Related

Delete ARO nodes programmatically in CakePHP

I've got a simple ARO/ACO set up with simply all my users as AROs and all my Modules as ACOs and the ARO_ACOs table holds the permission rights.
This works great, except when I delete a User, I'd like to be able to clean up the ARO_ACOs and ARO tables by removing any entries associated with the ARO related to the user.
How do I go about this? The documentation is not helpful at all!
Using the ACL behavior? No action required
Assuming the ACL behavior is in use, there's no need to do anything, as it automatically deletes ACL records for AROs/ACOs, which will also delete the permission records at the same time.

"Manage Public List Views" permission missing from Profile SObject

I am writing a Visualforce page that, among other things, allows creation of Queues. However, I want to control whether the section is displayed depending on whether the user has the permissions required.
According to the docs (Creating Queues), the user needs to have both permissions:
"Customize Application"
"Manage Public List Views"
I am querying the profile like so:
    Profile profile = [
        SELECT
            PermissionsCustomizeApplication
            // Was expecting: PermissionsManagePublicListViews
        FROM
            Profile
        WHERE
            Id = :UserInfo.getProfileId()
    ];
However, my problem is that I don't think the "Manage Public List Views" permission is exposed on the Profile object. Is the API name so different that I am missing it? Does anyone know how to check for this permission in code?
I'm not sure about the name of the permission, but you could run a method to try and insert (and then delete!) a queue in an init method or similar; if it succeeds, then you know they have all of the relevant permissions required.
The snag here of course, is you may not want them to be able to delete queues (I'm assuming they work in the manner of the other objects in the system with respect to CRUD operations).
You cannot check for these permissions in code, and Lancey Snr's suggestion is probably the easiest workaround. However, I personally don't like the idea of checking permissions by creating and deleting objects in the constructor.
I'd instead create a custom setting to track the Profiles (maybe as plain text) that are allowed to create profiles. The advantage of custom settings is that the administrator can update the custom setting when a new profile is created or an old one is deleted, or the permissions have been re-configured.
Use the custom setting in conjunction with the "with sharing" keyword in the controller code, and you can ensure that users who don't have permission to create Queues won't be able to create them.
Anup
I've decided to limit it just to people with the "Customise Application" profile option.
The reason being that this is the important profile option. The only reason people need the public list views options is because a new view is created for each new queue.
As I have discovered, there is no CRUD security on the queue object in Apex code. So restricting queue creation only to users with "Customise Application" seems like the safest and most flexible course of action.

Modifying aro_aco entries?

I'm using CakePHP's ACL to handle user permissions.
When a user creates a, let's say, Post, I automatically create an ACO for that post and allow the user to access it.
But if I would like to change the user later on so that a different user "takes over" the ownership of the post, what would I do in the ACL?
Is there a delete/remove ACL function I can use to remove rows, and then add the new relationship?
I thought about using deny on the old user, and then allow all on the new one, but it would be messy if the parent group has both allow/deny in the structure.
Are there any alternatives, other than using manual sql queries?

Using ACL or simple permissions for CakePHP app

I am building a simple website that needs 3 user levels (member, mod, admin) and am currently using ACL that sets permission on a per-group basis. Now, this is all working out fine, but I am wondering if it would not be better to just have a role column in the users table that would contain a tinyint and go with that.
Why I am considering this is the following. Say I wanted to have an "admin bar" on the top of the page, I'd have to check in which group the user is, but group names can change and are not static, the role column would be. This raises the question, is ACL suited for websites that have such a simple permissions scheme?
Funny - I just recently wrote a simple Auth for scenarios like that - I called it "Tiny": http://www.dereuromark.de/2011/12/18/tinyauth-the-fastest-and-easiest-authorization-for-cake2/
It should be pretty much exactly just about what you need.
It does need the roles to be present in the Session Auth, though, and that you manage user roles yourself. So you might have to add this to your login method if you want to use multi-role Auth.
As you said, the core one is way too powerful and a real overkill for simple use cases.
Just one thing: call the field "role_id" and not "role".
This is what I use: http://bakery.cakephp.org/articles/watermark86/2010/09/23/user-permissions-based-on-a-routing-prefix
Though ACL is the right way, for small/simple cases like yours you can use this.

Suggestions for creating a multi-blog site in CakePHP with ACL 'memberships'

I've been diving into CakePHP this year and I'm loving it! However, I've just run across a problem that I'm not sure how to handle. My database design is this--
USER can belong to one or more WEBSITE
A WEBSITE can have many USER
So I have a many-to-many relationship which is tracked in MEMBERSHIP
MEMBERSHIP also tracks what group_id the USER has for that WEBSITE.
For example, if user1 joins website3 as an administrator and website5 as an editor, then the MEMBERSHIP table has an entry reflecting both those roles.
Basically my problem is Cake's ACL. In the above-mentioned model, user1's group_id would change depending on which WEBSITE he's selected after logging in. (And he could subsequently change to even more websites within the dashboard by changing the group_id again and again.) Cake's ACL appears to only handle 'user belongs to one group', period.
Can I trick the ACL by giving it the group_id from the session every time it's changed and then reload the AROs? Would it make more sense to scrap ACL and create my own permissions module?
Any suggestions or ideas to point me in the right direction would be GREATLY appreciated!
I think it will be best to create your own permission module.
The reasons are quite simple:
you can modify/extend it in any way YOU want
you will not break any CakePHP specifications