dran0703 2015-10-15 06:45
55 views
Accepted

CakePHP 2.x ACL - control at the owner level

I am able to control my application using ACL; everything is done perfectly and the application is working smoothly with ACL and Auth.

Now the problem is:

I have two tables, users and posts. There is no RBAC (role-based access control). I am setting deny and allow for each user as follows.

//allow User1 to do everything
$user->id = 1;
$this->Acl->allow($user, 'controllers');

//allow User2 to add, edit and view the posts
$user->id = 2;
$this->Acl->deny($user, 'controllers');
$this->Acl->allow($user, 'controllers/Posts');

but here I am getting one problem:

User2 is getting access to edit the posts of User1.

Example:

User1 created post1.

Now User2 logs in and he can edit User1's post (i.e. post1 - /localhost/myApp/posts/edit/1).

Question: How can I set an ACL permission for this problem, so that only the owner of the post can edit it and others cannot?

I can achieve this at the controller level simply by checking

if($_SESSION['Auth']['User']['id'] == $Post['Post']['user_id']){
    // you're the owner, so u can edit
}else{
    //u cant edit, this is not ur post
}

but I need ACL to work here. Is it possible? Please help.

Thanks


1 answer

  • doujia4619 2015-10-19 07:47

    here's how I would do it

    first of all, tell Cake that the Post model is an ACO

     // Post.php model file
     public $actsAs = array('Acl' => array('type' => 'controlled'));
    

    this way, every time you create a new post, Cake will automatically create an item in the acos table.

    pay attention: you'll have to manually create the node for the previously created Posts, this way:

    // for every Post in your posts table (here the post with id 123);
    // the behavior stores the node by model name and foreign key
    $this->Acl->Aco->create(array('model' => 'Post', 'foreign_key' => 123));
    $this->Acl->Aco->save();
    

    then you have to define a parentNode() function in your Post model file

    // Post.php model file
    public function parentNode() {
        return null;
    }
    

    Now the ACL auth handler checks for permission just at an action level. In other words, it just checks that you're allowed to access the action. Then it demands other checks at a controller level through the isAuthorized() function.

    so first you have to set the permission for every node

    // the Post ACO is a root node (parentNode() returns null), so refer to it
    // by model and id rather than by a controllers/... path
    $this->Acl->allow($user, array('Post' => array('id' => 123)));
    

    then in your controller you have to do

    // PostsController.php
    public function isAuthorized($user = null) {
        // $user is the logged-in user array handed in by AuthComponent
        if ($this->request->action === 'edit') {
            $post_id = $this->request->pass[0];
            $aro = array('User' => array('id' => $user['id'])); // the user's ARO node
            $aco = array('Post' => array('id' => $post_id));    // the post's ACO node
            return $this->Acl->check($aro, $aco);
        }
        return parent::isAuthorized($user);
    }
    

    you can also implement the parentNode() function to return the owner of the Post instead of null

    // Post.php model file

    // the owner has to be known both on create (from the posted data)
    // and on update (from the row already in the database)
    public function parentNode() {
        if (!$this->id && empty($this->data)) {
            return null;
        }
        if (isset($this->data['Post']['user_id'])) {
            $user_id = $this->data['Post']['user_id'];
        } else {
            $user_id = $this->field('user_id');
        }
        if (!$user_id) {
            return null;
        }
        return array('User' => array('id' => $user_id));
    }
    

    this way you don't have to set the permission for every single post, because Cake will check if the user has access to the parent node of the Post (which is a user too). So you just have to set the permission for every user

    // the user is the ARO, and his own User node is the ACO that every one of his posts hangs under
    $this->Acl->allow($user, $user);
    

    If you follow this method, remember to set the user as an ACO too

    // User.php model file

    public $actsAs = array('Acl' => array('type' => 'both'));
    

    I did not test the code above, so I guess there are a lot of typos and errors too. If I have time I'll do some tests and improve my answer in the next days.

    This answer was selected as the best answer by the asker.
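A fuller isAuthorized() that ties the action-level and the owner-level check together, added here as an example and not the answer's own code. It assumes AppController configures Auth with 'Controller' as the only authorizer (AuthComponent grants access as soon as any one configured authorizer returns true, so a separate 'Actions' authorizer that already allows controllers/Posts/edit would bypass the owner check), and that User and Post use the Acl behavior and parentNode() as described above; the action names edit/delete and the CakeLog call are assumptions.

```php
<?php
// PostsController.php (added example for CakePHP 2.x, not the answer's code).
// Assumes AppController sets 'Controller' as the ONLY Auth authorizer, User
// actsAs Acl 'both' and Post actsAs Acl 'controlled' with parentNode()
// returning the owner's User node, as in the answer above.
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    public $components = array('Acl', 'Auth');

    // Actions that operate on one specific post (assumed action names).
    protected $_ownerActions = array('edit', 'delete');

    public function isAuthorized($user = null) {
        $action = $this->request->action;
        $aro = array('User' => array('id' => $user['id']));

        // Action-level check, same ACO path the Actions authorizer would use.
        if (!$this->Acl->check($aro, 'controllers/Posts/' . $action)) {
            return false;
        }
        if (!in_array($action, $this->_ownerActions, true)) {
            return true; // index/add/view need no owner check
        }

        // Object-level check. Fail closed on a missing or non-numeric id.
        $postId = isset($this->request->pass[0]) ? (string)$this->request->pass[0] : '';
        if (!ctype_digit($postId)) {
            return false;
        }
        // ACO = the post node the Acl behavior created on save. check() returns
        // false when that node does not exist, so a post saved before the behavior
        // was enabled stays inaccessible until its node is back-filled.
        $aco = array('Post' => array('id' => (int)$postId));
        $allowed = (bool)$this->Acl->check($aro, $aco);
        if (!$allowed) {
            CakeLog::write('warning', sprintf(
                'ACL denied user %s action %s on Post %s', $user['id'], $action, $postId
            ));
        }
        return $allowed;
    }
}
```

Denials are logged with the user id, action and post id so that repeated attempts to edit other users' posts show up in the application log.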
