dran0703 2015-10-15 06:45
浏览 55
已采纳

CakePHP 2.x ACL - 在所有者级别进行控制

I am able to control my application using ACL, everything done perfectly and application is working smooth with ACL and Auth.

Now the problem is:

I have two tables, users and posts. there is no RBAC (role based access control). I am setting deny and allow for each user like follow.

//allow User1 to do everything
$user->id=1;
$this->ACL->allow($user,'controllers');

//allow User2 to add, edit and view the posts 
$user->id=2;
$this->Acl->deny($user, 'controllers');
$this->Acl->allow($user, 'controllers/Posts');

but here I am getting one problem:

user2 is getting access to edit the posts of user1.

example:

User1 created a post1.

now User2 logged in now he can edit the User1's post (i.e. post1- /localhost/myApp/posts/edit/1)

Question: How can I set ACL permission to this problem, The owner of the post can only edit the post and others can not.

I can achieve this in controller level simply checking 

if($_SESSION['Auth']['User']['id'] == $Post['Post']['user_id']){
    // you're the owner, so u can edit
}else{
    //u cant edit, this is not ur post
}

but I need ACL to work here, Is it possible?, Please help

Thanks

  • 写回答

1条回答

  • doujia4619 2015-10-19 07:47
    关注

    here's how I would do

    first of all tell Cake that Post model is an ACO 

     // Post.php model file
 $actsAs = array('Acl' => array('type' => 'controlled'));

    this way every time you create a new post cake will automatically create an item in the acos table.

    pay attention: you'll have to manually create the node for the previously created Posts, this way:

    // for every Post in your posts table

$this->Acl->Aco->create(array('alias' => 'Post', 'id' => 123));
$this->Acl->Aco->save();

    then you have to define a parentNode() function in your Post Model file

    // Post.php model file
public function parentNode() {
    return null;
}

    Now the ACL auth handler check form permission just at an action level. In other words it just checks that you're allowed to access the action. Then it demands other checks at a controller level by the isAuthorized() function.

    so first you have to set the permission for every node

    $this->Acl->allow($user, 'controllers/Posts/edit/123')

    then in your controller you have to do

     // PostsController.php 
 public function isAuthorized($user = null) {

    if ($this->request->action === 'edit') {
        $user = // retrieve the user array. i.e. from Session
        $post_id = $this->request->$this->request->pass[0];
        $post = array('alias' => 'Post', 'id' => $post_id );
        return this->Acl->check($user, $post);
    }
    return parent::isAuthorized($user);
}

    you can also implement parentNode() function to return the owner of the Post instead of null

    // Post.php model file

// just an hint, the actual code should be 
// a bit more complex
public function parentNode() {
    $user_id = $this->field('user_id');
    return array('User' => array('id' => $user_id));
}

    this way don't have to set the permission for every single post because cake will check if the user has access to the parent node of the Post (who is a user too). So you just have to set the permission for every user

    $this->Acl->allow($user, $user);

    If you follow this method remember to set the user as an ACO too

    // User.php Model file

$actsAs = array('Acl' => array('type' => 'both'));

    I did not test the code above so I guess there are a lot of typos and errors too. If I have time i'll do some tests and improve my answer in the next days

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 c程序不知道为什么得不到结果
  • ¥40 复杂的限制性的商函数处理
  • ¥15 程序不包含适用于入口点的静态Main方法
  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
  • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置