» Yet another blog post about CakePHP ACL

Yet another blog post about CakePHP ACL

This post isn’t a standalone tutorial about ACL in CakePHP, and it’s not meant to be so. Ā There are already many posts in the cloud about such topic. Ā The purpose of this post is to emphasis some nontrivial hints or small tricks at least for me

Please, make sure to read one of those tutorials before getting through this post, I do recommend that one comes in the documentation of CakePHP.

So, let’s go and see how things should go. Ā I am going to implement this simple typical application with Groups and Users. Ā A User belongs to a Group. Ā The ‘admin’ Group can do anything with Users. Ā A User can only list the available users (index action)

Please, make sure to read one of those tutorials before getting through this post, I do recommend the one comes in the documentation of CakePHP.

1- Let’s make our application support ACL and Authentication. Ā In the app_controller.php

[php]
//in app_controller.php
//Make sure to include ‘Acl’ before ‘Auth’
var $components = array(‘Acl’, ‘Auth’);

function beforeFilter() {
//Configure AuthComponent
$this->Auth->authorize = ‘actions’;
$this->Auth->actionPath = ‘controllers/’;
$this->Auth->allowedActions = array(‘display’); //IMPORTANT not to get into redirect loop
$this->Auth->loginAction = array(‘controller’ => ‘users’, ‘action’ => ‘login’);
$this->Auth->logoutRedirect = array(‘controller’ => ‘users’, ‘action’ => ‘login’);
}
[/php]

2- In the models, pick whether this model is an ACO or ARO or both.

[php]
var $actsAs = array(‘Acl’ => ‘requester’);
var $actsAs = array(‘Acl’ => ‘controlled’);
var $actsAs = array(‘Acl’ => array(‘Aro’,'Aco’));
[/php]

3- To support the hierachy-based ACL in CakePHP, each model that acts as an ARO should provide an overload for the method parentNode. Ā Here is how it goes in our case. Ā We have 2 AROs, a User and a Group.

[php]
//in User.php
function parentNode() {
if (!$this->id && empty($this->data)) {
return null;
}
$data = $this->data;
if (empty($this->data)) {
$data = $this->read();
}
if (!$data['User']['group_id']) {
return null;
} else {
return array(‘Group’ => array(‘id’ => $data['User']['group_id']));
}
}
[/php]

[php]
//in Group.php
function parentNode() {
return null;
}
[/php]

4- It’s time to add the login and logout functionality as usual with Auth component. Ā One special thing I noticed is that while with only Auth you needn’t add the ‘login’ and ‘logout’ action to allowed actions list because they are added by default, when it comes to ACL, you need to explicitly add them. Ā Don’t forget to add the views of login and logout as usual.

[php]
//in users_controller.php
function beforeFilter() {
parent::beforeFilter(); //IMPORTANT to call the functionality of acl
$this->Auth->allow(‘login’, ‘logout’);//You can login
}

function login() {
if ($this->Session->read(‘Auth.User’)) {
$this->Session->setFlash(‘You are logged in!’);
$this->redirect(‘/’, null, false);
}
}

function logout() {
$this->Session->setFlash(‘Good-Bye’);
$this->redirect($this->Auth->logout());
}
[/php]

5- Let’s create the AROs. Ā They are added automatically, once a Group of User is added through CakePHP generated forms, a corresponding entry will be added to the aros table. Ā This is done through the ACL behavior.

6- To add ACOs, there are couple of solutions I could find, but the one I recommend this

http://mark-story.com/posts/view/generate-aco-records-for-your-controllers-and-actions-with-acosyncshell

It adds another shell and hence you can do the whole thing from console. Ā I find it nice and convenient. Ā Here is how you can use it

Put the file aco_sync.php in this path cake_1.2.x\vendors\shells

Call it like that

cake aco_sync update

It will do the magic and add ACOs for all controllers and actions to your acos tables.

7- It’s time to create ACLs, I also prefer using console to accomplish this task.

Give Admin group all permissions on all actions of Users

cake acl grant Group.1 Users all

Note that they are Group and Users. Ā The first is singular; the model, and the second is plural; the controller.

Group.1 ==> 1 is the id of the Admin group in Groups table

Let’s see another example

Give User group all permissions on index action of Users

cake acl grant Group.2 Users/index all

This is how to set permissions to a specific action using the slash ‘/’. Ā Not backslash or a dot or anything else, it’s written like that Users/index.

So, now, you are all set

Since console is widely used in this post, I think adding some hints about using console will be of no harm, I am using cake_1.2.5, and I am using wamp, under Windows of course, installed with the default settings in c:\wamp

Here is how you may get the console commands to work smoothly

Put the cakePHP frame in some location in your file system away from the www folder. Ā If you are using wamp, it can be

 C:\wamp\frameworks\cake_1.2.5\

Add the location of the cake to your PATH, or use the full location each time.

In this case it will be

C:\wamp\frameworks\cake_1.2.5\cake\console

While being in the www folder create your project using the console

cd C:\wamp\www\

C:\wamp\www>c:\wamp\frameworks\cake_1.2.5\cake\console\cake bake TestingACLProject

or if you added it to the path, simply use

C:\wamp\www>cake bake TestingACLProject

This will create the folder TestingACLProject and build the typical skeleton of a Cake project.

Later on, execute all console commands from inside the TestingACLProject folder

e.g.

cd C:\wamp\www\TestingACLProject

C:\wamp\www\TestingACLProject>cake acl grant Group.1 Users all

I hope this post could help to remove some of the mystery of CakePHP due to its lack of good documentation.

December 30th, 2009 | 04:41 pm | CakePHP, Technical | 1 Comment |

Rennifer

I didn’t know where to find this info then kbaoom it was here.

Trackback this post
Subscribe to the comments via RSS Feed

QuinDev

Archives and Categories

Archives

Categories