HirdWeb

With checking ACL’s, the code I use is as follows:

$info = $this->Member->read(null, $id);

// Check for permissions to edit this account
if ( !$this->Acl->check(array('model' => 'Member', 'foreign_key' => $this->Auth->user('member_id')), $info['Member']['username'], 'update') ) {
	$this->Session->setFlash(__('You are not allowed to edit this user. -- ' . $this->Auth->user('member_id'), true));
	$this->redirect(array('action'=>'index'));
}

While this works and is not that bad of an idea at all, there is a way to centralize this check and put it in the main app_controller.php file.
(more…)

After doing a few posts on Access Control Lists (ACLs), the need to look further into the implementation of ACLs in a CakePHP project could be helpful. If there are questions on setting up the ACL tri-table in the database, you can review the previous postings, or check out the CakePHP documentation. But now that you have the ACL tables set up, how does it actually work?

First, the ACL happens after authentication. So whether or not you are using the Auth component, you will still need to authenticate the user some how, some way. Then once the user is authenticated and logged in, that user will have permissions to do different thing. Let’s say one of those things is to edit accounts. If it is a regular user, he should be able to edit his own and no one else. If the user was a “site admin” he should be able to edit his own and any account that is not a “super-admin”. If he is a super admin then he should edit everyone’s account. However, the first part of this is setting up the initial ACL permissions.

(more…)

In some applications on the web, you are required to log in to view content, post content, or any other sort of thing. With this, there will be times when a member of the site/application/whatever will forget the password they used, and it will have to be reset for them. So there are different methods of doing this, and different ideas behind what should make this work. I am going to give you one that I use, which will use a close to random method for resetting the passwords.

(more…)

Another quick post. This has some info on the “intrawebs” but there is also bad data out there. Say you have a form, that has some info on it that requires a good amount of data to be input by the end user. If the user leaves the form to go to another page, or closes the window, all of that will be lost. So there is a couple ways you can combat that.

1. You could make everyone create an account to save any data on a smaller scale and come back later and submit the form
or
2. You can create an alert message when the user no longer wants your page to show.

There are different reasons to do one or the other. If you had a long form for something like a scholarship or a detailed personal profile, that would be the case for the account to save the data in smaller chunks. However, lets say you have a form with many fields that requires some data input and alot of options to parse through. That would be a case for an alert message. But since HTTP is stateless, how would one accomplish this?

(more…)

It is finally October and I have not posted one thing yet. I was in California last week though. However that should not be an excuse for the lack of posting I have made. I really wanted to be able to post at least once a week, trying for twice a week. However, that has not happened.

So a quick post about security in a site. I will not claim that I know everything about security, but I have always been about the common sense stuff of a site. Some of the things to keep in mind:

(more…)

In preparation for the Zend Certification Exam (ZCE), Zend provides a great (sarcasm) online practice test that consists of 8 questions. That is right, 8 questions. A certification exam that consists of 70 questions and Zend offers 8 questions. And the other thing with the practice test, is that if you get 5 out of 8 correct, then you are “ready” to take the exam. Which I would not suggest, unless of course you have at least 1 year of real PHP experience coding, testing, even hacking. Plus, there is a good amount of DB stuff on the test, as well as security, streams, XML/Web Services and other stuff. I also suggest you pay (that is right, pay) for a set of practice exams. But I digress. Back to the Zend practice test. They give you 8 questions, then just tell you how many you got right/wrong. There is no feedback (like a real exam) on the practice test, which I think there ought to be. So I decided I would not only give you the answer, but why it is the answer. Following is the exam questions and the answers and why they are the answers.
(more…)

I did not post on Monday, which I really wanted to do. I am studying for the Zend Certification, but may have to put it off based on work load, and family obligations. Do I think I can just take the exam and pass it? Well, I am not that conceited, but I am sure I may be able to pass it on a good day. However, test taking is not one of my strengths, so even if I knew everything on the test, I may still fail the test. So studying really helps me go through the exam work, and then helps me to get through the anxiety of tests.

And there is also new work things I am doing on the side. Most involve CakePHP, some involve just doing some very basic PHP work. So I am doing those and having less time to actually blog. And let’s not forget football season is now in full swing, so I spend a good portion of my Saturday afternoons watching college football and doing some studying.

Hopefully next week I can make a couple of posts, and hopefully I will make a couple of posts per week.

The next post will probably deal with more of the CakePHP work I am doing. (Working on a “social” calendar, like there isn’t already 2000 of them already).

Another quick post this week, as I am bogged down in work and preparing for a Zend Certification Exam. I am going to be taking the exam for Zend Certified Engineer (ZCE). While I do not expect it to be much problem, these types of exams are usually worded in a way that may not give you all the basics.

I do highly recommend to visit the Zend site, download the exam prep book, and then also get a 5 pack of the test exams. The Zend store has the book and you can add on the practice exams for $17 (for 5 exams). The book explains the basics on the exam, things like network programming, XML and web services, and other items that will appear on the exam. Then if you get the 5 pack for the exam, you can take a practice test 5 times, and be able to get an idea of what the exam will be like.

Some of the questions seem like no brainers, but then there are times when the question has a key word, that makes the question mean something completely different than first appearances. One of the things I learned a long time ago, is that with these types of exams, the multiple choice has four to five questions that can be peared down quickly. Usually one is not going to be correct because of absurdity, one is going to sound like it is right, but for obvious reasons it is incorrect. Then there are the final 2 questions that can both be correct, but there is one answer they are looking for.

Sounds easy right? Would be if it was just like college, where you get to take a test, if you do not get a “pass” grade, then there are other things you can do to make up the score. With these exams, and this one in particular, it is $125 for one certification exam. You do not pass, not only are you out $125, you do not get anything, no certification of any kind. You need to pay again for another shot at the exam. So no matter how much you know a language, no matter how much you think you may know, always study and prepare. It never hurts and in the process, you may get to know more about the language than you did before.

Today is just going to be a quick post. It is Labor Day here in the States and that means a whole heap of people are not going to be working, including me. So I am just messing around with some stuff in CakePHP as I am doing a side project for a local church to put up a calendar. Most of it is complete, but there was one thing that I wanted to change.

I am using the Auth component in my User model. I have allowed register, resetpass, and index. So when I go to view a user’s detailed profile, there is that message: “You are not authorized to access that location.” Which is a fine message and all, but I want it to be site specific, and also controller specific. So the Users controller will have a separate Auth error message than the Calendars controller. So here is what I did.

In the Users controller, I built a beforeFilter function. I set my authorized actions, set redirect to false. I also set a session level variable with the Auth, then I set the error message. There are a couple of messages you can set for the Users controller. You can set the loginError and the authError. The loginError will be the error when the user logs in and is unable to for whatever reason. The authError is what the user will see when they try to perform an action that is not allowed by them, whether it is because they are not logged in (as in my case) or you are using Auth to “authorize” an action.

So here is what it would look like:

function beforeFilter() {
	parent::beforeFilter();

	$this->Auth->allow('register', 'index', 'resetpass');
	$this->Auth->autoRedirect = false;
	$this->Auth->authorize = 'controller';
	$this->set('my_id', $this->Auth->user('user_id'));
	$this->Auth->authError = "Please log in first in order to preform that action.";
}

So when you want to change the standard Auth error message, just remember to set the “authError” to whatever message you would like. Happy Labor Day!

In the first part, the idea and theory behind an ACL was discussed. In part 2, the set up of AROs, ACOs, and ACLs via the command line was shown. Now in part three, we look at why this is so important. Because an interactive site with memberships should never be static, what happens when a new member signs up? What happens when a member is promoted to an “admin” level? And what happens when users change? This can all be happened via ACLs.

In part 2, existing member were set up as AROs. And with user accounts, we also have to set those up as ACOs. Then those AROs (people) need to have permissions set for the CRUD actions. (Create, Read, Update, Delete). These actions are specific to the ACO, or object they are trying to manipulate. So if a user wants to edit their own account, do they have permission? If a user wants to delete another person’s account, do they have permissions to? With setting up ACLs, this can be checked. But what do we do when a new person signs up for an account? We need to create the code to do this.

In the Users Controller, we need to make sure we use the ACL component is included. So include this in the controller:

class UsersController extends AppController {
	var $name = 'Users';
	var $components = array('Acl');

Also remember that the Auth and Security components are also very powerful components and should be included as well, but the above only shows where to include the components. Now with this in place, we can no address the add (or register) function of the controller.

(more…)