With checking ACL’s, the code I use is as follows:
$info = $this->Member->read(null, $id);
// Check for permissions to edit this account
if ( !$this->Acl->check(array('model' => 'Member', 'foreign_key' => $this->Auth->user('member_id')), $info['Member']['username'], 'update') ) {
$this->Session->setFlash(__('You are not allowed to edit this user. -- ' . $this->Auth->user('member_id'), true));
$this->redirect(array('action'=>'index'));
}
While this works and is not that bad of an idea at all, there is a way to centralize this check and put it in the main app_controller.php file.
Continue reading Central ACL Check →
After doing a few posts on Access Control Lists (ACLs), the need to look further into the implementation of ACLs in a CakePHP project could be helpful. If there are questions on setting up the ACL tri-table in the database, you can review the previous postings, or check out the CakePHP documentation. But now that you have the ACL tables set up, how does it actually work?
First, the ACL happens after authentication. So whether or not you are using the Auth component, you will still need to authenticate the user some how, some way. Then once the user is authenticated and logged in, that user will have permissions to do different thing. Let’s say one of those things is to edit accounts. If it is a regular user, he should be able to edit his own and no one else. If the user was a “site admin” he should be able to edit his own and any account that is not a “super-admin”. If he is a super admin then he should edit everyone’s account. However, the first part of this is setting up the initial ACL permissions.
Continue reading ACL Implementation →
Another Blog clogging up the already crowded internet