php - CakePHP 2.x ACL - Control at owner level


I am able to control the application using ACL. It's done, and the application is working smoothly with ACL and Auth.

Now the problem is:

I have 2 tables, users and posts. There is no RBAC (role based access control). I am setting deny and allow for each user as follows.

```php
// $user is a User model instance; setting its id selects the ARO

// allow user1 everything
$user->id = 1;
$this->Acl->allow($user, 'controllers');

// allow user2 to add, edit and view posts
$user->id = 2;
$this->Acl->deny($user, 'controllers');
$this->Acl->allow($user, 'controllers/Posts');
```

But here I am getting 1 problem:

user2 is getting access to edit the posts of user1.

Example:

user1 created post1.

Now user2 is logged in and can edit user1's post (i.e. post1 - /localhost/myapp/posts/edit/1)

Question: how can I set an ACL permission for this problem, so that the owner of a post can edit the post and others cannot?

I can achieve this with a controller-level check:

```php
// AuthComponent keeps the logged-in user under Auth.User in the session
if ($_SESSION['Auth']['User']['id'] == $post['Post']['user_id']) {
    // you're the owner, you can edit
} else {
    // you can't edit, it's not your post
}
```

But I need ACL to work here. Is it possible? Please help.

Thanks

Here's how to do it.

First of all, tell Cake that the Post model is an ACO:

```php
// Post.php model file
public $actsAs = array('Acl' => array('type' => 'controlled'));
```

This way, every time you create a new post, Cake automatically creates an item in the acos table.

Pay attention: you'll have to manually create a node for already-created posts, this way:

```php
// for every post already in the posts table; the node is stored the same way
// the Acl behaviour stores it (model + foreign_key), with 123 being the post id
$this->Acl->Aco->create(array('model' => 'Post', 'foreign_key' => 123));
$this->Acl->Aco->save();
```

Then you have to define the parentNode() function in the Post model file:

```php
// Post.php model file
public function parentNode() {
    return null;
}
```

Now the ACL Auth handler checks for permission at action level. In other words, it checks whether you're allowed to access the action. It demands other checks at controller level in the isAuthorized() function.

So first you have to set a permission for every node:

```php
// parentNode() returns null, so the post's ACO is a root node and is
// addressed by model + foreign_key rather than by a path under controllers/
$this->Acl->allow($user, array('model' => 'Post', 'foreign_key' => 123));
```

Then in the controller you have to do:

```php
// PostsController.php
public function isAuthorized($user = null) {
    if ($this->request->action === 'edit') {
        // $user is the logged-in user array handed over by AuthComponent
        // (i.e. the session); wrap it so the ACL layer finds the User ARO node
        $aro = array('User' => $user);
        $postId = $this->request->pass[0];
        $post = array('model' => 'Post', 'foreign_key' => $postId);
        return $this->Acl->check($aro, $post);
    }
    return parent::isAuthorized($user);
}
```

You can implement the parentNode() function to return the owner of the post instead of null:

```php
// Post.php model file
// hint: the actual code should be a bit more complex
public function parentNode() {
    // nothing to attach to before the record exists
    if (!$this->id && empty($this->data)) {
        return null;
    }
    // on create the owner is in $this->data, afterwards read it from the table
    if (isset($this->data['Post']['user_id'])) {
        $userId = $this->data['Post']['user_id'];
    } else {
        $userId = $this->field('user_id');
    }
    if (!$userId) {
        return null;
    }
    return array('User' => array('id' => $userId));
}
```

This way you don't have to set a permission on every single post, because Cake checks if the user has access to the parent node of the post (which is the user itself). You have to set a permission for every user:

```php
// $user addresses the same User both as ARO (who) and as ACO (what)
$this->Acl->allow($user, $user);
```

If you follow this method, remember to set User as an ACO too:

```php
// User.php model file
public $actsAs = array('Acl' => array('type' => 'both'));
```

I did not test the code above; I guess there are a lot of typos and errors too. If I have time I'll test it and improve the answer in the next days.
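The two halves of this thread, the question's ownership test in the controller and the answer's "owner is the parent ACO node" approach, fit together in one CakePHP 2.x setup. The listing below is an added example written for this page, not the answerer's code and not part of CakePHP itself. It assumes a posts.user_id column, a User model with Acl type 'both', an ACO tree that already contains controllers/Posts and its action nodes (built by hand with Console/cake acl or with a tool such as the AclExtras plugin's aco_sync), and that every user has been granted its own node with $this->Acl->allow($user, $user) as in the answer. The property name $_objectActions and the helper isOwnedBy() are this example's own inventions. One point the thread does not spell out: AuthComponent grants access as soon as any configured authorizer returns true, so the action-level 'Actions' authorizer and a 'Controller' owner check must not be combined; both checks go inside isAuthorized() so they are ANDed.

```php
<?php
// Added example (not the answerer's code). Two CakePHP 2.x files shown in
// one listing; split them at the "FILE:" markers.

// ---- FILE: app/Model/Post.php ----
App::uses('AppModel', 'Model');

class Post extends AppModel {

    public $belongsTo = array('User');

    // Every saved post gets an ACO node whose parent is the owner's ACO node.
    public $actsAs = array('Acl' => array('type' => 'controlled'));

    public function parentNode() {
        if (!$this->id && empty($this->data)) {
            return null;
        }
        if (isset($this->data['Post']['user_id'])) {
            $userId = $this->data['Post']['user_id'];
        } else {
            $userId = $this->field('user_id');
        }
        if (!$userId) {
            return null; // unowned post: root-level ACO that nobody inherits
        }
        return array('User' => array('id' => $userId));
    }

    // Ownership test on the table itself, independent of the ACL tree
    // (hypothetical helper, not a CakePHP method).
    public function isOwnedBy($postId, $userId) {
        return (bool)$this->hasAny(array(
            'Post.id' => $postId,
            'Post.user_id' => $userId,
        ));
    }
}

// ---- FILE: app/Controller/PostsController.php ----
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    public $components = array(
        'Acl',
        // Only the Controller authorizer: AuthComponent allows the request as
        // soon as ANY authorizer says yes, so adding 'Actions' here would let
        // the action-level grant (user2 -> controllers/Posts) skip the owner
        // check below.
        'Auth' => array('authorize' => 'Controller'),
    );

    // Actions that work on a single post and therefore need the owner check.
    protected $_objectActions = array('edit', 'delete');

    public function isAuthorized($user = null) {
        if (empty($user['id'])) {
            return false;
        }
        $aro = array('User' => $user);

        // 1. Action-level check: the same question the Actions authorizer asks.
        $actionAco = 'controllers/Posts/' . $this->request->action;
        if (!$this->Acl->check($aro, $actionAco)) {
            return false;
        }
        if (!in_array($this->request->action, $this->_objectActions, true)) {
            return true;
        }

        // 2. Object-level check: refuse anything but a well-formed post id.
        $postId = isset($this->request->pass[0]) ? $this->request->pass[0] : null;
        if ($postId === null || !ctype_digit((string)$postId)) {
            return false;
        }
        // The post's ACO sits under its owner's ACO, so only the user who was
        // granted allow($user, $user) over that subtree passes this check.
        $postAco = array('model' => 'Post', 'foreign_key' => (int)$postId);
        if (!$this->Acl->check($aro, $postAco)) {
            return false;
        }

        // 3. Defence in depth: the user_id column must agree with the ACL tree
        // (catches posts created before the behaviour was attached or whose
        // nodes were back-filled under the wrong parent).
        return $this->Post->isOwnedBy((int)$postId, $user['id']);
    }
}
```

With this in place, /posts/edit/1 requested by user2 fails at step 2: user2's ARO has no permission on the Post node whose parent is user1's ACO. A post without an ACO node (for instance one created before the behaviour was attached) also fails closed, because DbAcl::check() returns false and raises a warning when it cannot resolve a node, which is the signal to run the back-fill from the answer.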

