Hi everybody,

I made another test: I set permission 'allow' for all CRUD (that means _create, _read, _update and _delete are all set to -1 in the dataset) and my user has access to the controller and action. As soon as "delete" is -1 (denied), my user isn't allowed to use an action which needs only read access and doesn't delete anything, e.g. an index or search.

I have set my permissions on controller level and mapped the actions to the CRUD permissions. Do I have to give permissions to each single action? I hope not, or my aros_acos table would be very big.

Does anyone have an idea?

Anja

-----Original Message-----
From: cake-php@googlegroups.com [mailto:cake-...@googlegroups.com] On Behalf Of Liebermann, Anja Carolin
Sent: Monday, 15 December 2008 16:44
To: cake-php@googlegroups.com
Subject: Auth: Why has my user no access to this action?

Hi everybody,

After 2 weeks thinking about it and sleeping over it and setting up aros_acos 4 times: Please maybe somebody has a good hint what I did wrong.

Situation: CakePHP 1.2 application with Auth and ACL.

Some permissions work fine, e.g. I allow certain groups full access to a certain controller. That works.

In my controller "Hotelmasters" I have the action index:

    function index() {
        // List of users (editors) for the view, with an empty entry at key 0
        $bearbeiter = $this->Hotelmaster->User->find('list', array('order' => 'name ASC'));
        $bearbeiter[0] = '';
        // Only paginate records that are not flagged as deleted
        $param['Hotelmaster.deleted'] = '0';
        $hotelmasters = $this->paginate('Hotelmaster', $param);
        $this->set('bearbeiter', $bearbeiter);
        $this->set('hotelmasters', $hotelmasters);
    }

The aro group 10 has the aro_id 26. That is the group with which I am testing. A lot of rights, but not everything.

The Hotelmasters has the aco_id 90. Parent is "controllers".

The aros_acos dataset is:

    id  aro_id  aco_id  _create  _read  _update  _delete
    45  26      90      1        1      1        -1

So my user is allowed to read Hotelmasters.

In my app_controller.php I have:

    $this->Auth->mapActions(array(
        'read' => array('arraysMitMaster', 'getBilder', 'getHotelbilder', 'getHotelmasterbilder',
            'getHotelmastertexte', 'getHotelsByAuspraegungOrt', 'getHotelslisteByOrtmaster',
            'getHoteltexte', 'getKatalogplanung', 'getOrtbilder', 'getOrtByZielgebietAjax',
            'getOrtmasterbilder', 'getOrtmasterByZielgebietmasterAjax', 'getOrtmastertexte',
            'getOrtplanung', 'getOrtsByAuspraegungZielgebiet', 'getOrtslisteByZielgebietmaster',
            'getOrttexte', 'getSonderkonditionmaster', 'getVerhotelbildmaster',
            'getVerhoteltextmaster', 'getVerpflegungmaster', 'getVerzielgebietbildmaster',
            'getZielgebiet', 'getZielgebietbilder', 'getZielgebietmasterbilder',
            'getZielgebietmastertexte', 'getZielgebietplanung', 'getZielgebietsByAuspraegung',
            'getZielgebiettexte', 'hotel_komplett', 'hotelinfoskomplettieren',
            'hotelskomplettieren', 'index', 'index2', 'ortskomplettieren', 'sonderkonditionskomplettieren',
            'suche', 'urlaubsartskomplettieren', 'verpflegungskomplettieren', 'view', 'viewPdf'),
        'create' => array('add', 'addHotelauspraegung', 'verknuepfungwaehlen'),
        'update' => array('edit', 'editKatalogplanung', 'editOrtplanung', 'editverknuepfung',
            'editZielgebietplanung', 'order', 'saveKatalogplanung', 'saveOrtplanung',
            'saveZielgebietplanung', 'sortverknuepfung'),
        'delete' => array('delete')));

Note the 'index' in the 'read' array in the line before the last line. I get the same problem when I have only 'index' in my read array. So 'index' is an equivalent of 'read' which should be allowed. And my index function doesn't trigger other functions which might have different rights.

Any idea where else I can look for an error or if this contains an error?

Thank you in advance for your efforts!

Anja
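
A simplified model of how the aros_acos row quoted in the message evaluates, as an added example that is not part of the original message and not CakePHP's own code. It assumes 1 = allow and -1 = deny, looks at a single row without inheritance, and assumes that a check for the wildcard action '*' passes only when every CRUD column is allowed; `checkRow()` and `crudTypeFor()` are hypothetical helper names.

```php
<?php
// Added example: model of an ACL decision on ONE aros_acos row.
// Assumptions: 1 = allow, -1 = deny; no parent-node inheritance is modelled;
// a check for action '*' requires all four CRUD columns to be allowed.

function checkRow(array $row, $action = '*')
{
    $keys = array('_create', '_read', '_update', '_delete');
    if ($action === '*') {
        foreach ($keys as $key) {
            if ($row[$key] != 1) {
                return false; // a single denied column fails the whole check
            }
        }
        return true;
    }
    $key = '_' . $action;
    if (!in_array($key, $keys, true)) {
        throw new InvalidArgumentException("Unknown CRUD action: $action");
    }
    return $row[$key] == 1;
}

// Hypothetical resolver: find the CRUD type a controller action is mapped to,
// using an array shaped like the one passed to mapActions().
function crudTypeFor($controllerAction, array $map)
{
    foreach ($map as $crud => $actions) {
        if (in_array($controllerAction, $actions, true)) {
            return $crud;
        }
    }
    return null; // action is not mapped
}

// Row 45 from the message: aro_id 26 on aco_id 90.
$row = array('_create' => 1, '_read' => 1, '_update' => 1, '_delete' => -1);

// Shortened copy of the mapping from the message (constructed sample).
$map = array(
    'read'   => array('index', 'suche', 'view'),
    'create' => array('add'),
    'update' => array('edit'),
    'delete' => array('delete'),
);

foreach (array('index', 'edit', 'delete') as $a) {
    $crud = crudTypeFor($a, $map);
    printf("%-6s as %-6s: %-5s | as '*': %s\n", $a, $crud,
        checkRow($row, $crud) ? 'allow' : 'deny',
        checkRow($row, '*') ? 'allow' : 'deny');
}
```

In this model the row passes a 'read' check for index but fails a '*' check, so the outcome depends on which of the two the application performs. One thing to verify is whether `$this->Auth->authorize` is set to 'crud', the mode in which the mapActions() mapping is used.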