If I understand your needs as written, it would seem simpler to stay
with CakePHP Auth/ACL and create a second tier of permissions for a
subset of Users who are also in the Users table. That would handle
authentication for you (the way you're already doing) and you would
grant those Users access to the create/update/delete views on your
models as needed.

You'd want a field in each record that identifies the User (or Group
of users) that created it, so that in your controller you can verify
that the Auth User matches prior to updating the record.

On May 21, 3:15 am, emmexx <[email protected]> wrote:
> In one cake app I use Auth and Acl to authenticate users, as per
> manual.
> Now I need to let some users, not listed in users table but in another
> database, edit the records of a table. Let's say for clarification
> that they should manage their own profile.
>
> What I want to do is:
>
> 1. let those users "authenticate" outside of my app Auth system.
> I created a form where those users enter their username and password.
> The form is public ($this->Auth->allowedActions = array('mylogin');)
>
> 2. If their credentials are valid I redirect to a form (a view of the
> model they have to edit).
>
> Obviously I want to be sure that when the second form is submitted,
> what the server receives is not faked. I mean, I need some kind of
> persistence in order to verify that the submitted data comes from an
> authenticated user and the data is consistent with the user (a user
> can modify only his own profile).
> To accomplish that is it enough to create a session key and check it
> before saving data?
> And what kind of complexity should I implement from a security point
> of view? I mean, is it enough to set a simple session key (e.g.
> $this->Session->write('authenticated', true))? Or should I write something
> more complex (e.g. hashing of some user data?)
> I'm not sure that php/cakephp Session component are enough to
> guarantee that the submitted data is coming from the same user
> previously authenticated.
> Are there better cake methods to accomplish the same goal?
>
> thank you
>    maxx
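
The ownership check suggested in the reply, as an added example that is not part of the original messages: plain PHP rather than CakePHP controller code, with constructed sample data. The names `owner_id`, `auth_user_id` and `updateOwnProfile` are hypothetical, and the sketch assumes the login step stored the external user's id in the server-side session rather than a bare flag.

```php
<?php
// Added example, not from the thread. All names (owner_id, auth_user_id,
// updateOwnProfile) are hypothetical.

/**
 * Update a profile only if the owner stored with the record matches the
 * identity held in the server-side session.
 */
function updateOwnProfile(array &$profiles, array $session, $profileId, array $post)
{
    // Identity comes from the session only, never from the submitted form.
    if (empty($session['auth_user_id'])) {
        return 'not-authenticated';
    }
    if (!isset($profiles[$profileId])) {
        return 'not-found';
    }
    // Compare the record's owner field with the session identity.
    $owner = (string) $profiles[$profileId]['owner_id'];
    if ($owner !== (string) $session['auth_user_id']) {
        return 'forbidden';
    }
    // Copy only whitelisted fields, so an owner_id or id smuggled into
    // the request cannot reassign the record.
    $editable = array('display_name', 'email');
    foreach ($editable as $field) {
        if (array_key_exists($field, $post)) {
            $profiles[$profileId][$field] = $post[$field];
        }
    }
    return 'updated';
}

// Constructed sample data: two profiles owned by two external users.
$profiles = array(
    1 => array('owner_id' => 'ext-100', 'display_name' => 'Alice', 'email' => 'alice@example.test'),
    2 => array('owner_id' => 'ext-200', 'display_name' => 'Bob', 'email' => 'bob@example.test'),
);
// Assumption: written once by the login action after credentials check out.
$session = array('auth_user_id' => 'ext-100');

// Own record, another user's record, forged owner field, no session.
echo updateOwnProfile($profiles, $session, 1, array('display_name' => 'Alice B.')), "\n";
echo updateOwnProfile($profiles, $session, 2, array('display_name' => 'x')), "\n";
echo updateOwnProfile($profiles, $session, 1, array('owner_id' => 'ext-200')), "\n";
echo updateOwnProfile($profiles, array(), 1, array('email' => 'x@example.test')), "\n";
echo $profiles[1]['owner_id'], "\n";
```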
