On Sep 28, 8:20 pm, jmcneese <[email protected]> wrote: > hi there. it looks to me that you are not using the groups correctly, > which is how you restrict non-owner users from undesired actions. the > bits are just like unix permission bits, in that there is there is a > user and group id associated with the record, then bits assigned to > the owner, group and "others" (anyone who is not the owner or in the > group specified). > > a practical example would be something like this: > > you create a new record. that permission record gets automatically > created with an owner id matching the creating user's id, and a group > id matching the creating users *primary* group id. the permission > bits for this new record will either be the default bits defined in > the behavior configuration, or else whatever you specify in the data > to be saved. > > let's say you have two groups, Editors and Authors. you would want > editors to have full read write access, as well as the creating > author, but everyone else can only view. that would mean you want to > have a permission bit of 500 (owner: read/write/delete, group: read/ > write, others: read). the owner id is the author user's id who > created the record, and the group id is the editor group's id. > > this would allow the original author to have full control, editors can > modify the record but not delete, and all other users can read the > record but not modify/delete. > > does that make more sense?
Hi, First of all my thanks to the wonderful behavior and reply. I understood the bit masking part. If you see my previous posts i have mentioned how the 9 bits works. I am clear about that. But where i need help is when a record owner wants to assign permission to another set of groups or users or a single group or user for CRUD on all his inserted record (data) how can he do that? I am planning for an interface where the record owner allows permission for his inserted record to a selected group or users. More than that, you have mentioned in your TODO list as "I intend on updating the plugin to have more options for configuration, to whit: implementing some level of inheritable permissions, introducing the concept of roles, supporting “trickle- down” permission changes to models that actAs Tree, common UNIX-y commands like chmod/chown/chgrp." Please explain more on this points. Though I am a beginner in cakephp (just 2 months) I could try those TODO for my knowledge gain. > > On Sep 28, 5:41 am, sathyashrayan <[email protected]> wrote: > > > > > > > > > On Sep 28, 12:25 pm, sathyashrayan <[email protected]> wrote: > > > > On Sep 28, 11:39 am, sathyashrayan <[email protected]> wrote: > > > > > Ok I have made the RMAC work (http://jmcneese.wordpress.com/2010/01/28/ > > > > rmac-is-dead-long-live-rmac/) I will tell what i have done. > > > > > 1)Downloaded a fresh cakephp > > > > 2)created the users,groups tables > > > > 3)acos,aros,acos_aros ("cake schema create DbAcl" in command line) > > > > 4)Baked users and used Auth component to set up a login page > > > > 5)Placed the plugin in [path]/app/plugin/permissionable > > > > 6)Created the permission_bits table > > > > 7)Created a "contacts" table for a sample module > > > > 8)In the file [path]\app\plugins\permissionable\controllers\components > > > > \permissionable.php I added > > > > var $components = array('Session', 'Auth'); > > > > for calling > > > > $users = $this->Auth->user(); > > > > Then assigned userid and groupid in > > > > > $users = $this->Auth->user(); > > > > $userId = $users['User']['id']; > > > > $groupId = $users['User']['id']; > > > > Permissionable::setUserId($userId); > > > > Permissionable::setGroupId($groupId); > > > > Permissionable::setGroupIds(array($groupId)); > > > > > 9)Created some groups in tree (tree component) with hierarchy > > > > > 10)Now each user logged in and creates a contact the > > > > "permission_bits" table gets filled with model,and model Id and 416 > > > > (default bits) in perms.. > > > > > 11)If each user logs in and he can see only his records. He can edit > > > > and view but he can not delete his own record. If an Admin logs in he > > > > can do all the action(delete also) on all the record including his > > > > record.. > > > > > Now what i need is.. > > > > > 1)Record created user (owner) can also delete his record > > > > Ok i have found out doing this point. Which is 480 in the prems coloum > > > of permission_bits table. > > > 840 == (111) - (100) - (000). Add the line before calling save ($this- > > > > >Contact->save($this->data)) in the contact_controller.. > > > > $this->data['Permissionable'] = array('perms'=>480); > > > > > 2)Record created user (owner) can allow other group's user below his > > > > level to do all the action (create/update/delete/view) > > > > > I can guess that this could be done in the Behavior (\app\plugins > > > > \permissionable\models\behaviors\permissionable.php) with correct bit > > > > set in the callback functions. But i dont know what is the bit mask > > > > for that. If i am wrong then please correct me and guide me how to do > > > > that. > > > ok I got a bit more closer in this. I have changed the > > > Permissionable::setUserId(array($userId,6,7)); in the file > > > [path]\app\plugins\permissionable\controllers\components > > \permissionable.php > > > where 6,7 are other user IDs I get the following query generated with > > beforeFind() callback function from the file [path]\app\plugins > > \permissionable\models\behaviors\permissionable.php > > > SELECT `Contact`.*, `ContactPermissionBit`.* FROM `contacts` AS > > `Contact` INNER JOIN `permission_bits` AS `ContactPermissionBit` ON > > (`ContactPermissionBit`.`foreign_id` = `Contact`.`id` AND > > `ContactPermissionBit`.`model` = 'Contact' AND > > `ContactPermissionBit`.`foreign_id` = `Contact`.`id` AND > > ((`ContactPermissionBit`.`perms`&4 <> 0) OR > > (((`ContactPermissionBit`.`perms`&32 <> 0) AND > > (`ContactPermissionBit`.`gid` = 2))) OR > > (((`ContactPermissionBit`.`perms`&256 <> 0) AND > > (`ContactPermissionBit`.`uid` IN (2,6,7)))))) WHERE 1 = 1 LIMIT 20 > > > Look at the last part of the query IN (2,6,7) that happens with the > > array of user ids. But this will affect the afterSave() callback in > > [path]\app\plugins\permissionable\models\behaviors\permissionable.php > > since it expects a variable but not an array. So I have changed the > > code to check if its a array or variable. Just added these lines on > > the top. > > > //$user_id = Permissionable::getUserId(); > > //$group_id = Permissionable::getGroupId(); > > > if(is_array(Permissionable::getUserId())) > > { > > $ids_user = Permissionable::getUserId(); > > $user_id = $ids_user[0]; > > } > > else > > { > > $user_id = Permissionable::getUserId(); > > } > > > if(is_array(Permissionable::getGroupId())) > > { > > $ids_group = Permissionable::getGroupId(); > > $group_id = $ids_group[0]; > > } > > else > > { > > $group_id = Permissionable::getGroupId(); > > } > > > So now this works on both afterSave() and beforeFind() callback > > function, never minding if it is a array or variable. > > Now if user id 2 is the leader and user id 6 and 7 are under the > > privilege of user 2. How can i restrict some resource for the other > > users such as no deleting possible for 6,7 but only view. But user id > > 2 could do all the CRUD since he is the master for this record? I > > think I need to make a bitmask for this in perms but where in > > afterSave() and what is that bit? > > > I wounder why I am not getting any help for this issue.. May be people > > here did not able to open the link which is > > >http://jmcneese.wordpress.com/2010/01/28/rmac-is-dead-long-live-rmac/... > > > Please help..:o > > > > > One more this is when a admin delets all the record the > > > > "permission_bits" table not getting deleted.. > > > > > Thanks for any help.. > > > > > On Sep 26, 5:04 pm, sathyashrayan <[email protected]> wrote: > > > > > > Dear group, > > > > > After i used ACL plugin by Alaxos (http://www.alaxos.ch/blaxos/pages/ > > > > > view/plugin_acl) i wanted to have a ACL at each record level. That is, > > > > > a user's record need not be shown to the non-Creator. I started to > > > > > understand the concept of record level ACL from this thread. > > > > > > http://groups.google.com/group/cake-php/browse_frm/thread/886fe37ecbc... > > > > > > After downloading those code from those given links about RMAC i > > > > > tried to implement it. But I am stuck. So i started to read that code > > > > > (behaviour, [path]/app/plugin/permissionable/models/behaviors) i > > > > > understood that its the callback function that does all. Especially > > > > > the bit checking in _getPermissionQuery function. But I am still not > > > > > clear in implementation(user end). So i studied the Auth and ACL > > > > > component in core cake (libs) and i saw the _create,_delete (CRUD) > > > > > permission is set in Auth. Then I understood that RMAC implementation > > > > > is different from Core ACL which uses aros_acos table. My doubt with > > > > > the RMAC plugin is this.. Does every record will have an extra entry > > > > > in the permission table? Can anyone give an example of this full > > > > > working of the RMAC code, with more than two or three model (tables) > > > > > with tree level access (roles) including every entry in the permission > > > > > table. Can I able to use both the ACL plugin and RMAC plugin together? > > > > > > I am also planing to have own interface for the ACL, both action > > > > > level and record level. I am not sure if this will be continued since > > > > > i work for a company and they asked so. It could be dropped any time. > > > > > A basic layout as follows in a word docs. > > > > > >https://docs.google.com/document/d/1VGkvtvZk3fuST_pgn1q0sfhtvgka1NCTY... > > > > > > This is very basic and it could be non feasible (funny :D). -- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
