Hi Paulo:
To answer your first question: give everyone access to every post by
*not*checking to see who owns it in the Controller::index() and
Controller::view() methods. Give only the post's writer the ability to
edit/delete the post by checking first to see who owns it in the
Controller::edit() and Controller::delete() methods. With the
aforementioned WhoDidIt behavior we're talking about only one additional
line of controller code plus one additional condition:
$user = $this->Session->Read('Auth.User.id');
...so in the Controller::delete() function (for example):
function delete($id = null) {
if (!$id) {
$this->Session->setFlash(__('Invalid id for Post'));
$this->redirect(array('action'=>'index'));
}
*$*user* = $this->Session->Read('Auth.User.id'); *// Only allow deletes
from user's own records
if (*$this->Post->field('created_by', array('id' => $id)) == $user* &&
$this->Post->delete($id)) {
$this->Session->setFlash(__('Post deleted'));
}
$this->Session->setFlash(__('Post was not deleted'));
}
To answer your second question: same idea. Check that the manager logged in
has access to the controller function on that hotel *in the appropriate
controller function*.
-Rob
On Monday, December 24, 2012 6:12:02 PM UTC-5, Paulo Braga wrote:
>
> Hi Rob. Thanks for your answer, the behavior is very interesting.
>
> I think I did not express myself well, I dont want just to set that a user
> has only access to the posts he created.
>
> I want also to configure for example:
>
> We have hotels around a country from the same organization, so in each
> city there's a manager, and I want a manager to manage just the hotels in
> his city. but this hotels can be created by another user(admin), is it
> possible? I did it with isAuthorized() method, but it requires a lot of
> "code (ugly code)° :p
>
> Paulo
>
> On Monday, December 24, 2012 3:08:31 PM UTC+2, Rob M wrote:
>>
>> Hi Paulo: You are describing row-level access control, and I am doing
>> that with CakePHP 2.0 using a modified version of Daniel
>> Vecchiato's WhoDidIt Model Behavior (
>> https://github.com/danfreak/4cakephp/tree/master/models/behaviors). Then
>> I check in the controller to see if the id in the table for the person who
>> created the record matches the id of the person who is trying to modify it.
>> - Rob
>>
>> On Sunday, December 23, 2012 4:01:28 PM UTC-5, Paulo Braga wrote:
>>>
>>> Hi people.
>>>
>>> I am using cakephp 2.x, and I am trying to build a system with group
>>> permissions, ok, I used Acl and Auth component without problem.
>>>
>>> Now I want to configure access to specific data. for example:
>>>
>>> we have a blog app, and we have users, posts, etc.
>>> an admin can do anything(no problems);
>>> a post is posted by a user. (some problems here);
>>>
>>> With acl I configured that admin group can do anything. and that user
>>> group can just do anything in posts(add, list, edit, delete). everything is
>>> working.
>>>
>>> But I dont want a user to edit,delete,list posts that were not created
>>> by him.
>>>
>>> I used to do it with the method isAuthorized(), but imagining a big app,
>>> I think it will be too hard to codify it.
>>>
>>> is there a "clean" way to do it???
>>>
>>>
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
Visit this group at http://groups.google.com/group/cake-php?hl=en.
