Ok, have a look at this :-)
Warning:
1. You need a solid understanding of ACL for this to make sense.
2. I am sure that this code could be improved substantially by
better programmers than me. The aim was just to make something
that worked to see if it could be done. I guess that it should be
made into a component.
Pre-requisites:
1. User authentication (I am using dAuth for this)
2. An Aro structure of usernames and groups that match the
authentication system
3. An Aco structure of groups that data can belong to
Once you have that then you are ready to protect your data.

// First, get a list of Acos that the user has access to and
// return it as a comma delimited string with '' marks around each
// Aco alias. The functions used are listed below.
$ownerString = $this->_arrayToList($this->_getDataAcos());

// Query the database for records that we are allowed to access
// using the list generated above as a filter. This requires the
// table have a column that holds an Aco name for each record to define
// who can access it. In this case the column name is 'owner'.
$this->set(
    'data',
    $this->Master->findAll(
        'WHERE `Master`.`owner` IN ('.$ownerString.')'
    )
);

This will return a data set of only the records that the ACL system says
the user should have access to.

/*
 * The function _getDataAcos() does the following:
 *
 * - Gets the username of the current user from the session
 * - Retrieves the ARO path for the username
 * - Gets all AroAco links for the Aro path
 * - Gets the Alias for each Aco from each link
 * - Finds Acos that have the extension ":data" (meaning that they
 *   are used for controlling data rather than controller actions)
 * - Gets all children data Acos and puts them in an array
 * - Returns the array of data Acos
 *
 * I put it in appController.php so that it is available everywhere
 */
function _getDataAcos () {
    $aro = new Aro();
    // Start with empty arrays so a user with no links gets an empty list
    $temp = array();
    $acos = array();
    // Get the username. It may be better to pass this to the function
    $user = $this->Session->read('User');
    $username = $user['username'];
    // Get the Aro path for this user
    $aroPath = $aro->getPath($username);
    // Retrieve all links for the list of Aros
    $Link = new ArosAco();
    foreach ($aroPath as $path) {
        $temp[] = $Link->findAllByAro_id($path['Aro']['id']);
    }
    $Aco = new Aco();
    // Iterate through the links
    foreach ($temp as $tempAro) {
        // Iterate through each Aco attached to the current Aro
        foreach ($tempAro as $tempLink) {
            // If the Aco's alias has the extension ":data" we want it
            // (this only tests for a ':' in the alias, not the literal suffix)
            if (count(explode(':', $tempLink['Aco']['alias'])) > 1) {
                $acos[] = $tempLink['Aco']['alias'];
                // Get the children of the Aco so that we inherit their access.
                // Assigned fresh each time so earlier children are not re-added.
                $tempAcos = array($Aco->getChildren($tempLink['Aco']['object_id']));
                // Iterate through all child Acos
                foreach ($tempAcos as $potentials) {
                    // There are two levels of nesting, so iterate the second
                    foreach ($potentials as $potential) {
                        // Check that the Acos are data Acos
                        // This is not really required
                        if (count(explode(':', $potential['Aco']['alias'])) > 1) {
                            // Put the Acos we have selected in an array
                            $acos[] = $potential['Aco']['alias'];
                        }
                    }
                }
            }
        }
    }
    // send back the Aco array
    return $acos;
}
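
/*
 * This function just turns the array of names into a comma delimited
 * string with each item in ''.
 */
function _arrayToList($sourceArray = null) {
    $ownerString = '';
    // Use the array passed in; only query the ACL when none was given
    $ownerArray = ($sourceArray === null) ? $this->_getDataAcos() : $sourceArray;
    foreach ($ownerArray as $owner) {
        // The alias goes into the SQL unescaped, so aliases must not
        // contain quote characters
        $ownerString .= '\''.$owner.'\',';
    }
    return trim($ownerString, ',');
}
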
So that's it. Hope that it made some sense.
I have done basic testing on it, and it appears that the data is
protected according to the rules of the ACL. However, if you want to
use this code I would strongly suggest that you conduct your own testing
to be sure I haven't made some glaring error in the security.
If anyone can suggest improvements, or a better way to achieve the same
result, I would like to hear it :-)
Regards,
Langdon
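
The owner filter described in the post, as an added example that is not part of the original message and is not CakePHP code: it binds each Aco alias as a query parameter instead of concatenating it into the IN list, and returns nothing when the user has no data Acos. It assumes modern PHP with PDO and the SQLite driver; the `masters` table, its columns, the sample rows and the helper name findOwnedRecords() are constructed for illustration.

```php
<?php
// Added example, not from the original post. Plain PDO with in-memory SQLite
// stands in for the CakePHP model; table and helper names are assumptions.

// Hypothetical helper: $acoAliases is what _getDataAcos() would return.
function findOwnedRecords(PDO $db, array $acoAliases): array
{
    // Keep only string aliases, drop duplicates, reindex for positional binding.
    $aliases = array_values(array_unique(array_filter($acoAliases, 'is_string')));

    // Fail closed: no data Acos means no rows, never an unfiltered query.
    if (count($aliases) === 0) {
        return [];
    }

    // One "?" per alias. The values travel as bound parameters, so a quote
    // inside an alias cannot change the shape of the SQL.
    $placeholders = implode(',', array_fill(0, count($aliases), '?'));
    $stmt = $db->prepare(
        "SELECT id, owner, title FROM masters WHERE owner IN ($placeholders) ORDER BY id"
    );
    $stmt->execute($aliases);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE masters (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
$ins = $db->prepare('INSERT INTO masters (owner, title) VALUES (?, ?)');
foreach ([
    ['sales:data', 'Q1 forecast'],
    ['hr:data', 'Salary review'],
    ["o'brien:data", 'Account notes'],
] as $row) {
    $ins->execute($row);
}

// A user whose ACL resolves to two data Acos, one alias containing a quote
// and one alias repeated (as happens when a child Aco is reached twice).
foreach (findOwnedRecords($db, ['sales:data', "o'brien:data", 'sales:data']) as $r) {
    echo $r['id'], ' ', $r['owner'], ' ', $r['title'], "\n";
}

// A user with no data Acos gets an empty result set.
var_dump(findOwnedRecords($db, []) === []);
```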