On Jan 2, 5:03 pm, "Dr. Tarique Sani" <[EMAIL PROTECTED]> wrote:
On 1/2/07, Langdon Stevenson <[EMAIL PROTECTED]> wrote:
> What we seem to be talking about is creating an entirely new method of
> defining and retrieving our security information hierarchy, something
> different to modified preorder tree traversal.

MPTT can't be and should not be abandoned - we have to find a way to apply the results in a better way

Tarique
--
=============================================================
PHP Applications for E-Biz: http://www.sanisoft.com
Cheesecake-Photoblog: http://cheesecake-photoblog.org
=============================================================
Hi All,

I just finished a working version of an access control component that would allow you to define "owner delete", "owner view", "owner edit" etc. using ACL without defining a rule for each actual aco, or even creating each aco. The code for now is here: http://bin.cakephp.org/view/1153809117

It's not the answer to everything but I hope it might at least be useful in sparking ideas. Here's an example of how it works. For the url /demo2/categories/edit/1, where "demo2" is a plugin and the AC component has been included, the following occurs:

// Find the aro for the currently logged in user
SELECT `Aro`.`id`, `Aro`.`model`, `Aro`.`foreign_key`, `Aro`.`alias`, `Aro`.`lft`, `Aro`.`rght`
FROM `core_aros` AS `Aro`
WHERE (`Aro`.`alias` = 'username') LIMIT 1

SELECT `Category`.`id`, `Category`.`user_id`
FROM `demos_categories` AS `Category`
WHERE (`Category`.`id` = 1) LIMIT 1

// Find the aco for the current section/controller/action/param combination.
SELECT `Aco`.`alias`
FROM `core_acos` AS `Aco`
WHERE (`Aco`.`alias` IN (
    'demo2:categories:owner_edit:1',
    'demo2:categories:owner_edit',
    'demo2:categories:edit:1',
    'demo2:categories:edit',
    'demo2:categories',
    'demo2',
    'ROOT'))
ORDER BY `Aco`.`lft` DESC LIMIT 1

// If either query returns nothing (i.e. the basic ACL data isn't present), access is denied; otherwise the results are used like so:

$this->checkAcl($resultOfFirstQuery, $resultOfSecondQuery, '*');

and the result of this call is used to decide access or not.

If a slug/title field is used in the url instead of the row id, this is taken into account by the component if the slug is either the first or a named parameter for the call.

The list of ACOs generated for the second query prepends "owner_action:id" and "owner_action" to the potential list of ACOs if the model instance can be identified AND a user is currently logged in (identified by a session variable); otherwise these aco aliases are not added to the list.
In this way it is possible to, for example, define that USERS can owner_edit posts, and irrespective of how many users or posts you have, this one rule will be found and honored.

Happy new year all,

Comments welcome,

AD7six

Please note: The manual/bakery is a good place to start any quest for info. The cake search (at the time of writing) erroneously reports less/no results for the google group. The wiki may contain incorrect info - read at your own risk (it's mainly user submitted) :) You may get your answer quicker by asking on the IRC Channel (you can access it with just a browser here: http://irc.cakephp.org).
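As an added illustration of the two ideas in the post above (it is not the component linked there, and none of the names below are from it), here is a small PHP sketch: build the ordered candidate ACO alias list for a request, prepend the owner_ variants only when a user is logged in and owns the record, and then pick the most specific matching ACO the way `ORDER BY Aco.lft DESC LIMIT 1` does against a nested-set tree. The ownership rule (the row's `user_id` equals the logged-in user's id) is an assumption based on the `Category.user_id` query in the post, and the `$acos` table contents are constructed sample data.

```php
<?php
// Added example, not the component from the post. Function and variable
// names are hypothetical; the ACO table below is constructed sample data.

// Build the candidate ACO aliases, most specific first, in the order the
// post shows for /demo2/categories/edit/1.
function acoCandidates(string $plugin, string $controller, string $action,
                       ?int $id, bool $isOwner): array
{
    $base = "$plugin:$controller";
    $list = [];
    // owner_* aliases exist in the lookup only when the record was found
    // and the logged-in user owns it; anonymous or non-owning users never
    // get a chance to match an owner_* rule.
    if ($isOwner && $id !== null) {
        $list[] = "$base:owner_$action:$id";
        $list[] = "$base:owner_$action";
    }
    if ($id !== null) {
        $list[] = "$base:$action:$id";
    }
    $list[] = "$base:$action";
    $list[] = $base;
    $list[] = $plugin;
    $list[] = 'ROOT';
    return $list;
}

// Assumption: "owner" means the record's user_id equals the session user id.
// Both a logged-in user and a found record are required.
function isOwner(?array $record, ?int $userId): bool
{
    if ($record === null || $userId === null) {
        return false;
    }
    return isset($record['user_id']) && (int) $record['user_id'] === $userId;
}

// In-memory stand-in for core_acos: alias => lft (constructed data).
// In a nested-set (MPTT) tree, deeper nodes have larger lft values, so the
// largest lft among the matching aliases is the most specific node.
$acos = [
    'ROOT'                        => 1,
    'demo2'                       => 2,
    'demo2:categories'            => 3,
    'demo2:categories:owner_edit' => 4,
];

// Equivalent of: SELECT alias FROM core_acos WHERE alias IN (...)
//                ORDER BY lft DESC LIMIT 1
function mostSpecificAco(array $acos, array $candidates): ?string
{
    $best = null;
    foreach ($candidates as $alias) {
        if (isset($acos[$alias]) && ($best === null || $acos[$alias] > $acos[$best])) {
            $best = $alias;
        }
    }
    return $best; // null = no ACO data present, caller denies access
}

function resolveAco(array $acos, ?array $record, ?int $userId): ?string
{
    $candidates = acoCandidates('demo2', 'categories', 'edit',
                                $record['id'] ?? null, isOwner($record, $userId));
    return mostSpecificAco($acos, $candidates);
}

$record = ['id' => 1, 'user_id' => 7];   // constructed stand-in for the Category row

// Owner (user 7): the single "USERS can owner_edit categories" rule is found.
echo resolveAco($acos, $record, 7) ?? 'denied', "\n";    // demo2:categories:owner_edit

// Other logged-in user (user 9): owner_* aliases are absent from the lookup,
// so the match falls back to the plain controller node.
echo resolveAco($acos, $record, 9) ?? 'denied', "\n";    // demo2:categories

// Not logged in: same fallback, never an owner_* match.
echo resolveAco($acos, $record, null) ?? 'denied', "\n"; // demo2:categories

// Missing ACL data: no alias matches, so access is denied rather than defaulting open.
echo resolveAco([], $record, 7) ?? 'denied', "\n";       // denied
```

The point to keep in mind when adapting this is the fail-closed branch: a missing ARO or ACO row must deny, exactly as the post states, because the owner_ aliases are only ever added to the lookup, never assumed.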
