Hi Langdon

Your code sent me off in the right direction, so thank you for your
help. However, I had to make substantial changes, because your code did
not fit with my user model (and not with the functions available in
cake 1.2). Allow me to explain (for general edification):

I have a user model where users can belong to a group. Aros for groups
are named Group::$group_id and Aros for users are named User::$user_id.
Groups and users are two separate tables in my database. In my aros
tree, a user aro always has a group aro as parent.

My acos are named after the model they correspond to. For example the
aco named Picture::1 represents operations on picture number 1. By
allowing or denying actions on this aco, I allow a user (or group) the
right to perform those actions.

When I check which Aros a certain user is represented by, I will
always get at least two: the user aro and the group aro (plus the
parent group aro, if there is one). When I allow and deny a certain
aco, the user aro, or lowermost aro in the aro tree, is the one that
counts. Thus, if a group has read permission and the user has not, the
user should be denied access. Thus, we must check the aros-acos
permissions in a specific order. This is the function I came up with.
It works because the node() function in acl always returns the tree in
the proper order:

    function _getAllowedIds ($model, $access_type) {
        // this function returns a comma delimited string of id's that the
        // logged in user has access to in the model given.
        $aro = new Aro();
        // Get the username. It may be better to pass this to the function
        $user = $this->Session->read('User');
        $aroAlias = 'User::'.$user['id'];
        $aroNode = $this->Acl->Aro->node($aroAlias);
        $permission = new Permission();
        $temp = array();
        // loop from branches of aro tree to top
        for ($i = 0; $i < count($aroNode) - 1; $i++) {
            $temp[] = $permission->findAllByAro_id($aroNode[$i]['Aro']['id']);
        }
        $Aco = new Aco();
        $acos = array();
        // quote the model name so it is matched literally in the patterns
        $quotedModel = preg_quote($model, '/');
        // Iterate through the links. The temp array (containing
        // permission entries) is sorted by aro, and leaves come before
        // their parents
        foreach ($temp as $tempAro) {
            // Iterate through each Aco attached to the current Aro
            foreach ($tempAro as $tempLink) {
                if (preg_match("/^".$quotedModel."::\d+$/", $tempLink['Aco']['alias'])) {
                    // the following construction assures that permissions are
                    // taken from the bottom-most aro in the aro tree. I.e. if a
                    // user belongs to a group, the group has access to a file
                    // but the user does not, the user should not have
                    // access. First time we arrive here, the permission for a
                    // given aco is set to whatever it is for the bottom-most
                    // aro. Second time we arrive the permission is only changed
                    // if permission has not been specified in the first place.
                    if (array_key_exists($tempLink['Aco']['alias'], $acos)) {
                        switch ($acos[$tempLink['Aco']['alias']]) {
                            case -1:
                                $acos[$tempLink['Aco']['alias']] = -1;
                                break;
                            case 0:
                                $acos[$tempLink['Aco']['alias']] = $tempLink['Permission']['_'.$access_type];
                                break;
                            case 1:
                                $acos[$tempLink['Aco']['alias']] = 1;
                                break;
                        }
                    } else {
                        $acos[$tempLink['Aco']['alias']] = $tempLink['Permission']['_'.$access_type];
                    }
                }
            }
            // the acl model in this application is constructed such that
            // Picture::id (or Text::id etc.) acos do not have children.
            // this means that there is no reason to find children on the
            // acos in this loop
        }
        // extract the id's
        foreach ($acos as $key => $aco) {
            if ($aco == 1) {
                // the id is part of the aco alias (the array key), not of
                // the permission value
                $acos[$key] = preg_replace("/^".$quotedModel."::(\d+)/", "$1", $key);
            } else {
                unset($acos[$key]);
            }
        }
        // create a comma delimited string of id's
        $string = implode(",", $acos);
        return $string;
    }

When calling this function I get a string of id's which corresponds
to the table entries that a user has x-access to (where x is create,
read, update or delete).

I hope someone might find this useful.
:-)
Nina

On Aug 16, 1:07 pm, Langdon Stevenson <[EMAIL PROTECTED]>
wrote:
> Hi Nina
>
> <snip>
>
> > However, what I'd like is a simple command to find all pictures that a
> > given user has access to. I realize that I can find all pictures and
> > check them one by one. However, this seems expensive to me (one query
> > to get all pictures and then N queries to check the permissions).
> > There must be a simpler way to do it, but to find it requires a deep
> > understanding of how acl work, and I don't really have that
> > understanding (yet), so I am asking you. Has anyone here encountered a
> > similar problem, and how did you solve it? If not, do you have any
> > ideas on how I might attack this problem?
>
> If you have a look at the api for ACL you will find that ACL provides a
> number of methods that aren't obvious from the documentation. One of
> them (I don't remember which) takes an ARO id as an argument and returns
> a tree of ACO objects that the ARO has access to. I think that this
> should suit your needs.
>
> ...
>
> I have just tried to work back through the code and extract the key
> part, but for the life of me I can't find what I am looking for in the
> api, or the Cake ACL code.
>
> I did however discover the following thread that I posted on this
> subject a while ago:
>
> http://groups.google.com/group/cake-php/browse_thread/thread/263d3ffd...
>
> It explains what I did and shows the code that I used. However I can't
> find the parts of the api that it depends upon.
>
> Let me know if you need more explanation.
>
> Regards,
> Langdon
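
The precedence rule described in the message above (the lowermost aro with an explicit allow or deny decides, an unset permission falls through to the parent aro, and anything left undecided is denied), as an added stand-alone example that is not code from either poster or from CakePHP. It assumes rows shaped like the 'Aco' / 'Permission' arrays in the posted function; resolveAllowedIds, $mk and the sample rows are constructed for illustration.

```php
<?php
// Added example: runs without CakePHP or a database.
// $rowsByAro holds one list of permission rows per aro, leaf (user) first,
// i.e. the same order the posted function relies on from node().
function resolveAllowedIds(array $rowsByAro, $model, $action)
{
    // Only the four CRUD columns are valid; reject anything else up front.
    if (!in_array($action, ['create', 'read', 'update', 'delete'], true)) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    $pattern = '/^' . preg_quote($model, '/') . '::(\d+)$/';
    $decided = []; // id => 1 (allow) or -1 (deny), set by the lowest aro that says so

    foreach ($rowsByAro as $rows) {
        foreach ($rows as $row) {
            if (!preg_match($pattern, $row['Aco']['alias'], $m)) {
                continue; // aco belongs to another model
            }
            $id = (int) $m[1];
            // Database values may arrive as strings ('1', '0', '-1').
            $value = (int) $row['Permission']['_' . $action];
            // 0 means "not specified": leave it open for a parent aro.
            // A value already set by a lower aro is never overwritten.
            if ($value !== 0 && !isset($decided[$id])) {
                $decided[$id] = $value;
            }
        }
    }
    // Explicit denies and still-undecided acos are both left out.
    $ids = array_keys(array_filter($decided, function ($v) {
        return $v === 1;
    }));
    sort($ids);
    return $ids; // integers only, so safe to implode(',') afterwards
}

// Constructed sample rows for one user aro and its parent group aro.
$mk = function ($alias, $read) {
    return ['Aco' => ['alias' => $alias], 'Permission' => ['_read' => $read]];
};
$userRows  = [$mk('Picture::1', '-1'), $mk('Picture::2', '0'), $mk('Text::7', '1')];
$groupRows = [$mk('Picture::1', '1'), $mk('Picture::2', '1'),
              $mk('Picture::3', '1'), $mk('Picture::4', '0')];

// Picture::1 is denied by the user aro even though the group allows it;
// Picture::2 and Picture::3 are allowed via the group; Picture::4 is never decided.
echo implode(',', resolveAllowedIds([$userRows, $groupRows], 'Picture', 'read')), "\n";
```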