OK, so it doesn't seem to work. I added several AROs with the same
alias ('User:1' for example) but with different parents, then I set
the rights on these parent (user groups) to contradictory rights over
an ACO. I then checked for the user's rights on the aco. I noticed
that there are queries performed for each parent so it is getting all
the rights, then it solves conflicts by picking the allow rule (which
is kind of weird but anyway). The problem comes when i add a deny rule
directly on the user. It sets the rule on the last created aro with
alias User:1 but check seems to ignore it's deny and still says I'm
allowed.
However i think it's a start. With a custom DB_ACL class i think i can
make this work. I'm just wondering if I should do this or write my own
acl that fits my needs better.On Feb 12, 6:17 am, aranworld <[EMAIL PROTECTED]> wrote: > Have you tried to just add one user to two groups in the console app > and see what happens? > > I have just been reading through the check() function in cake\libs > \controller\components\acl.php [DB_ACL]. I'm not 100% sure, but based > on Nate's response above, I have a feeling that this is setup to > actually work already. Just give two entries in the aros table the > same alias. In fact, I wonder if the reliance on aliases is precisely > to allow this to happen more easily? > > Although, I could imagine this causing problems with the AclBehavior. > > On Feb 11, 4:41 pm, "[EMAIL PROTECTED]" > > <[EMAIL PROTECTED]> wrote: > > BTW, i was thinking the other day at solutions around this and thought > > to duplicate the aro of a user for each group the user is in, and mark > > this in the alias somehow. Then retrieve all the rights for all the > > AROs of the user and try to solve conflicts between them. Since the > > user is usually in few groups i think this is doable. I could even > > write a new ACL behavior to do the duplication job for me. > > What do you guys think? Does it worth trying? > > > On Feb 12, 2:21 am, "[EMAIL PROTECTED]" > > > <[EMAIL PROTECTED]> wrote: > > > Interesting what you're saying. It's true that by carefully nesting > > > groups you can solve a lot of cases but this leads to creating many > > > groups that their only purpose is to nest other groups. I know that > > > It's also true that solving conflicts in a "user in many groups" > > > system would probably require as much effort, but even so... i wish i > > > would know what nate's referring to, when he's saying that "This is > > > technically possible with the new 1.2 ACL system" (in > > > here:https://trac.cakephp.org/ticket/2191) > > > > On Feb 12, 1:35 am, aranworld <[EMAIL PROTECTED]> wrote: > > > > > You are right. A user can only have one parent. But that user does > > > > not necessarily have to have the exact same permissions as it's > > > > parent. > > > > > If you have a user in the "car mechanic" group, but this person also > > > > has experience fixing bicycle tires, you could give that person -- and > > > > that person only -- access to the BicycleTire controller, which is > > > > otherwise only available to those in the "bike mechanic" group. > > > > > You can, of course, also nest groups. So if you want to give bike > > > > mechanics access to only bikes, but car mechanics access to bikes and > > > > cars, you could make bike mechanics the parent of car mechanics. In > > > > this case, car mechanics will inherit all from bikes (their parent), > > > > but then you can assign whatever extra permissions you want to the car > > > > mechanics without having those permissions applied to bike mechanics. > > > > However, if you have a car mechanic who knows nothing about bikes, you > > > > can then revoke all his permissions to bicycles, but keep him in the > > > > car mechanic group. > > > > > On Feb 10, 10:35 pm, "[EMAIL PROTECTED]" > > > > > <[EMAIL PROTECTED]> wrote: > > > > > Can the current ACL system be used for this situation: the requester > > > > > (user) can have multiple parents (groups) ? From what i see the > > > > > inheritance in aros is 1:1 for now. What do you guys use? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---
