I'm also running into this problem and trying to come up with workarounds.
I posted one idea at http://groups.google.com/group/cake-php/browse_thread/thread/b91681a12ecf35ee This is I think similar to your idea Christian in that it attempts to make the parentID more dynamic. My thought was that since parentID is a function to be implemented in the model (in 1.2) it could be programmed to return different parentIDs depending on where you are in the site. The parentID for a user is then no longer necessarily that which is in the ARO table, but might change (obviously you would have to define this elsewhere or according to logic in the code) Ben On Feb 12, 7:59 pm, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote: > OK, so it doesn't seem to work. I added several AROs with the same > alias ('User:1' for example) but with different parents, then I set > the rights on these parent (user groups) to contradictory rights over > an ACO. I then checked for the user's rights on the aco. I noticed > that there are queries performed for each parent so it is getting all > the rights, then it solves conflicts by picking the allow rule (which > is kind of weird but anyway). The problem comes when i add a deny rule > directly on the user. It sets the rule on the last created aro with > alias User:1 but check seems to ignore it's deny and still says I'm > allowed. > However i think it's a start. With a custom DB_ACL class i think i can > make this work. I'm just wondering if I should do this or write my own > acl that fits my needs better. > > On Feb 12, 6:17 am, aranworld <[EMAIL PROTECTED]> wrote: > > > Have you tried to just add one user to two groups in the console app > > and see what happens? > > > I have just been reading through the check() function in cake\libs > > \controller\components\acl.php [DB_ACL]. I'm not 100% sure, but based > > on Nate's response above, I have a feeling that this is setup to > > actually work already. Just give two entries in the aros table the > > same alias. In fact, I wonder if the reliance on aliases is precisely > > to allow this to happen more easily? > > > Although, I could imagine this causing problems with the AclBehavior. > > > On Feb 11, 4:41 pm, "[EMAIL PROTECTED]" > > > <[EMAIL PROTECTED]> wrote: > > > BTW, i was thinking the other day at solutions around this and thought > > > to duplicate the aro of a user for each group the user is in, and mark > > > this in the alias somehow. Then retrieve all the rights for all the > > > AROs of the user and try to solve conflicts between them. Since the > > > user is usually in few groups i think this is doable. I could even > > > write a new ACL behavior to do the duplication job for me. > > > What do you guys think? Does it worth trying? > > > > On Feb 12, 2:21 am, "[EMAIL PROTECTED]" > > > > <[EMAIL PROTECTED]> wrote: > > > > Interesting what you're saying. It's true that by carefully nesting > > > > groups you can solve a lot of cases but this leads to creating many > > > > groups that their only purpose is to nest other groups. I know that > > > > It's also true that solving conflicts in a "user in many groups" > > > > system would probably require as much effort, but even so... i wish i > > > > would know what nate's referring to, when he's saying that "This is > > > > technically possible with the new 1.2 ACL system" (in > > > > here:https://trac.cakephp.org/ticket/2191) > > > > > On Feb 12, 1:35 am, aranworld <[EMAIL PROTECTED]> wrote: > > > > > > You are right. A user can only have one parent. But that user does > > > > > not necessarily have to have the exact same permissions as it's > > > > > parent. > > > > > > If you have a user in the "car mechanic" group, but this person also > > > > > has experience fixing bicycle tires, you could give that person -- and > > > > > that person only -- access to the BicycleTire controller, which is > > > > > otherwise only available to those in the "bike mechanic" group. > > > > > > You can, of course, also nest groups. So if you want to give bike > > > > > mechanics access to only bikes, but car mechanics access to bikes and > > > > > cars, you could make bike mechanics the parent of car mechanics. In > > > > > this case, car mechanics will inherit all from bikes (their parent), > > > > > but then you can assign whatever extra permissions you want to the car > > > > > mechanics without having those permissions applied to bike mechanics. > > > > > However, if you have a car mechanic who knows nothing about bikes, you > > > > > can then revoke all his permissions to bicycles, but keep him in the > > > > > car mechanic group. > > > > > > On Feb 10, 10:35 pm, "[EMAIL PROTECTED]" > > > > > > <[EMAIL PROTECTED]> wrote: > > > > > > Can the current ACL system be used for this situation: the requester > > > > > > (user) can have multiple parents (groups) ? From what i see the > > > > > > inheritance in aros is 1:1 for now. What do you guys use? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---
