You can add this to your UsersController:
// Returns true only when the logged-in user owns the record being edited.
function __checkUsersOwnRecord($recordId = null) {
    $userId = $this->Auth->user('id');
    // Guard against null == null: with no record id or no logged-in user,
    // the loose comparison would otherwise wrongly return true.
    if ($recordId !== null && $userId !== null && $userId == $recordId) {
        return true;
    } else {
        return false;
    }
}
Give all users access to users/edit ... however, before you do any
edit functionality, first check that the logged-in user is the same
user as the record being edited.
The basic answer is that since the Auth Component does not look at the
record ID when it verifies access, you cannot rely on it to
automatically handle record-level access, and you therefore have to
create such logic on your own.
On Aug 12, 5:02 am, [EMAIL PROTECTED] wrote:
> I have the same problem, but let us take a look at the debug messages:
> (we say that the user model must behave as "requester", and in the model
> it's written
> var $actsAs = array('Acl' => array('type'=>'requester'));
> )
> So the debug is
>
> SELECT `Aro`.`id`, `Aro`.`parent_id`, `Aro`.`model`,
> `Aro`.`foreign_key`, `Aro`.`alias` FROM `aros` AS `Aro` LEFT JOIN
> `aros` AS `Aro0` ON (`Aro`.`lft` <= `Aro0`.`lft` AND `Aro`.`rght` >=
> `Aro0`.`rght`) WHERE `Aro0`.`model` = 'User' AND `Aro0`.`foreign_key`
> = 29 ORDER BY `Aro`.`lft` DESC
>
> here 29 is id of the user requesting some permissions
> ok, works perfectly
>
> then
>
> SELECT `Aco`.`id`, `Aco`.`parent_id`, `Aco`.`model`,
> `Aco`.`foreign_key`, `Aco`.`alias` FROM `acos` AS `Aco` LEFT JOIN
> `acos` AS `Aco0` ON (`Aco0`.`alias` = 'Users') WHERE `Aco`.`lft` <=
> `Aco0`.`lft` AND `Aco`.`rght` >= `Aco0`.`rght` ORDER BY `Aco`.`lft`
> DESC
>
> Here you see `Aco0`.`alias` = 'Users'!!! but it's not true, i do not
> want to request permissions on the whole users group, i'm interested
> only in
> aco with alias, say, User::29, or, i would say it must be better, in
> aco with foreign_key=29
>
> so then as a consequence we have
>
> SELECT `Permission`.`id`, `Permission`.`aro_id`,
> `Permission`.`aco_id`, `Permission`.`_create`, `Permission`.`_read`,
> `Permission`.`_update`, `Permission`.`_delete`, `Aro`.`id`,
> `Aro`.`parent_id`, `Aro`.`model`, `Aro`.`foreign_key`, `Aro`.`alias`,
> `Aro`.`lft`, `Aro`.`rght`, `Aco`.`id`, `Aco`.`parent_id`,
> `Aco`.`model`, `Aco`.`foreign_key`, `Aco`.`alias`, `Aco`.`lft`,
> `Aco`.`rght` FROM `aros_acos` AS `Permission` LEFT JOIN `aros` AS
> `Aro` ON (`Permission`.`aro_id` = `Aro`.`id`) LEFT JOIN `acos` AS
> `Aco` ON (`Permission`.`aco_id` = `Aco`.`id`) WHERE
> `Permission`.`aro_id` = 5 AND `Permission`.`aco_id` = (1) ORDER BY
> `Aco`.`lft` desc
>
> where we have correct aro_id and incorrect aco_id
>
> so it seems User model must behave as a "requester" and as a
> "controlled", but you cannot define such a behaviour (at least i don't
> know how)
>
> reasonable solutions are to check permissions in such situations
> yourself (but i cannot switch off auto check!), to define an additional
> model like profile or to make some correction in some cake files
> (still don't know where)
>
> any suggestions?
>
> On Aug 8, 6:31 am, KoPanda <[EMAIL PROTECTED]> wrote:
>
> > Yes, I'm using "crud" mode in Auth. The Aro and Aco trees are like
> > this.
>
> > Aro
>
> > users
> > |- user1
> > |- user2
> > |- administrators
> > |----- admin
>
> > Aco
>
> > Site
> > |- Users
> > |-----user1
> > |-----user2
>
> > The permissions were setup like this,
>
> > cakeaclgrant administrator Site *
> > cakeaclgrant users Site read
>
> > And then in the register() action after saving the user data,
>
> > // User model is defined with $actsAs = array('Acl' => 'requester') so
> > the Aro is automatically handled
> > // some code to create the aco and set the $alias to the username
> > $this->Acl->allow($alias, $alias, array('read','update'));
>
> > For example, ARO user1 would have "read" and "update" permission to
> > ACO user1. I suppose Auth would check through the tree and see if ARO
> > user1 can update ACO user1 and then allow edit() action when I do /
> > users/edit/5 (suppose user1 has id:5). But that's not the case. It
> > kicks me back to /users/view/5, as ARO user1 has "read" permission to
> > ACO Users. If I want to make /users/edit/5 run as I wish, I have to
> > grant "update" permission to the Users controller, which eventually lets
> > all users edit any records of other users.
>
> > Well, I know I can do an extra check() in the edit() action and see if the
> > current user has update permission to the record, but I don't
> > understand why the Auth component acts like this. Is my approach
> > wrong? Or are Acl and Auth not supposed to do the work like this?
>
> > On Aug 8, 2:29 am, francky06l <[EMAIL PROTECTED]> wrote:
>
> > > You have to set (or use) the right mode to Auth, in this case "model"
> > > or "crud".
>
> > > On Aug 7, 12:02 pm, KoPanda <[EMAIL PROTECTED]> wrote:
>
> > > > I'm trying to develop a community website using crud mode on the Auth
> > > > component. User profiles can be viewed by all users while only be
> > > > edited by the profile owner and administrator. I followed an Acl
> > > > tutorial from Bakery
>
> > > >http://bakery.cakephp.org/articles/view/how-to-use-acl-in-1-2-x
>
> > > > to set up the Acl, create user aliases in aco and aro under Users, and
> > > > allow 'read' and 'update' permission to the aco. However, the Auth
> > > > component doesn't check the permission on the record. It only checks
> > > > if the Users controller in aco can be updated. It won't let a normal user
> > > > edit his own user profile. If I allow users to update Users, normal
> > > > users can run edit() on all user profiles.
>
> > > > Why is that? In my understanding, Auth should check the permissions
> > > > from the Acl root to all the leaves. Why does it stop checking when the
> > > > controller won't let it update while the actual record is set with
> > > > 'update'? Or is there any other suggested Acl model for my situation?
>
> > > > Thanks!
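Putting the ownership check into the action itself, as an added example that is not code from the thread or from CakePHP's own sources: a CakePHP 1.2 style UsersController::edit() that assumes users/edit is allowed for every logged-in user, that the User model actsAs an Acl requester (as in the thread), and that only the administrators group holds 'Site *' (so passing the controller-level 'update' check on the Users ACO serves as the admin test).

```php
<?php
// Added example (not code from the thread or from CakePHP itself): a
// CakePHP 1.2 style UsersController whose edit() action performs the
// record-level check that Auth's crud mode does not. Assumes users/edit is
// allowed for every logged-in user, the User model actsAs an Acl requester
// (as in the thread), and that only administrators hold 'Site *'.
class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Auth', 'Acl', 'Session');

    // True only when the logged-in user owns the record being edited.
    // Both ids are checked for null so that "not logged in" and "no id"
    // can never compare equal under PHP's loose ==.
    function __checkUsersOwnRecord($recordId = null) {
        $userId = $this->Auth->user('id');
        return $recordId !== null && $userId !== null && $userId == $recordId;
    }

    // True when the ACL grants the logged-in user 'update' on the Users
    // ACO itself; in the thread's setup only the administrators group has it.
    function __canUpdateAnyUser() {
        $aro = array('User' => array('id' => $this->Auth->user('id')));
        return $this->Acl->check($aro, 'Users', 'update');
    }

    function edit($id = null) {
        if (!$this->__checkUsersOwnRecord($id) && !$this->__canUpdateAnyUser()) {
            // Deny before any data is read or written; redirect() exits.
            $this->Session->setFlash('You can only edit your own profile.');
            $this->redirect(array('action' => 'view', $id));
        }
        if (!empty($this->data)) {
            // Pin the id to the one already authorized above, so a hidden
            // form field cannot redirect the save to a different record.
            $this->data['User']['id'] = $id;
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Profile updated.');
                $this->redirect(array('action' => 'view', $id));
            }
        } else {
            $this->data = $this->User->read(null, $id);
        }
    }
}
?>
```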
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en