Thursday, January 28, 2010

Acl action based authentication

This is my first round with ACLs. I'm going off of the CakePHP book and
this tutorial
(http://komunitasweb.com/2009/03/cakephp-acl-tutorial-what-and-how/)...
I have my ACOs and AROs set up. My access control objects are:
Aco tree:
---------------------------------------------------------------
[1]controllers
  [2]Coupons
    [4]add
    [5]edit
    [6]index
  [3]Users
    [7]edit
    [8]index
---------------------------------------------------------------

I'm using a Users/Groups setup for my AROs and they look like this:
Aro tree:
---------------------------------------------------------------
[3]Group.1
[4]Group.2
[5]User.1
---------------------------------------------------------------

Group.1 is admins and Group.2 is regular users. I have run the
following to set up my permissions:
./cake/console/cake acl deny Group.2 Users all
./cake/console/cake acl grant Group.2 Users edit
./cake/console/cake acl grant Group.2 Users index
And I get the appropriate 'permission denied' and 'permission granted'
messages.

My problem is that if I attempt to access /users/index or /users/edit as
User.1, I get redirected back to the home page (which I'm taking to mean
access denied)... The weird thing is that if I run:
./cake/console/cake acl check Group.2 Users edit
I get this error message:
Notice: ACO permissions key edit does not exist in DbAcl::check()
in /var/www/militaryhomes/cake/libs/controller/components/acl.php on
line 252
Array is not allowed.

But if I run:
./cake/console/cake acl check Group.2 Users all
I get a message saying array is not allowed which is expected.

I'm assuming there is something wrong with my grant statements but I
can't see what it is. I've tried a couple of different combinations and
nothing seems to work unless I grant Group.2 permission to 'Users all',
but that means Group.2 can access all of the controller's actions, not just
the ones I want.

Any help or explanations as to what is going on are highly appreciated.

PS: $this->Auth->authorize = 'actions';

