Year after year I try using ACL in some useful fashion only to come up
dry every single time. This time I thought for sure it was going to
sparkle. The grand tutorial and the new 1.3 version of cake had me
quite optimistic.
Well it works for controllers and actions but not for models. Whole
lot of good that is. There is no way now to use ACL to ensure that a
person from group B doesn't modify a record belonging to group A or
see a record that they shouldn't see. Why do I say this? Because I
have acl running on an installation right now and I can see plain as
day in the cake query list at the bottom of every page that it's
looking for controllers, not models. I even put
$this->Auth->authorize = 'crud'; in there, which surprise surprise is NOT
DOCUMENTED on the 1.3 docs for ACL. Maybe it's deprecated from 1.2?
Well if so, how the hell do I invoke CRUD mode???? Because with or
without it, ACL insists on looking for controllers and actions.
So, it's back to coding a check for that by hand in every action in
every controller. And don't even get me started on the
multi-dimensional inabilities Cake's ACL has suffered from since day 1. I
tried filing a bug for this way back in the day and it got rejected as
working the way it should.
Someone over there obviously doesn't get that people often work in
more than one group and that ACOs may also belong to more than one
group. The very RAISON D'ÊTRE for ACL is to be able to have that
kind of infinitely extensible multi-dimensional hierarchical goodness
and it continues to fail at delivering on that promise. Oh, sorry,
it's not actually a promise because "it's working the way it should."
The limitations of ACL need to be documented far more than anything
else. Right now it's being sold as a panacea that if you only spend
enough time working with, eventually you get it working for you and
the world of permissions is your oyster. But that's not the case.
And what's the point of defining CRUD controls on actions anyway?
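
The record-level check the post describes coding by hand in every action can live in one deny-by-default function that also handles users and records belonging to several groups. This is an added example, not part of the original post and not CakePHP's ACL API: it is plain PHP, and the `$users`, `$records` and `$groupRights` structures, both function names and all sample data are assumptions constructed for illustration.

```php
<?php
// Constructed sample data: a user and a record may each belong to several groups.
$users = array(
    'alice' => array('groups' => array('A')),
    'bob'   => array('groups' => array('B')),
    'carol' => array('groups' => array('A', 'B')),
);
$records = array(
    1 => array('title' => 'Group A invoice', 'groups' => array('A')),
    2 => array('title' => 'Shared report',   'groups' => array('A', 'B')),
);
// Hypothetical rights table: CRUD operations a group grants on records it owns.
$groupRights = array(
    'A' => array('read', 'update'),
    'B' => array('read'),
);

// Object-level check: allow only when a group shared by the user and the
// record grants the operation. Anything else is denied by default.
function canAccessRecord(array $user, array $record, $operation, array $groupRights) {
    $shared = array_intersect($user['groups'], $record['groups']);
    foreach ($shared as $group) {
        if (isset($groupRights[$group]) && in_array($operation, $groupRights[$group], true)) {
            return true;
        }
    }
    return false;
}

// Filter a result set down to the records the user may read, so list and
// index views do not expose rows that a per-action check would have blocked.
function visibleRecords(array $user, array $records, array $groupRights) {
    $visible = array();
    foreach ($records as $id => $record) {
        if (canAccessRecord($user, $record, 'read', $groupRights)) {
            $visible[$id] = $record;
        }
    }
    return $visible;
}

// Group B user against a group A record, then against the shared record.
var_dump(canAccessRecord($users['bob'], $records[1], 'read', $groupRights));
var_dump(canAccessRecord($users['bob'], $records[2], 'update', $groupRights));
var_dump(canAccessRecord($users['carol'], $records[2], 'update', $groupRights));
var_dump(array_keys(visibleRecords($users['bob'], $records, $groupRights)));
```

Calling the check from one shared place before every find, save or delete on a record keeps the rule in a single function instead of repeating it per action.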