Not exactly sure if you are just asking how to hide specific elements or restrict who can edit what.
For the former, I would suggest you filter the list in the controller to create separate "editable" and "viewable" arrays that you can use in the view. This would both remove your repeated logic (that's what the controller is for!) and would also therefore mean changes wouldn't have to be repeated (or forgotten about) in each instance in each view....
For the latter, in my opinion this is probably best solved with separate views and controller methods for each role; after all, it is this type of privilege restriction for which prefix routing was primarily designed.
Whilst your current solution restricts what form fields are visible, it is still trivial for a user (of any privilege) to create the requests you are trying to restrict, for example posting to "/users/delete/1"; the requests are still possible, you are just hiding them. It is for this reason that it would be necessary to perform the same type of role filtering in the controller. Are you also doing this? (Note: the CSRF protection that is optionally implemented by the Security component would black-hole requests such as in my example; relying on this would require you to ensure all controllers are using the Security component and that anything you are restricting requires a POST/PUT/DELETE (read: not GET).)
By the time you have typed out all this access filtering, both view and controller, and made sure the Security component is always included in every controller from now to the end of time, you may well find that the duplication required by prefix routing is a justifiable option. Additionally, I would probably say this approach would cultivate a more secure and restrictive approach to your app design, which is likely to lead to a more robust setup in the end.
Hope this answers your question.
Thom
On Monday, 7 May 2012 00:58:42 UTC+1, bs28723 wrote:
There should be a better way than what I am doing right now......
I have a set of 3 default Roles (Owner, Admin, Member). Users can add,
delete, and modify the Roles, except the 3 default Roles.
If I create views like "edit", then all the fields in the Role table go
into a Form and are editable.
So, now, in the edit.ctp, I am comparing the name to see if I want to
make it editable:
<?php
// edit.ctp: the three built-in roles are shown as a plain label,
// every other role gets an editable name field.
if (in_array($this->request->data['name'], array('owner', 'admin', 'member'))) {
    echo $this->Form->label('Role.name', 'Role: ' . $this->request->data['name']);
} else {
    echo $this->Form->input('Role.name');
}
?>
I have several things like this that are either displayed (not editable)
or editable depending on the role or permissions of the user. I don't
want to create different controller functions and different views for
each variation. But I am also not sure that passing a bunch of
information to views and having them make the decision is right either.
Anyone have any suggestions?
Thanks,
bill
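As an added illustration of Thom's advice (this is example code written for this page, not code from either poster or from CakePHP itself), the following CakePHP 2.x controller decides once, server-side, whether a role's name is locked and whether the current user may edit or delete at all, and hands the view only a boolean. It assumes AuthComponent stores the logged-in user's role under the key 'role', that the Role model has a 'name' field, and that the Security and Session components are loaded; the class, method and variable names are hypothetical.

```php
<?php
// Added example, not from the thread: a CakePHP 2.x RolesController that
// enforces "default roles are read-only" in the controller rather than only
// in edit.ctp, so a hand-crafted POST to /roles/delete/1 is refused too.
// Assumptions: Auth stores the user's role under 'role', the Role model has
// a 'name' column, and Security (CSRF/form tampering) + Session are loaded.
App::uses('AppController', 'Controller');

class RolesController extends AppController {

    public $components = array('Auth', 'Security', 'Session');

    // The three built-in roles nobody may rename or delete.
    public $defaultRoles = array('owner', 'admin', 'member');

    public function beforeFilter() {
        parent::beforeFilter();
        // Privilege check lives here, not in the view: only owners and
        // admins may reach edit/delete regardless of what the form showed.
        if (in_array($this->action, array('edit', 'delete')) &&
            !in_array($this->Auth->user('role'), array('owner', 'admin'))) {
            throw new ForbiddenException(__('You may not manage roles.'));
        }
    }

    public function edit($id = null) {
        $role = $this->Role->findById($id);
        if (!$role) {
            throw new NotFoundException(__('Invalid role'));
        }
        // Computed once; edit.ctp only tests this flag.
        $nameIsLocked = in_array(strtolower($role['Role']['name']), $this->defaultRoles);

        if ($this->request->is('post') || $this->request->is('put')) {
            if ($nameIsLocked) {
                // Never trust a submitted name for a default role, even
                // though the view did not render an input for it.
                unset($this->request->data['Role']['name']);
            }
            $this->Role->id = $id;
            if ($this->Role->save($this->request->data)) {
                $this->Session->setFlash(__('Role saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Role could not be saved.'));
        } else {
            $this->request->data = $role;
        }
        $this->set(compact('role', 'nameIsLocked'));
    }

    public function delete($id = null) {
        // Refuse GET so the action cannot be triggered by a plain link.
        if (!$this->request->is('post') && !$this->request->is('delete')) {
            throw new MethodNotAllowedException();
        }
        $role = $this->Role->findById($id);
        if (!$role) {
            throw new NotFoundException(__('Invalid role'));
        }
        if (in_array(strtolower($role['Role']['name']), $this->defaultRoles)) {
            throw new ForbiddenException(__('Default roles cannot be deleted.'));
        }
        $this->Role->delete($id);
        $this->Session->setFlash(__('Role deleted.'));
        return $this->redirect(array('action' => 'index'));
    }
}
```

With this in place, edit.ctp shrinks to a single test of `$nameIsLocked` (label when true, `$this->Form->input('Role.name')` when false), and the decision it reflects is also enforced when the form is bypassed entirely.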
View this message in context: How to avoid extra php code in views