Thursday, July 19, 2012

Another ACL issue (nested ACOs)

Hello,

I'm developing a quite simple project and want to use ACL on it. I've set up the authentication process but have problems with authorization against CRUD.
Here is the Auth component settings in my AppController.php:

        'Auth' => array(
            'loginAction' => array('controller' => 'users', 'action' => 'login'),
            'loginRedirect' => array('controller' => 'pages', 'action'=> 'display', 'home'),
            'loginError' => 'Invalid login',
            'authError' => 'Unauthorized access',
            'flash' => array('key' => 'flash', 'element' => 'default'),
            'userScope' => array('User.active = 1'),
            'authenticate' => array(
                'Form',
            ),
            'authorize' => array(
                'Crud' => array(
                    'actionPath' => 'Application/')
            )
        )

And here is my (simplified) ACO tree:

  [18] Application
    [64] Comments
    [82] ReadOnly
      [52] Statuses

Permissions are as follows:

                _create    _read    _update    _delete
Application      1          1         1         -1
ReadOnly        -1          1        -1         -1

I expect that Statuses, as a ReadOnly successor, is going to be "readable", but when going to "/Statuses/read", an ACL error occurs: "Failed ARO/ACO node lookup in permissions check". I looked at the SQL queries that the ACL component produces and here is a sample:

SELECT `Aco`.`id`, `Aco`.`parent_id`, `Aco`.`model`, `Aco`.`foreign_key`, `Aco`.`alias` FROM `Base`.`acos` AS `Aco` LEFT JOIN `Base`.`acos` AS `Aco0` ON (`Aco0`.`alias` = 'Application') LEFT JOIN `Base`.`acos` AS `Aco1` ON (`Aco1`.`lft` > `Aco0`.`lft` AND `Aco1`.`rght` < `Aco0`.`rght` AND `Aco1`.`alias` = 'Statuses' AND `Aco0`.`id` = `Aco1`.`parent_id`)  WHERE ((`Aco`.`lft` <= `Aco0`.`lft` AND `Aco`.`rght` >= `Aco0`.`rght`) OR (`Aco`.`lft` <= `Aco1`.`lft` AND `Aco`.`rght` >= `Aco1`.`rght`))   ORDER BY `Aco`.`lft` DESC;

That query returns a single row, "Application", not finding "Statuses" because it is not a direct successor of "Application".

The Cake acl shell works fine though:

cake acl check Employees Statuses read

Welcome to CakePHP v2.1.3 Console
---------------------------------------------------------------
App : base
Path: /home/senser/taxundo/base/
---------------------------------------------------------------
Employees is allowed.

The SQL queries produced by the shell are quite different:

SELECT `Aco`.`id`, `Aco`.`parent_id`, `Aco`.`model`, `Aco`.`foreign_key`, `Aco`.`alias` FROM `Base`.`acos` AS `Aco` LEFT JOIN `Base`.`acos` AS `Aco0` ON (`Aco0`.`alias` = 'Statuses')  WHERE `Aco`.`lft` <= `Aco0`.`lft` AND `Aco`.`rght` >= `Aco0`.`rght`   ORDER BY `Aco`.`lft` DESC

SELECT `Permission`.`id`, `Permission`.`aro_id`, `Permission`.`aco_id`, `Permission`.`_create`, `Permission`.`_read`, `Permission`.`_update`, `Permission`.`_delete`, `Aro`.`id`, `Aro`.`parent_id`, `Aro`.`model`, `Aro`.`foreign_key`, `Aro`.`alias`, `Aro`.`lft`, `Aro`.`rght`, `Aco`.`id`, `Aco`.`parent_id`, `Aco`.`model`, `Aco`.`foreign_key`, `Aco`.`alias`, `Aco`.`lft`, `Aco`.`rght` FROM `Base`.`aros_acos` AS `Permission` LEFT JOIN `Base`.`aros` AS `Aro` ON (`Permission`.`aro_id` = `Aro`.`id`) LEFT JOIN `Base`.`acos` AS `Aco` ON (`Permission`.`aco_id` = `Aco`.`id`)  WHERE `Permission`.`aro_id` = 1 AND `Permission`.`aco_id` IN (71, 82, 18)   ORDER BY `Aco`.`lft` desc

Can you help please - am I doing something wrong or maybe misunderstanding?

Regards,
Nikolay
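Added example (not from the post and not CakePHP's own code): the two lookups quoted above replayed in SQLite against a constructed nested-set copy of the ACO tree, showing why the path lookup for Application/Statuses stops at Application (the join demands parent_id = Application) while the alias-only lookup the shell uses returns the whole ancestor chain, from which the inherited _read on ReadOnly is found. The lft/rght values, the aros_acos rows and the simplified deepest-node-wins walk are assumptions.

```python
import sqlite3

# Constructed nested-set rows (id, parent_id, alias, lft, rght) for the post's ACO tree.
ACOS = [(18, None, "Application", 1, 8), (64, 18, "Comments", 2, 3),
        (82, 18, "ReadOnly", 4, 7), (52, 82, "Statuses", 5, 6)]
# Constructed aros_acos rows for ARO 1 (Employees): _create, _read, _update, _delete.
PERMS = [(1, 18, 1, 1, 1, -1), (1, 82, -1, 1, -1, -1)]
CRUD_COLS = {"create": "_create", "read": "_read", "update": "_update", "delete": "_delete"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acos (id INT, parent_id INT, alias TEXT, lft INT, rght INT)")
    db.execute("CREATE TABLE aros_acos (aro_id INT, aco_id INT, _create INT, _read INT, "
               "_update INT, _delete INT)")
    db.executemany("INSERT INTO acos VALUES (?,?,?,?,?)", ACOS)
    db.executemany("INSERT INTO aros_acos VALUES (?,?,?,?,?,?)", PERMS)
    return db

def path_lookup(db, root, child):
    """Path lookup as in the component's query: child must be a DIRECT child of root."""
    sql = """SELECT Aco.alias FROM acos AS Aco
             LEFT JOIN acos AS Aco0 ON (Aco0.alias = ?)
             LEFT JOIN acos AS Aco1 ON (Aco1.lft > Aco0.lft AND Aco1.rght < Aco0.rght
                                        AND Aco1.alias = ? AND Aco0.id = Aco1.parent_id)
             WHERE (Aco.lft <= Aco0.lft AND Aco.rght >= Aco0.rght)
                OR (Aco.lft <= Aco1.lft AND Aco.rght >= Aco1.rght)
             ORDER BY Aco.lft DESC"""
    return [row[0] for row in db.execute(sql, (root, child))]

def alias_lookup(db, alias):
    """Alias-only lookup as in the shell's query: full ancestor chain, deepest first."""
    sql = """SELECT Aco.alias, Aco.id FROM acos AS Aco
             LEFT JOIN acos AS Aco0 ON (Aco0.alias = ?)
             WHERE Aco.lft <= Aco0.lft AND Aco.rght >= Aco0.rght
             ORDER BY Aco.lft DESC"""
    return db.execute(sql, (alias,)).fetchall()

def check(db, aro_id, aco_alias, crud):
    """Simplified inheritance: walk the chain deepest-first, first explicit 1/-1 decides."""
    col = CRUD_COLS[crud]  # whitelist, so the column name is never user-controlled
    for _alias, aco_id in alias_lookup(db, aco_alias):
        row = db.execute(f"SELECT {col} FROM aros_acos WHERE aro_id = ? AND aco_id = ?",
                         (aro_id, aco_id)).fetchone()
        if row is not None and row[0] != 0:
            return row[0] == 1
    return False  # no explicit grant anywhere in the chain: deny
```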