To answer your first question: give everyone access to every post by not checking to see who owns it in the Controller::index() and Controller::view() methods. Give only the post's writer the ability to edit/delete the post by checking first to see who owns it in the Controller::edit() and Controller::delete() methods. With the aforementioned WhoDidIt behavior we're talking about only one additional line of controller code plus one additional condition:
$user = $this->Session->Read('Auth.User.id');
...so in the Controller::delete() function (for example):
function delete($id = null) {
if (!$id) {
$this->Session->setFlash(__('Invalid id for Post'));
$this->redirect(array('action'=>'index'));
}
$user = $this->Session->Read('Auth.User.id'); // Only allow deletes from user's own records
if ($this->Post->field('created_by', array('id' => $id)) == $user && $this->Post->delete($id)) {
$this->Session->setFlash(__('Post deleted'));
}
$this->Session->setFlash(__('Post was not deleted'));
}
To answer your second question: same idea. Check that the manager logged in has access to the controller function on that hotel in the appropriate controller function.
-Rob
On Monday, December 24, 2012 6:12:02 PM UTC-5, Paulo Braga wrote:
-- On Monday, December 24, 2012 6:12:02 PM UTC-5, Paulo Braga wrote:
Hi Rob. Thanks for your answer, the behavior is very interesting.
I think I did not express myself well, I dont want just to set that a user has only access to the posts he created.
I want also to configure for example:
We have hotels around a country from the same organization, so in each city there's a manager, and I want a manager to manage just the hotels in his city. but this hotels can be created by another user(admin), is it possible? I did it with isAuthorized() method, but it requires a lot of "code (ugly code)° :p
Paulo
On Monday, December 24, 2012 3:08:31 PM UTC+2, Rob M wrote:Hi Paulo: You are describing row-level access control, and I am doing that with CakePHP 2.0 using a modified version of Daniel Vecchiato's WhoDidIt Model Behavior (https://github.com/danfreak/4cakephp/tree/master/models/ ). Then I check in the controller to see if the id in the table for the person who created the record matches the id of the person who is trying to modify it. - Robbehaviors
On Sunday, December 23, 2012 4:01:28 PM UTC-5, Paulo Braga wrote:Hi people.
I am using cakephp 2.x, and I am trying to build a system with group permissions, ok, I used Acl and Auth component without problem.
Now I want to configure access to specific data. for example:
we have a blog app, and we have users, posts, etc.
an admin can do anything(no problems);
a post is posted by a user. (some problems here);
With acl I configured that admin group can do anything. and that user group can just do anything in posts(add, list, edit, delete). everything is working.
But I dont want a user to edit,delete,list posts that were not created by him.
I used to do it with the method isAuthorized(), but imagining a big app, I think it will be too hard to codify it.
is there a "clean" way to do it???
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en.
No comments:
Post a Comment