
Can ACL allow all, but deny for one?

I've inherited an app that makes heavy use of Cake's ACL -- a component I've never used -- and is configured such that 3 group AROs have access to an entire controller. ACOs exist for each action in the controller, but no permissions are explicitly assigned at the action level.

I've now run into a situation where I need one group to have access to one particular method, but I need to deny it for the other 2 groups. Is there any way to, rather than explicitly assigning permissions for each group to each action, simply indicate that the 2 groups do not have permissions to the one action in question?

Essentially, I want to keep the current "access to everything" default, but override that with a "deny for [this particular action]". I've tried cake bake acl deny GroupName ControllerName actionName, but that doesn't seem to have any impact.

By way of a fairly ubiquitous analogy, I'd like this to behave like Apache's AllowOverride. By default, allow everything to everyone, but deny a given action to a given group. I'm not sure whether that's helpful, but there it is.

Thanks.


This command will grant all your AROs access to your ACOs: cake acl grant RootGroupName RootControllerName all.

Thereafter you can specify the particular actions you would like to deny access to: cake acl deny GroupName ControllerName|AcoActionName AcoActionName|permissions

If your second value after deny was an AcoActionName you would have to use one of the following values for permissions: all, create, read, update, delete.

A small tangent:

This is where I believe the confusion may lie. The structure of your ACL [ACOs and AROs] is simply names of nodes that generally match the structure of your controller/action setup, but they can be called any name you would like since the permissions are checked in each action. CakePHP ACLs are organized in a Tree (data structure) and the external nodes can have database level CRUD permissions set.

Here is a sample ACL schema for users and comments.

Aco tree:
---------------------------------------------------------------
  [1] controllers (root node)
    [2] Comments
      [3] edit
      [4] add
      [5] delete
---------------------------------------------------------------

Aro tree:
---------------------------------------------------------------
  [1] Groups (root node)
    [2] Users
    [3] Admin

---------------------------------------------------------------

Assuming access has been granted globally, all Requestors have access to all Objects. If you would like to deny Users from being able to edit comments once they have submitted them, you would run cake acl deny Users Comments edit.

Here is a great tutorial on ACLs, particularly the App_Controller code at the end which has a nice snippet that checks permissions for an ACO structure that matches controller/action: User Permissions and CakePHP ACL.

Additionally, the CakePHP Book has a nice snippet to insert all your controller/actions as ACO rules: An Automatic Tool for Creating ACOs
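The resolution the answer relies on (a grant at the root of both trees is inherited downward, and a deny on a more specific ARO/ACO pair overrides it) as a small Python model. This is an added example, not CakePHP's own code: the node names come from the answer's sample trees, while RULES, grant, deny and check are names chosen here.

```python
# Model of how a tree-based ACL (as in CakePHP's DbAcl) resolves a check:
# the requester (ARO) path and the object (ACO) path are both walked from
# the most specific node to the root, and the first explicit rule found wins.
# Constructed sample trees, mirroring the answer's Aco/Aro listing.
ARO_PARENT = {"Groups": None, "Users": "Groups", "Admin": "Groups"}
ACO_PARENT = {"controllers": None, "Comments": "controllers",
              "edit": "Comments", "add": "Comments", "delete": "Comments"}
CRUD = ("create", "read", "update", "delete")

# (aro, aco) -> {action: 1 allow, -1 deny, 0 inherit from a less specific node}
RULES = {}


def path(parents, node):
    """Nodes from `node` up to the root, most specific first."""
    out = []
    while node is not None:
        if node not in parents:
            raise KeyError(f"unknown ACL node {node!r}")
        out.append(node)
        node = parents[node]
    return out


def set_rule(aro, aco, action, value):
    row = RULES.setdefault((aro, aco), {a: 0 for a in CRUD})
    for a in (CRUD if action == "all" else (action,)):
        row[a] = value


def grant(aro, aco, action="all"):
    set_rule(aro, aco, action, 1)


def deny(aro, aco, action="all"):
    set_rule(aro, aco, action, -1)


def check(aro, aco, action="all"):
    """True only if the nearest matching rule allows every requested action."""
    wanted = CRUD if action == "all" else (action,)
    for a_node in path(ARO_PARENT, aro):          # requester, leaf to root
        for o_node in path(ACO_PARENT, aco):      # object, leaf to root
            row = RULES.get((a_node, o_node))
            if row is None:
                continue
            values = [row[a] for a in wanted]
            if -1 in values:                      # explicit deny wins
                return False
            if all(v == 1 for v in values):       # explicit allow
                return True
            # all 0 (inherit): keep walking toward the roots
    return False                                  # no rule anywhere: deny


# The answer's setup: allow everything at the roots, then deny one action.
grant("Groups", "controllers")    # like: cake acl grant Groups controllers all
deny("Users", "edit")             # like: cake acl deny Users Comments edit
```

Running check("Users", "edit") returns False while check("Users", "add") and check("Admin", "edit") still return True, which is the "allow all, deny one" behaviour the question asks for.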
