CakePHP ACL - How to get Group-only permissions?

I just want group only permissions - I don't need user based permissions. The cake 1.3 manual (http://book.cakephp.org/view/1646/x11-2-4-1-Group-only-ACL) says:

In case we want simplified per-group only permissions, we need to implement bindNode() in User model.

function bindNode($user) {
    return array('Group' => array('id' => $user['User']['group_id']));
}

This method will tell ACL to skip checking User Aro's and to check only Group Aro's.

However when I add groups and users via the baked controllers I still end up with an AROs table with nested groups/users for user-based permissions. I expected the AROs table to look like this (because the manual says this is what it will look like):

+----+-----------+-------+-------------+-------+------+------+
| id | parent_id | model | foreign_key | alias | lft  | rght |
+----+-----------+-------+-------------+-------+------+------+
|  1 |      NULL | Group |           1 | NULL  |    1 |    2 |
|  2 |      NULL | Group |           2 | NULL  |    3 |    4 |
|  3 |      NULL | Group |           3 | NULL  |    5 |    6 |
+----+-----------+-------+-------------+-------+------+------+

But instead is looks like this:

+----+-----------+-------+-------------+-------+------+------+
| id | parent_id | model | foreign_key | alias | lft  | rght |
+----+-----------+-------+-------------+-------+------+------+
|  1 |  开发者_如何学运维    NULL | Group |           1 | NULL  |    1 |    4 |
|  2 |      NULL | Group |           2 | NULL  |    5 |    8 |
|  3 |      NULL | Group |           3 | NULL  |    9 |   12 |
|  4 |         1 | User  |           1 | NULL  |    2 |    3 |
|  5 |         2 | User  |           2 | NULL  |    6 |    7 |
|  6 |         3 | User  |           3 | NULL  |   10 |   11 |
+----+-----------+-------+-------------+-------+------+------+

Here is my user model:

class User extends AppModel {
    var $name = 'User';

    var $actsAs = array('Acl' => array('type' => 'requester'));

    var $hasMany = array(
        'Post' => array(
            'className' => 'Post',
            'foreignKey' => 'user_id'
        )
    );
    var $belongsTo = array(
        'Group' => array(
            'className' => 'Group',
            'foreignKey' => 'group_id'
        )
    );

    /**
     *
     * In case we want simplified per-group only permissions
     * see http://book.cakephp.org/view/1547/Acts-As-a-Requester
     * @param unknown_type $user
     */
    function bindNode($user) {
        return array('Group' => array('id' => $user['User']['group_id']));
    }

    function parentNode() {
        if (!$this->id && empty($this->data)) {
            return null;
        }
        if (isset($this->data['User']['group_id'])) {
        $groupId = $this->data['User']['group_id'];
        } else {
            $groupId = $this->field('group_id');
        }
        if (!$groupId) {
        return null;
        } else {
            return array('Group' => array('id' => $groupId));
        }
    }
}

Well. I assume you have an Groups model/table as well, which also contains

var $actsAs = array('Acl' => array('type' => 'requester'));

This is the reason why your ARO table contains both instances. Bind let's you change the the node of the ARO tree to which a particular model is assigned. The solution described in the documentation means that if you check your model using ACL->check() it then uses the newly bound ARO node.

You are also assigning the group id in the parent node for the User model, which is you ARO tree is constructed the way it is. I assume that in order to realize your solution just remove the acts_as and parent_node declaration in your user model.

To check for permissions you then can simply use your User model.

Hope that this clears up things a bit. I just started getting into ACL so, i might have misunderstood something in the bind behaviour. You can see if that helps.

The problem is that you still contain the old information on the database.

If you empty all the tables, including the aros, acos and aros_acos, and add create the groups and the users again you will obtain the documented output.

I have never used that method, but the concept of a group without any users seems meaningless. Cake uses the user and group information to decide who belongs to which group so that it can apply the appropriate group permissions.

Looking at 'the Book', though, your users must have a group_id set:

"Every user has to have assigned group_id for this to work."

CREATE TABLE users (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(255) NOT NULL UNIQUE,
    password CHAR(40) NOT NULL,
    group_id INT(11) NOT NULL,
    created DATETIME,
    modified DATETIME
);

In my applications, which don't use bindNode, I set the permissions only by group and it works fine.