CakePHP ACL: Is a Base Group / ARO Required?

I am implementing the ACL component in my CakePHP application (1.3.14). I have everything set up correctly, but there are several areas where I am still fuzzy.

Basically, do you need to explicitly specify the rights (ACOs) for a special group of basic users (an ARO)?

For simplicity, let's say I have Administrators, and then everyone else (general users). So do I need to create a group for these general users and spell out all of their rights? It seems that managing these rights would never end as the application grows.

Also, what about assigning users to multiple groups?

Ideally, if a person has a user account, the Auth component would provide access to the system as a whole. Then the ACLs would simply lock them out of the sections that are protected for a particular group.

It seems that the overlap between ACL and Auth is too great. But this may be my new (limited) understanding. Any clarification would be greatly appreciated.

UPDATE

I have started a bounty. In general, I want to implement CakePHP ACL (preferably, though a suitable third-party component is acceptable) that matches / addresses the following:

  • Assign users to multiple groups
  • Easy maintenance of a "public" user group: no need to constantly add the controllers / actions that a regular user can access.
  • Sample code for controlling access to a controller / action.
  • Sample code for testing whether a user belongs to a group.
+4

2 answers

I think the best you can hope for using Cake's native ACL implementation is as follows:

```shell
cake acl create aro root public
cake acl create aro root registered
cake acl create aro registered administrators
# (create the ACOs using AclExtras)
cake acl grant registered controllers
cake acl grant public controllers
cake acl deny public controllers/MySecureController
cake acl deny public controllers/Widgets update
cake acl deny public controllers/Widgets delete
```

(Everything above is done through the Cake shell, but it translates easily to the PHP equivalents.)

Basically, you can use a deny-by-default paradigm (as shown in the Cake ACL tutorial) or the allow-by-default paradigm described above. Which method you choose will depend on how you expect the application to grow: will most of your controllers be publicly available, with only a select few restricted to administrators, or will most of your application be restricted, with public access granted only where it is needed? Either way, you still have to grant or deny access somewhere.

Note the two AROs created under root: public and registered. Using this model, treat registered as if it were root when building your ARO tree: put all of your "real user" groups under it. That way you can use the ACL as usual for everything under registered, and public users exist outside of it.

All that said, nothing prevents you from using Cake's authentication mechanism and rolling your own access control method. Here is an example: Simple Authentication and Authorization. (NOTE: this is written for CakePHP 2.0, but the concepts also apply to 1.3.)

EDIT -

After reading the question and the other answer again, I realized that you are more focused on a role-based access control model than on the traditional per-user model of the built-in ACL component. Here are some examples of extending the built-in Auth component for RBAC:

Role Based ACLs in CakePHP

CakePHP Auth Component: Users, Groups, Permissions

In addition, this two-part article describes a database-driven role-based authorization approach that can be applied to your Cake application.

+5

You can have a tree of ACOs and a tree of AROs. In the ARO tree you will have adminsGroup <- usersGroup. You will need to set permissions for these groups. In the ACO tree you will have baseACO <- subACO <- treeOfACOsForUsers. You do not need to maintain any new ACOs if: 1) the user groups are allowed on subACO, and 2) every new ACO is a child of subACO. The idea is to organize the ACO tree so that if you allow access to a parent, all of its children are accessible automatically. You also have a deny branch. Therefore you only need to maintain (by assigning permissions) a few branches close to the root.

You may be interested in looking at my PoundCake control panel, a plugin that implements ACLs with a user-friendly web interface (CakePHP v1.3 is supported).

UPDATE:

Here is what you need.

+3
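Both answers rely on the same resolution rule: a permission set on a parent ARO or ACO is inherited by its children, and a more specific entry (a child ACO, or a subgroup or user ARO) overrides it. The following Python is an added example, not CakePHP code and not from either answer. It models that rule as I read DbAcl::check() in 1.3 (requester path walked leaf to root, object path walked leaf to root, first explicit allow or deny wins, 0 inherits, nothing explicit means deny), and replays the shell commands from the first answer as allow()/deny() calls. The aliases public, registered, administrators, controllers, Widgets and MySecureController come from that answer; editors, alice, guest and the Reports controller are made up here to show the edge cases.

```python
"""Model of CakePHP 1.3 DbAcl permission resolution over the ARO and ACO trees.

Added example, not CakePHP's code.  Resolution rule reproduced here:
walk the requester (ARO) path from the most specific node up to root, and
for each ARO walk the object (ACO) path from the most specific node up to
root; the first explicit allow (1) or deny (-1) wins, 0 inherits, and no
explicit entry anywhere means deny.
"""

ALLOW, DENY, INHERIT = 1, -1, 0
ACTIONS = ("create", "read", "update", "delete")  # the _create.._delete columns


class Tree:
    """Nodes keyed by alias with a parent link; path() runs leaf -> root."""

    def __init__(self):
        self.parent = {}

    def add(self, alias, parent=None):
        if parent is not None and parent not in self.parent:
            raise KeyError("unknown parent %r" % parent)
        self.parent[alias] = parent
        return self

    def path(self, alias):
        if alias not in self.parent:
            raise KeyError("unknown node %r" % alias)
        out = []
        while alias is not None:
            out.append(alias)
            alias = self.parent[alias]
        return out  # most specific node first


class Acl:
    """allow()/deny() write rows keyed (aro, aco), like the aros_acos table."""

    def __init__(self, aros, acos):
        self.aros, self.acos = aros, acos
        self.perms = {}

    def _set(self, aro, aco, actions, value):
        self.aros.path(aro)  # fail loudly on a typo instead of writing
        self.acos.path(aco)  # a row that no check() will ever reach
        row = self.perms.setdefault((aro, aco), dict.fromkeys(ACTIONS, INHERIT))
        for a in (ACTIONS if actions == "*" else (actions,)):
            row[a] = value

    def allow(self, aro, aco, actions="*"):
        self._set(aro, aco, actions, ALLOW)

    def deny(self, aro, aco, actions="*"):
        self._set(aro, aco, actions, DENY)

    def check(self, aro, aco, action="*"):
        wanted = ACTIONS if action == "*" else (action,)
        granted = set()
        # Outer loop: requester leaf -> root, so a user/subgroup row beats its
        # parent group.  Inner loop: object leaf -> root, so a row on Widgets
        # beats one on controllers.  First explicit value decides.
        for aro_node in self.aros.path(aro):
            for aco_node in self.acos.path(aco):
                row = self.perms.get((aro_node, aco_node))
                if row is None:
                    continue
                if any(row[a] == DENY for a in wanted):
                    return False
                granted.update(a for a in wanted if row[a] == ALLOW)
                if len(granted) == len(wanted):
                    return True
        return False  # nothing explicit anywhere: deny


def build_demo():
    # ARO tree: public and registered under root, "real" groups under registered
    aros = (Tree().add("public").add("registered").add("guest")
            .add("administrators", "registered")
            .add("editors", "registered")     # assumed group for the demo
            .add("alice", "editors"))         # assumed user node under its group
    acos = (Tree().add("controllers")
            .add("Widgets", "controllers")
            .add("MySecureController", "controllers"))
    acl = Acl(aros, acos)
    # the shell commands from the first answer
    acl.allow("registered", "controllers")
    acl.allow("public", "controllers")
    acl.deny("public", "MySecureController")
    acl.deny("public", "Widgets", "update")
    acl.deny("public", "Widgets", "delete")
    # assumed extra rows: a group-level deny and a user-level allow below it
    acl.deny("editors", "Widgets", "delete")
    acl.allow("alice", "Widgets", "delete")
    # a controller added later under the same parent, with no row of its own
    acos.add("Reports", "controllers")
    return acl


def demo_checks():
    acl = build_demo()
    return {
        "public read Widgets": acl.check("public", "Widgets", "read"),
        "public update Widgets": acl.check("public", "Widgets", "update"),
        "public MySecureController": acl.check("public", "MySecureController"),
        "administrators MySecureController": acl.check("administrators", "MySecureController"),
        "public read Reports": acl.check("public", "Reports", "read"),
        "editors delete Widgets": acl.check("editors", "Widgets", "delete"),
        "alice delete Widgets": acl.check("alice", "Widgets", "delete"),
        "guest read Widgets": acl.check("guest", "Widgets", "read"),
    }


if __name__ == "__main__":
    for name, ok in demo_checks().items():
        print("%-36s %s" % (name, "allow" if ok else "deny"))
```

Two results are the ones to keep in mind when choosing the allow-by-default layout from the first answer. "public read Reports" is allowed with no row of its own, which is exactly the low-maintenance property the question asks for, but it also means every controller you add is public until you remember to deny it; with a deny-by-default root that mistake fails closed instead. And "alice delete Widgets" is allowed even though her group is denied, because the requester path is walked from the most specific node outward, so per-user rows under a group silently override group policy and are worth auditing.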

Source: https://habr.com/ru/post/1390682/
