The problem lies with the Auth Component. When parsing a URL to determine if a user has access to a resource, the Auth Component does not factor in the id (or any other passed parameter). This means that you cannot use the Auth Component to automatically protect content on a record level basis ... even though the ACL Component DOES allow you to protect content on a record level.
You are correct that the only way to do this is to come up with your own method of checking access from within the Controller itself.

-Aran

There has been a long standing enhancement ticket in trac related to this issue.

On Nov 19, 11:29 am, eMarcus <[EMAIL PROTECTED]> wrote:
> Hi Anja,
>
> Thanks for your reply. I will investigate that!
>
> What confuses me a little bit: When I want my security to be based on
> controller action access, I can easily create ACOs named after the
> controller actions and configure access in the aro_aco table. Any
> unallowed access causes the Auth / ACL component to protect the
> actions.
>
> When I want security to be model based, and I create ACOs based on my
> models - including the modelname and foreign key, an aro_aco entry
> does not protect anything. I can use the $this->Acl->check() method
> to find out if a user is allowed to access a certain record, but I
> wonder why that isn't done automatically? Or why I can't place that
> check() method in a callback function of the model (where it would
> belong to).
>
> Did I miss something here?
>
> All the Acl examples in the docs just refer to a controller/action
> based ACL. Is there an example available that works with ACL based
> directly on records?
>
> Thanks,
>
> bye
> me.
>
> On Nov 19, 5:04 pm, "Liebermann, Anja Carolin"
> <[EMAIL PROTECTED]> wrote:
> > Hi Marcus,
> >
> > As I just found out yesterday myself:
> > I guess you have to map your actions to the CRUD model like:
> > $this->Auth->mapActions(array('update'=> array('edit','editFoo','myupdatesomething')));
> >
> > That is, when you plan on also using Auth....
> >
> > Anja
> >
> > -----Original Message-----
> > From: cake-php@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of eMarcus
> > Sent: Wednesday, 19 November 2008 15:55
> > To: CakePHP
> > Subject: General ACL Question
> >
> > Hi,
> >
> > I want to use the ACL component to control access of users to model data.
> >
> > I built up AROs, ACOs and permissions so far.
> >
> > 1.) does the ACL component automatically check if a user has an UPDATE
> > right on save operations?
> > 2.) if not, where would be the best place to perform that check? (in a
> > callback function in the model itself, in the controller?)
> >
> > Thanks,
> >
> > bye
> > me.
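
The controller-level check described in this thread, as an added example that is not part of the original messages: a CakePHP 1.2-style controller that runs `$this->Acl->check()` against a per-record ACO before the action executes. The `PostsController`, the `Post` and `User` model names, the `$recordActions` map and the `_mayAccessRecord()` helper are assumptions for illustration.

```php
<?php
// Added example (CakePHP 1.2 style). PostsController, the Post/User models and
// the ACO layout (model = 'Post', foreign_key = record id) are assumptions.
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Acl', 'Auth', 'Session');

    // Controller action => CRUD permission checked on the record's ACO.
    var $recordActions = array('view' => 'read', 'edit' => 'update', 'delete' => 'delete');

    function beforeFilter() {
        parent::beforeFilter();
        $action = $this->params['action'];
        if (!isset($this->recordActions[$action])) {
            return; // not a per-record action; Auth's own check still applies
        }
        // Auth ignores passed parameters, so the record id is read here.
        $id = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;
        if (!$this->_mayAccessRecord($id, $this->recordActions[$action])) {
            $this->Session->setFlash('You are not allowed to access this record.');
            $this->redirect(array('action' => 'index')); // redirect() exits by default
        }
    }

    // Deny by default: no id, no logged-in user or no matching permission => false.
    function _mayAccessRecord($id, $permission) {
        $userId = $this->Auth->user('id');
        if (empty($id) || !ctype_digit((string)$id) || empty($userId)) {
            return false;
        }
        $aro = array('model' => 'User', 'foreign_key' => $userId);
        $aco = array('model' => 'Post', 'foreign_key' => (int)$id);
        return $this->Acl->check($aro, $aco, $permission);
    }

    function edit($id = null) {
        // Reached only when beforeFilter() allowed 'update' on Post $id.
        if (!empty($this->data)) {
            // Pin the id to the checked record so form data cannot redirect the save.
            $this->data['Post']['id'] = $id;
            $this->Post->save($this->data);
        } else {
            $this->data = $this->Post->read(null, $id);
        }
    }
}
```

Any action that takes a record id but is missing from `$recordActions` gets no record-level check, so the map needs an entry for every such action.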