The way I've done this is to define the ACOs as roles and check the user's access to the required role with Acl->check. That way you can have multiple roles in a tree structure and the access checks are super simple. There are drawbacks though: which role is required for each action is hardcoded, which is a problem if you want to rename a role or completely change its meaning.
This way it's also fairly simple to give the users access only to certain records or areas. For example, you could allow adding content to a section only to general content developers and to the content developer who is the "owner" of the section:

    // in beforeFilter
    $this->Auth->authorize = 'controller';

    function isAuthorized() {
        $userId = $this->Auth->user('id');
        // the ARO is the logged-in user record
        $aro = array('model' => 'User', 'foreign_key' => $userId);
        switch ($this->action) {
            case 'view':
                return true; // allow everyone
            case 'add':
                // allow general content developers and section owners
                $aco = 'roles/admin/general_content_developer';
                // get section id from somewhere (here: first passed URL argument, assumed)
                $this->Section->id = $this->params['pass'][0];
                $sectionOwner = $this->Section->field('owner_id');
                if ($sectionOwner == $userId) {
                    // owners only need the narrower role, which is a child ACO
                    $aco = 'roles/admin/general_content_developer/content_developer';
                }
                return $this->Acl->check($aro, $aco, '*');
            case 'edit':
                // ...
            default:
                return false; // deny anything not listed above
        }
    }

I've written more about this on my blog:
http://jsalonen.com/2010/08/simpler-role-based-access-control-for-cakephp/
http://jsalonen.com/2010/10/role-based-acl-in-cakephp/
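An added example, mine rather than the poster's or CakePHP's own code, that keeps the role-as-ACO idea but maps each action to its required role in one place and denies anything unmapped. It assumes CakePHP 1.3 with the DbAcl tables, a Section model with an owner_id column, and that the section id arrives as the first passed URL argument (the post leaves its source open); $actionRoles and _ownsSection are names I chose.

```php
<?php
// Added example (not from the post): role paths are ACOs, one map per controller,
// deny by default. Assumes CakePHP 1.3, DbAcl tables, Section.owner_id column.
class SectionsController extends AppController {
    var $components = array('Acl', 'Auth');

    // Which ACO (role path) each action needs. A permission granted on a parent
    // ACO is inherited by its children, so a user allowed on
    // general_content_developer also passes the deeper content_developer check.
    var $actionRoles = array(
        'add'    => 'roles/admin/general_content_developer',
        'edit'   => 'roles/admin/general_content_developer',
        'delete' => 'roles/admin',
    );

    function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->authorize = 'controller';
    }

    function isAuthorized() {
        $userId = $this->Auth->user('id');
        $aro = array('model' => 'User', 'foreign_key' => $userId);

        if ($this->action == 'view') {
            return true; // readable by any logged-in user
        }
        if (!isset($this->actionRoles[$this->action])) {
            return false; // unmapped action: deny instead of falling through
        }
        $aco = $this->actionRoles[$this->action];

        // Owners of a section may add/edit it with the narrower (child) role.
        if (in_array($this->action, array('add', 'edit')) && $this->_ownsSection($userId)) {
            $aco .= '/content_developer';
        }
        return (bool)$this->Acl->check($aro, $aco, '*');
    }

    // Assumption: section id is the first passed URL argument (e.g. /sections/edit/5)
    function _ownsSection($userId) {
        $sectionId = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;
        if (!$sectionId) {
            return false;
        }
        $this->Section->id = $sectionId;
        return $this->Section->field('owner_id') == $userId;
    }
}
```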