Cakephp ACL Component

2
votes

I am using cakephp ACL component to make site secure but the problem is when i am trying to deny a particular action for eg.cake acl deny Group.3 Notes 'delete' , it denies all the action of the controller for that group.The aros_acos table is as follows---- id aro_id aco_id _create _read _update _delete 1 1 1 1 1 1 1 2 2 10 1 1 1 1 3 3 10 1 1 1 -1 In the above table, the third row aro_id points to Group 3 and aco_id points to Notes controller.

What might be the problem.

2
cakephp
Edit your post properly, please. It is difficult to understand what the line of numbers means. - bancer

2 Answers

1
votes

I don't have access to my implementations at the moment, so this is from memory:

The crud settings in the acos_aros table don't map onto or control access to methods/functions/actions as such. It is the actual row in the table that does that. There will be a row for every permutation of Aro -> Aco that you have defined - they do not necessarily exist by default.

Hence the entry (row) for Administrators:AdminUser_1 => Posts::delete will be a bunch of 1s, 0s or -1s. Set all four numbers to 1 for access or -1 for deny.

I made this easier by building a (huge) matrix of checkboxes for each group, controller & action.

To summarise this, to turn on delete for a user:

  1. find the corresponding row in the acos_aros table
  2. Set all four _create, _read, _update, _delete to 1

e.g.

(3087, 1, 1314, '1', '1', '1', '1'), // allow

(3086, 1, 1313, '-1', '-1', '-1', '-1') // deny
0
votes

Perhaps your database is corrupted since last changes.

I would recommend you to fix the tables, remember, this are hasMany relations plus TreeBehaviour, if the action kept out from the controller node for any reason would explain that behaviour.

Luckily, there is someone that thought about this and developed the ACL Manager plugin that allows you to fix this using the console.

https://github.com/FMCorz/AclManager

Download the plugin to your plugins folder. Load the plugin in your bootstrap if you are not loading all already. Login to you server and use the console to execute any of the following command:

./Console/cake AclExtras.AclExtras aco_sync

You can get a complete guide for all available commands like this:

./Console/cake AclExtras.AclExtras -h
./Console/cake AclExtras.AclExtras aco_sync -h

Any time, if you can not access to the APP, add Controller to the authorize method in your AppController and then: $this->Auth->allow() so any one with valid auth is valid.

Example, just acl check: 

$this->Auth->authorize = array(
     'Actions' => array('actionPath' => 'controllers')
);

Example Controller and ACL check:

$this->Auth->authorize = array(
     'Controller',
     'Actions' => array('actionPath' => 'controllers')
);

Using the second option, you can anytime include $this->Auth->allow() in your controller's beforeFilter to allow access who you want.