Assigning permissions
Now Tor has a bunch of AROs representing users, and the stage is set to
create some ACOs representing products, grouped by dealer. It's time
to glue them together by defining some permissions.
How do permissions work?
You are going to define specifically who has the rights to work with
the products. You will do this by explicitly allowing an ARO (in this
case, a user) a given action on an ACO (in this case, a product). The
actions can be read (the user can view database information), create
(the user can insert information into the database), update (the user
can modify information), delete (the user can delete information from
the database), or *, which means the user can perform all actions.
Each action must be granted individually; allowing delete does not
imply allowing create or even read.
By default, once you check permissions for something, if there is no
defined permission, CakePHP assumes DENY.
Defining policies
Defining permission policies is more than just writing and executing
code. You need to think about what your ACL is actually trying to
accomplish. Without a clear picture of what you are trying to protect
from whom, you will find yourself constantly redefining your
permissions.
Tor has users and products. For the purpose of this tutorial, you are
going allow the user who created the product full permissions to edit
and delete the product. Any user will be able to view the product
unless explicitly denied access.
Adding permission definition to product add
Tor needs to know how to assign permissions when a product is created.
This can be accomplished by adding two lines to the controller. One
line adds view permissions for the users and another line adds full
permissions for the creating user. Granting permissions looks
something like this:
$this->Acl->allow(ARO, ACO, TYPE);
If you do not specify a TYPE (create, read, update, or delete), CakePHP
will assume you are granting full permission. Your new add function in
the products controller should look like Listing 16.
Listing 16. New add function in the products controller
function add() {
    if (!empty($this->data)) {
        $this->Product->create();
        if ($this->Product->save($this->data)) {
            // Look up the dealer so the new product ACO can be filed under the dealer's ACO.
            $dealer = $this->Product->Dealer->read(null, $this->data['Product']['dealer_id']);
            $parent = $this->Acl->Aco->findByAlias($dealer['Dealer']['title']);
            // Alias the product ACO as "<id>-<title>" so it is unique and readable.
            $alias = $this->Product->id . '-' . $this->data['Product']['title'];
            $aco = new Aco();
            $aco->create();
            $aco->save(array(
                'alias'       => $alias,
                'model'       => 'Product',
                'foreign_key' => $this->Product->id,
                'parent_id'   => $parent['Aco']['id']
            ));
            // Every user may view the product; the creating user gets full rights (no TYPE given).
            $this->Acl->allow('Users', $alias, 'read');
            $this->Acl->allow($this->Session->read('user'), $alias);
            $this->Session->setFlash(__('The Product has been saved', true));
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The Product could not be saved. Please, try again.', true));
        }
    }
    $dealers = $this->Product->Dealer->find('list');
    $this->set(compact('dealers'));
}
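To see how the rules above combine (default DENY, each action granted on its own, * as shorthand for all four, grants inherited down the ARO and ACO trees, and an explicit deny on a nearer node winning), here is a standalone model of that resolution logic. It is an added illustration written for this article, not CakePHP's DbAcl and not code from the Tor application; the product_added() function mirrors the two allow() lines of Listing 16, and the ARO/ACO names (Users, alice, bob, Acme Dealer, 7-Widget) are constructed sample data.

```python
"""Standalone model of the ACL semantics described in the tutorial.

Constructed illustration, not CakePHP's DbAcl: AROs and ACOs each form a
tree, permissions are stored per (ARO, ACO) and per action, '*' expands to
every action, and a check walks from the most specific ARO and ACO toward
the root so the nearest explicit allow or deny wins; no entry means DENY.
"""

ACTIONS = ('create', 'read', 'update', 'delete')


class Acl:
    def __init__(self):
        self.aro_parent = {}   # ARO alias -> parent alias (None at the root)
        self.aco_parent = {}   # ACO alias -> parent alias (None at the root)
        self.perms = {}        # (aro, aco) -> {action: True (allow) / False (deny)}

    def add_aro(self, alias, parent=None):
        self.aro_parent[alias] = parent

    def add_aco(self, alias, parent=None):
        self.aco_parent[alias] = parent

    def allow(self, aro, aco, action='*'):
        self._set(aro, aco, action, True)

    def deny(self, aro, aco, action='*'):
        self._set(aro, aco, action, False)

    def _set(self, aro, aco, action, value):
        if aro not in self.aro_parent or aco not in self.aco_parent:
            raise KeyError('unknown ARO or ACO: %r / %r' % (aro, aco))
        entry = self.perms.setdefault((aro, aco), {})
        # '*' sets every action; otherwise only the one named action.
        for name in (ACTIONS if action == '*' else (action,)):
            entry[name] = value

    @staticmethod
    def _path(parents, alias):
        # Yield the node, its parent, its grandparent, ... up to the root.
        while alias is not None:
            yield alias
            alias = parents.get(alias)

    def check(self, aro, aco, action='*'):
        if action == '*':
            # Full rights require every action; each must have been granted.
            return all(self.check(aro, aco, name) for name in ACTIONS)
        for who in self._path(self.aro_parent, aro):
            for node in self._path(self.aco_parent, aco):
                entry = self.perms.get((who, node))
                if entry is not None and action in entry:
                    return entry[action]      # nearest explicit rule wins
        return False                          # nothing defined: DENY


def product_added(acl, product_id, title, dealer, creator):
    """Mirror of the permission lines in the tutorial's add() action (hypothetical helper)."""
    alias = '%s-%s' % (product_id, title)
    acl.add_aco(alias, parent=dealer)       # product ACO filed under its dealer
    acl.allow('Users', alias, 'read')       # every user may view it
    acl.allow(creator, alias)               # creator gets full rights ('*')
    return alias


def demo():
    """Run the scenario on constructed data and return each check's result."""
    acl = Acl()
    acl.add_aro('Users')                    # group ARO at the root
    acl.add_aro('alice', parent='Users')
    acl.add_aro('bob', parent='Users')
    acl.add_aco('Acme Dealer')              # dealer ACO at the root
    alias = product_added(acl, 7, 'Widget', 'Acme Dealer', 'alice')
    results = {
        'bob reads': acl.check('bob', alias, 'read'),        # inherited from Users
        'bob deletes': acl.check('bob', alias, 'delete'),    # never granted: DENY
        'alice deletes': acl.check('alice', alias, 'delete'),
        'alice full': acl.check('alice', alias),             # '*' needs all four
        'bob full': acl.check('bob', alias),
    }
    acl.deny('bob', alias, 'read')          # explicit deny on the nearer ARO wins
    results['bob reads after deny'] = acl.check('bob', alias, 'read')
    acl.allow('Users', 'Acme Dealer', 'update')   # dealer-level grant inherits down
    results['bob updates via dealer'] = acl.check('bob', alias, 'update')
    return results


if __name__ == '__main__':
    for name, ok in demo().items():
        print('%-24s %s' % (name, 'ALLOW' if ok else 'DENY'))
```

The walk order (ARO from specific to general, and for each ARO the ACO from specific to general) is what lets a group grant such as allow('Users', ...) cover every user while a deny placed on one user's own node overrides it, which is exactly the "any user can view unless explicitly denied" policy stated above.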
OK, now you can try adding some products. Log in as one of your users
and add a couple of products, just to see that nothing got broken along
the way. You can use the Cake Console to view the ACOs you create when
you add a new product. You're almost done. You've defined your AROs
and your ACOs, and you have assigned permissions. Now Tor needs to
check permissions when performing the various product-related actions.