Cook up Web sites fast with CakePHP, Part 2: Bake bigger and better with CakePHP
Page 8 of 14

Putting your ACLs to work

You've laid all the pieces out, and it's time to put your ACLs to work. When you're done, any user will be allowed to view products in Tor, but only the user who created the product will be able to edit or delete it.

You are going to add a couple of lines to each action in the products controller. These lines check whether the current user is allowed to perform the action on that product and permit or deny it based on the stored permissions.

Letting only users view products

Start with the view action. Add a line to check access to the product, displaying a message if the action is not allowed.


Listing 17. Adding a line to check access to the product

    function view($id = null) {
        if (!$id) {
            $this->Session->setFlash(__('Invalid Product.', true));
            $this->redirect(array('action'=>'index'));
        }
        $product = $this->Product->read(null, $id);
        // ACO alias convention used throughout: "<id>-<title>"
        $alias = $id . '-' . $product['Product']['title'];
        // ARO is the logged-in user stored in the session; the CRUD action checked is 'read'
        if ($this->Acl->check($this->Session->read('user'), $alias, 'read')) {
            $this->set('product', $product);
        } else {
            $this->Session->setFlash('Only registered users may view this product.');
            $this->redirect(array('action'=>'index'));
        }
    }

Save the file, make sure you are logged out of Tor, and visit the products list at http://localhost/products. When you click on any of the products, you should get redirected to the User Registration page, as shown below.


Figure 12. Redirection

Now log in using any account and try it again. This time, you should be able to view the product, as shown in Figure 13.


Figure 13. Viewing the product

That tackles the first part of the permissions. Now you need to tell Tor to deny edit and delete access to anyone but the user who created the product.


Letting only the product creator edit or delete a product

The process for controlling permissions is much the same for the edit and delete actions in the products controller.


Listing 18. The edit action

    function edit($id = null) {
        if (!$id && empty($this->data)) {
            $this->Session->setFlash(__('Invalid Product', true));
            $this->redirect(array('action'=>'index'));
        }
        $product = $this->Product->read(null, $id);
        $alias = $id.'-'.$product['Product']['title'];
        // Same check as view(), but for the CRUD action 'update'
        if ($this->Acl->check($this->Session->read('user'), $alias, 'update')) {
            if (!empty($this->data)) {
                if ($this->Product->save($this->data)) {
                    $this->Session->setFlash(__('The Product has been saved', true));
                    $this->redirect(array('action'=>'index'));
                } else {
                    $this->Session->setFlash(__('The Product could not be saved. Please, try again.', true));
                }
            }
            if (empty($this->data)) {
                $this->data = $this->Product->read(null, $id);
            }
        } else {
            $this->Session->setFlash('You cannot edit this product.');
            $this->redirect(array('action'=>'index'), null, true);
        }
        $dealers = $this->Product->Dealer->find('list');
        $this->set(compact('dealers'));
    }


For the delete action, you should also add a couple of lines that remove the ACO belonging to the product being deleted, so that no permission entry outlives the product. Your delete action will look like Listing 19.


Listing 19. The delete action

    function delete($id = null) {
        if (!$id) {
            $this->Session->setFlash(__('Invalid id for Product', true));
            $this->redirect(array('action'=>'index'));
        }
        $product = $this->Product->read(null, $id);
        $alias = $id.'-'.$product['Product']['title'];
        // Same check again, this time for the CRUD action 'delete'
        if ($this->Acl->check($this->Session->read('user'), $alias, 'delete')) {
            if ($this->Product->del($id)) {
                // Remove the product's ACO so its permission entries do not linger
                $aco = $this->Acl->Aco->findByAlias($alias);
                $this->Acl->Aco->delete($aco['Aco']['id']);
                $this->Session->setFlash(__('Product deleted', true));
                $this->redirect(array('action'=>'index'));
            }
        } else {
            $this->Session->setFlash('You cannot delete this product.');
            $this->redirect(array('action'=>'index'));
        }
    }

Save the products controller and try it out. Start by logging out at http://localhost/users/logout, then go back to your products list at http://localhost/products/ and try to edit or delete a product. You should get directed back to the products list with a message.


Figure 14. Failed edit or delete

Now log in as the user dentarthurdent and add a product. Try to edit the product. Then delete it. You should have no trouble.


Figure 15. Successful edit or delete

Log out again at http://localhost/users/logout and log in as a different user. Then try to edit or delete another product, and you will find you are unable to take any meaningful action. While you're here, create a new product, then try to modify or delete the product as another user.
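The manual walkthrough above (logged out, logged in as a registered user, logged in as the creator, then deleting) is easy to turn into an automated check. The following is an added example, not code from the tutorial or from CakePHP: a plain-PHP model of the permission matrix that Listings 17 to 19 enforce, using the same "<id>-<title>" ACO alias convention. The grant table, the user "fordprefect", the product row and the "allowed"/"redirect:index" outcome strings are constructed for this example.

```php
<?php
// Added example, not the tutorial's code: a plain-PHP model of the permission matrix
// the view/edit/delete actions enforce, runnable without CakePHP. The grants,
// the user "fordprefect" and the product row are constructed sample data.
// Deny-by-default grant table keyed "aro|aco|action", standing in for Acl->check().
final class AclTable
{
    private array $grants = [];
    public function allow(string $aro, string $aco, string $action): void
    {
        $this->grants["$aro|$aco|$action"] = true;
    }
    // A visitor with no 'user' in the session ($aro === null) is never granted anything.
    public function check(?string $aro, string $aco, string $action): bool
    {
        return $aro !== null && isset($this->grants["$aro|$aco|$action"]);
    }
    // Stand-in for the Acl->Aco->delete() call: drop every grant on the ACO.
    public function dropAco(string $aco): void
    {
        foreach (array_keys($this->grants) as $key) {
            if (strpos($key, "|$aco|") !== false) { unset($this->grants[$key]); }
        }
    }
    public function grantCount(): int { return count($this->grants); }
}

// Same ACO alias convention as the listings: "<id>-<title>".
function productAlias(array $product): string { return $product['id'] . '-' . $product['title']; }

// The two outcomes the controller has: proceed, or flash a message and redirect to index.
function attempt(AclTable $acl, ?string $user, array $product, string $action): string
{
    return $acl->check($user, productAlias($product), $action) ? 'allowed' : 'redirect:index';
}

function expect(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("FAILED: $what"); } }

$acl = new AclTable();
$product = ['id' => 42, 'title' => 'Towel'];                                          // constructed row
$aco = productAlias($product);
foreach (['dentarthurdent', 'fordprefect'] as $u) { $acl->allow($u, $aco, 'read'); }  // any registered user may view
foreach (['update', 'delete'] as $a) { $acl->allow('dentarthurdent', $aco, $a); }     // only the creator may edit/delete
expect(attempt($acl, null, $product, 'read') === 'redirect:index', 'logged-out view is refused');
expect(attempt($acl, 'fordprefect', $product, 'read') === 'allowed', 'registered user may view');
expect(attempt($acl, 'fordprefect', $product, 'update') === 'redirect:index', 'non-creator cannot edit');
expect(attempt($acl, 'dentarthurdent', $product, 'delete') === 'allowed', 'creator may delete');
$acl->dropAco($aco);
expect($acl->grantCount() === 0, 'no grants survive the deleted product');
```

Because the alias embeds the product title, the ACO created for a product must carry exactly the id-title string the controller computes at check time; any mismatch makes check() return false, so the request fails closed with a redirect rather than open.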
