At the moment I use Auth Component for users to login / logout – ACL is defined to sort between user groups (Guests, Users, Admins) – with obvious restrictions; Admin being able to access everything, the user can only access edit in the users controller and the guest being able to see just the display / index / view etc.
Now to prevent users from editing another user – I have a function called isOwner() which essentially checks if you are trying to edit your own profile; and also checks if it is an admin trying to edit. If the user is the owner of the content they’re trying to edit, then it allows it otherwise it just redirects with a flash message.
Having read through http://book.cakephp.org/view/1245/Defining-Permissions-Cake-s-Database-ACL – I wondered if it was possible to define this in the ACL?
Something along the lines of:
$this->Acl->allow(array('model' => 'User', 'foreign_key' => $id), 'Users', 'edit', $id)
Though I haven’t dug deep enough and I’m assuming I’d have to make some sort of beforeSave() with the above line for each new user registered to be allowed to edit his profile.
[ I’ve decided to post this as an answer because it contains code examples ]
You could create a component (or a function) and use the beforeFilter() callback in the app_controller; that way you won't need to manually add the function to all controllers.
Also you could use multiple prefixes for the actions (see Routing.prefixes in the core); it will make it easier to control the access. Something like:
[app_controller.php]
[users_controller.php]
In a LAMP stack your bottleneck is usually at the database
My problem with cake is the number of queries it makes. Once I saw that my “contact” page made 21 queries only to retrieve the data structure and the permissions for this public page.
The only way to justify the use of ACL for accessing data is when the permissions are dynamic, i.e. “user#29 can edit user#12 because the Admin decided it in the backoffice”. But if you have static rules for accessing the data (like “users can only edit their own info and admins can edit everything”) it's kinda useless to perform queries when you already know the answers, because these rules won’t change in time.
So it all depends on your app. Finally, one last thought: if you’re still planning to make more queries =P you could set the authorize method of the Auth component. But using the ACL Component for this seems to me like a bad idea.
Cheers!
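The static rule the answer describes (admins edit everything, users edit only their own profile) written as an added example that is not code from either post: a CakePHP 1.3 AppController using the Auth component's 'controller' authorize mode and the 'admin' routing prefix instead of database ACL, so no extra permission queries run per request. Assumed names: a users.role column holding 'admin' or 'user', and Configure::write('Routing.prefixes', array('admin')) in config/core.php.

```php
<?php
// Added example (not from the original posts). CakePHP 1.3 app_controller.php:
// enforce "admins edit everything, users edit only themselves" with Auth's
// controller-based authorization instead of the Acl component.
class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        // Auth will call this controller's isAuthorized() for every action
        // that is not whitelisted below; no ACL tables are consulted.
        $this->Auth->authorize = 'controller';
        $this->Auth->userModel = 'User';
        // Guests may read; everything else requires a login and passes through isAuthorized().
        $this->Auth->allow('display', 'index', 'view');
    }

    // Return true to grant, false to deny (Auth then redirects with a flash).
    function isAuthorized() {
        // Assumption: users.role is 'admin' or 'user'; adapt if you use a Group model.
        $isAdmin = ($this->Auth->user('role') === 'admin');

        // Only admins may reach admin_* actions (the 'admin' routing prefix).
        if (!empty($this->params['prefix']) && $this->params['prefix'] === 'admin') {
            return $isAdmin;
        }
        if ($isAdmin) {
            return true;            // static rule: admin can do anything
        }
        // Regular users: the only restricted action they may use is editing their own row.
        if ($this->name === 'Users' && $this->action === 'edit') {
            return $this->isOwner();
        }
        return false;               // deny by default (least privilege)
    }

    // Ownership check: compare the id in the URL with the logged-in user's id.
    // Uses only the session, so it costs no database query.
    function isOwner() {
        $id = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;
        if ($id === null) {
            return false;           // no id supplied: never assume ownership
        }
        return ((string)$id === (string)$this->Auth->user('id'));
    }
}
```

Child controllers that define their own beforeFilter() must call parent::beforeFilter() or the authorize setting is never applied.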