Home/ Questions/Q 9224879
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T04:26:16+00:00

I have the following situation: multiple views use a content editor that can upload

  • 0

I have the following situation: multiple views use a content editor that can upload files and retrieve a list of previous uploads via AJAX. I end up adding two actions to every controller for this. Instead, I want to have just one common single-purpose EditorController that handles the editor interactions for me.

The problem with this is access rights: I want the EditorController to check whether a request is coming from a valid source (that means a known action the current user has access to). In concrete terms, check that the request is coming from something like ‘/posts/edit/1’ and that this is an action I am allowed to use.

Can this be done? What is a better way to achieve the same result? I currently have the functionality already packaged into a component I reuse. But I still repeat myself adding the same two actions to all my controllers.

Edit: From the comment below I was pointed to http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#restricting-cross-controller-communication. The thing I want to achieve is very similar to SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions, except that I would rather not explicitly whitelist the allowed controllers or actions, but rather have the access right inherited from the caller.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Using the Security component might give you what you want;

    http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html

    [update]
    Although the security component checks if a form posted was a valid form, it does not check if the current user has permissions to access a controller/action.

    For this you’ll need to implement an authorisation system, in combination with access control. This can be a simple ‘access’ controll for certain actions (“is a user logged in?”), or a more granular aproach using access control lists (ACL).

    The cakephp manual has some examples for both. I’ll post some links:

    Authentication
    http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html

    Access Control Lists
    http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html

    And a tutorial on both
    http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
    http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html

    • 0