CakePHP 2.0 row/record-level ACL

Views: 96

Question



I am messing around with CakePHP 2.0's access lists; so far I have created a very simple example following the documentation.

I have set up a users table and the most important functions like index, add, login etc., and it is related to a groups table (every user belongs to a group).

I've also created a "houses" table which contains different contents (houses).

Then I've set up auth in combination with the ACL component in crud mode, including the aco and aro tree.

So far so good, everything is working so far; I can allow or deny single actions for every user. But I want further access control, so that for instance a user can manage only a specific house. So I've set up an aco for every house, allowed only read access to the houses to the user and allowed update access only for the desired house. But it won't work! No matter what I do, I don't get access to the edit action. Here are my trees:

Aco:
[1] Houses
  [5] House.1
  [6] House.2
[2] Users

Aro:
[1] superadmin
  [4] User.1
[1] admin
  [5] User.2
  [7] User.4
[3] customer
  [6] User.3

And finally the aros_acos table:

id  aro_id  aco_id  _create  _read  _update  _delete
 4       1       1        1      1        1        1
 5       1       2        1      1        1        1
 6       2       1        1      1        1        1
 7       3       1        0      1        0        0
 8       7       1       -1      1        1       -1
 9       7       5        1      1        1        1

Fact is, that, if i try to do a quick check with:

var_dump($this->Acl->check(
    array('model' => 'User', 'foreign_key' => 4),
    array('model' => 'House', 'foreign_key' => 1),
    'update'
));

It gives back true!

Strange... Am I doing something wrong? Is there any way to decently debug the ACL component (with information on which acos and aros the component is checking, etc.)?

Solution

Based on your aro_aco table, it looks like this is correct behavior. User.4 belongs to the admins group, which has update permission set to true in row 8. You have a rule in row 8 specifically for User.4, but you have granted update permission specifically to that user in that row. It appears that the ACL rules are working exactly as you have them set up. To prevent User.4 from using the update permission, run this at the cake command line to update your rules for User.4:

cake acl deny User.4 House.1 update

It should then return false when you run a check:

cake acl check User.4 House.1 update

EDIT

I'm going to attempt to revise this based on comments left below. I think that you may still be setting up the rules incorrectly. I am going to use the command line examples (because it's easier to both type and to do in practice), but you can just as easily write the PHP to do this. My examples below also focus on admin, but you could use them for the superadmin and users groups too.

First, deny everything to admins since we want to grant permissions individually:

cake acl deny admin Houses all

Then, grant the read only permission to admin so they can all read Houses:

cake acl grant admin Houses read

Lastly, grant the update permission to the specific user that gets update privileges:

cake acl grant User.4 Houses.1 update

These permissions should allow User.4 to read and update the House record. Keep in mind that if you have already created deny or allow records for User.4 then this example may not work. You may want to truncate your aco_aro table and start over since it's small at this point.

If all acl checks work, but the behavior is still incorrect, then you may have an issue with how the ACL component is authorizing an action. You may have to tweak those settings in $beforeFilter or your $components array.
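The three command-line steps above, written as the PHP the answer mentions. This is an added example, not code from the question or the answer; it assumes the ARO/ACO nodes from the question exist with the aliases 'admin', 'User.2', 'User.4', 'Houses', 'House.1' and 'House.2' (House.1 as in the question's ACO tree, where the answer's command says Houses.1), and it adds checks on a second house and a second user so the group grant and the row-level grant can be told apart.

```php
<?php
// Added example, not code from the question or the answer: the answer's three
// cake acl commands expressed through CakePHP 2.x's AclComponent, followed by
// checks that show the resulting row-level access. Assumes the ARO/ACO nodes
// from the question exist with the aliases 'admin', 'User.2', 'User.4',
// 'Houses', 'House.1' and 'House.2' (aliases are an assumption here).
App::uses('AppShell', 'Console/Command');
App::uses('ComponentCollection', 'Controller');
App::uses('AclComponent', 'Controller/Component');

class HouseAclShell extends AppShell {

	public $Acl;

	public function startup() {
		parent::startup();
		// Same bootstrap the built-in AclShell uses to obtain an AclComponent
		$this->Acl = new AclComponent(new ComponentCollection());
	}

	// Apply the answer's rules: deny all to the group, grant read to the
	// group, then grant update on one record to one user.
	public function applyRules() {
		$this->Acl->deny('admin', 'Houses', '*');         // cake acl deny admin Houses all
		$this->Acl->allow('admin', 'Houses', 'read');     // cake acl grant admin Houses read
		$this->Acl->allow('User.4', 'House.1', 'update'); // cake acl grant User.4 House.1 update
	}

	// Checks that separate the group-wide read from the per-record update
	public function runChecks() {
		$cases = array(
			array('User.4', 'House.1', 'read'),
			array('User.4', 'House.1', 'update'),
			array('User.4', 'House.2', 'update'),
			array('User.4', 'House.1', 'delete'),
			array('User.2', 'House.1', 'update'),
		);
		$results = array();
		foreach ($cases as $case) {
			list($aro, $aco, $action) = $case;
			$results["$aro $action $aco"] = $this->Acl->check($aro, $aco, $action);
		}
		return $results;
	}

	public function main() {
		$this->applyRules();
		foreach ($this->runChecks() as $label => $allowed) {
			$this->out($label . ': ' . ($allowed ? 'allowed' : 'denied'));
		}
	}
}
```

Save it as Console/Command/HouseAclShell.php and run Console/cake house_acl from the app directory. If the ARO nodes carry no alias, pass array('model' => 'User', 'foreign_key' => 4) in place of 'User.4', as the question's var_dump check does.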
