CakePHP ACL and other challenges

Written by James McDonald

June 7, 2015

If you have implemented ACL in CakePHP and then add an action to a controller, or create a new controller with its own actions, you will be locked out when you try to access it (unless access has been granted further up the ACO tree, in which case the new action inherits it). A new action has no node in the acos table until you sync, and an ACO with no permission on its path is denied by default.

First, run aco_sync from the AclExtras plugin (this adds the new controllers and actions to the acos table):

Console/cake AclExtras.AclExtras aco_sync

These are the Access Request Objects (AROs). I have linked my users to the groups table so that the permissions are applied to the groups.

jmitsmbp01:mio jmcd$ Console/cake acl view aro

Welcome to CakePHP v2.6.3 Console
---------------------------------------------------------------
App : mio
Path: /Applications/AMPPS/www/cakephp-mio/mio/
---------------------------------------------------------------
Aro tree:
---------------------------------------------------------------
  [1] Administrators
  [2] Map Admins
  [3] Map Viewers
---------------------------------------------------------------

These are the Access Control Objects (ACOs):

jmitsmbp01:mio jmcd$ Console/cake acl view aco

Welcome to CakePHP v2.6.3 Console
---------------------------------------------------------------
App : mio
Path: /Applications/AMPPS/www/cakephp-mio/mio/
---------------------------------------------------------------
Aco tree:
---------------------------------------------------------------
  [1] controllers
    [2] Addresses <=== This is a Controller
      [3] deleted <== These are the actions
      [4] import
      [5] export
      [6] update_enc
    .... # snippage
    [88] Upload
    [95] Menus
      [96] index
      [97] move_up
      [98] move_down
      [99] build_menu
      [100] view
      [101] add
      [102] edit
      [103] delete
    [104] DebugKit
      [105] ToolbarAccess
        [106] history_state
        [107] sql_explain
---------------------------------------------------------------

In order for an Access Request Object to get access to an Access Control Object

The aros table:

mysql> select * from aros;
+----+-----------+-------+-------------+----------------+------+------+
| id | parent_id | model | foreign_key | alias          | lft  | rght |
+----+-----------+-------+-------------+----------------+------+------+
|  1 |      NULL | Group |           4 | Administrators |    1 |    2 |
|  2 |      NULL | Group |           5 | Map Admin      |    3 |    4 |
|  3 |      NULL | Group |           6 | Map Viewers    |    5 |    6 |
+----+-----------+-------+-------------+----------------+------+------+

Part of the acos table:

mysql> select * from acos LIMIT 15;
+----+-----------+-------+-------------+-------------+------+------+
| id | parent_id | model | foreign_key | alias       | lft  | rght |
+----+-----------+-------+-------------+-------------+------+------+
|  1 |      NULL | NULL  |        NULL | controllers |    1 |  208 |
|  2 |         1 | NULL  |        NULL | Addresses   |    2 |   21 |
|  3 |         2 | NULL  |        NULL | deleted     |    3 |    4 |
|  4 |         2 | NULL  |        NULL | import      |    5 |    6 |
|  5 |         2 | NULL  |        NULL | export      |    7 |    8 |
|  6 |         2 | NULL  |        NULL | update_enc  |    9 |   10 |
|  7 |         2 | NULL  |        NULL | index       |   11 |   12 |
|  8 |         2 | NULL  |        NULL | view        |   13 |   14 |
|  9 |         2 | NULL  |        NULL | add         |   15 |   16 |
| 10 |         2 | NULL  |        NULL | edit        |   17 |   18 |
| 11 |         2 | NULL  |        NULL | delete      |   19 |   20 |
| 12 |         1 | NULL  |        NULL | AssignedTos |   22 |   33 |
| 13 |        12 | NULL  |        NULL | index       |   23 |   24 |
| 14 |        12 | NULL  |        NULL | view        |   25 |   26 |
| 15 |        12 | NULL  |        NULL | add         |   27 |   28 |
+----+-----------+-------+-------------+-------------+------+------+
15 rows in set (0.00 sec)

Now here is the section I'm putting in so that in 12 months' time I can check and grant permissions.

jmitsmbp01:mio jmcd$ Console/cake acl check "Map Viewers" controllers/Menus/index

Welcome to CakePHP v2.6.3 Console
---------------------------------------------------------------
App : mio
Path: /Applications/AMPPS/www/cakephp-mio/mio/
---------------------------------------------------------------
Map Viewers is not allowed.

jmitsmbp01:mio jmcd$ Console/cake acl check "Map Viewers" controllers/Maps/view_maps

Welcome to CakePHP v2.6.3 Console
---------------------------------------------------------------
App : mio
Path: /Applications/AMPPS/www/cakephp-mio/mio/
---------------------------------------------------------------
Map Viewers is allowed.

Granting access:

jmitsmbp01:mio jmcd$ Console/cake acl grant "Map Admin" controllers/Menus/build_menu

Welcome to CakePHP v2.6.3 Console
---------------------------------------------------------------
App : mio
Path: /Applications/AMPPS/www/cakephp-mio/mio/
---------------------------------------------------------------
Permission granted.
You can also identify the ARO by model and foreign key instead of by alias (Group.6 is Map Viewers in the aros table above), e.g.
Console/cake acl check Group.6 controllers/Menus/build_menu
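As an added example (not from the original post, and not CakePHP's own code), here is a small Python model of what `acl check` is doing underneath. CakePHP 2's Permission::check() looks up the ARO and ACO nodes, takes each one's path to the root from the nested-set tables above (a node's ancestors are the rows whose lft/rght enclose its own, which is why both tables carry those columns), and then walks the aros_acos permission rows for those ARO/ACO pairs, most specific first: a -1 flag is an explicit deny, 1 is allow, 0 is unset, and if nothing on the path matches the answer is "not allowed". The aros rows are the ones in the aros table (so the second group is "Map Admin", as the table and the grant command spell it); the acos rows are a subset of the aco tree with the page's ids, plus constructed rows 200-202 for the Maps controller that the check commands reference but the listing snips, and an assumed action export_kml standing in for something added to that controller later and picked up by aco_sync. The grants in demo() are constructed to reproduce the check and grant results shown above. Beyond reproducing them, it shows three things worth keeping in mind when granting: an action that has not been aco_sync'ed has no node and is denied outright (the lock-out at the top of the post), a controller-level grant silently covers every action synced under that controller later, and an `acl grant ... read` on its own does not pass the console's default check, because that check (like AuthComponent's ActionsAuthorize) asks for all four CRUD flags.

```python
from collections import defaultdict

PERM_KEYS = ("_create", "_read", "_update", "_delete")

class NestedSet:
    """Tree stored the way aros/acos store it: parent_id plus lft/rght per row,
    so a node's ancestors are exactly the rows whose bounds enclose its own."""
    def __init__(self, rows):  # rows: (id, parent_id, alias); lft/rght are recomputed
        self.rows = {i: {"id": i, "parent_id": p, "alias": a} for i, p, a in rows}
        kids = defaultdict(list)
        for i, p, _ in rows:
            kids[p].append(i)
        self._n = 1
        for root in kids[None]:
            self._number(root, kids)

    def _number(self, i, kids):  # depth-first numbering, as `cake acl recover` rebuilds it
        self.rows[i]["lft"], self._n = self._n, self._n + 1
        for c in kids[i]:
            self._number(c, kids)
        self.rows[i]["rght"], self._n = self._n, self._n + 1

    def node(self, path):
        """Resolve 'controllers/Menus/index' alias by alias, starting at a root."""
        parent = None
        for alias in path.split("/"):
            row = next((r for r in self.rows.values()
                        if r["alias"] == alias and r["parent_id"] == parent), None)
            if row is None:
                raise KeyError(f"no ACL node for {path!r}")
            parent = row["id"]
        return row

    def path(self, row):
        """Ancestors-or-self, most specific first (CakePHP: ORDER BY lft DESC)."""
        return sorted((r for r in self.rows.values()
                       if r["lft"] <= row["lft"] and r["rght"] >= row["rght"]),
                      key=lambda r: r["lft"], reverse=True)

class DbAcl:
    """Mirrors Permission::allow()/deny()/check(): one aros_acos row per
    (aro_id, aco_id) pair, each CRUD flag in {1 allow, 0 unset, -1 deny}."""
    def __init__(self, aros, acos):
        self.aros, self.acos, self.aros_acos = aros, acos, {}

    def allow(self, aro, aco, action="*", value=1):  # value=-1 is what `acl deny` writes
        key = (self.aros.node(aro)["id"], self.acos.node(aco)["id"])
        perm = self.aros_acos.setdefault(key, dict.fromkeys(PERM_KEYS, 0))
        perm.update(dict.fromkeys(PERM_KEYS if action == "*" else ("_" + action,), value))

    def deny(self, aro, aco, action="*"):
        self.allow(aro, aco, action, value=-1)

    def check(self, aro, aco, action="*"):
        try:
            aro_path = self.aros.path(self.aros.node(aro))                   # most specific first
            aco_ids = [r["id"] for r in self.acos.path(self.acos.node(aco))]  # most specific first
        except KeyError:
            return False  # no such node, e.g. an action not yet aco_sync'ed: the lock-out above
        keys = PERM_KEYS if action == "*" else ("_" + action,)  # '*' is what ActionsAuthorize asks
        granted = set()
        for aro_row in aro_path:
            for aco_id in aco_ids:
                for k, v in self.aros_acos.get((aro_row["id"], aco_id), {}).items():
                    if k in keys and v == -1:
                        return False      # an explicit deny anywhere on the path wins
                    if k in keys and v == 1:
                        granted.add(k)
                if len(granted) == len(keys):
                    return True           # every requested flag allowed somewhere on the path
        return False                      # no matching row: deny by default

# aros as in the table above; acos is a subset of the tree above (page ids kept) plus
# constructed rows 200-202 (the Maps controller is snipped from the listing; export_kml is
# an assumed action added later and picked up by aco_sync). demo()'s grants are constructed too.
AROS = [(1, None, "Administrators"), (2, None, "Map Admin"), (3, None, "Map Viewers")]
ACOS = [(1, None, "controllers"),
        (95, 1, "Menus"), (96, 95, "index"), (99, 95, "build_menu"), (103, 95, "delete"),
        (104, 1, "DebugKit"), (105, 104, "ToolbarAccess"), (107, 105, "sql_explain"),
        (200, 1, "Maps"), (201, 200, "view_maps"), (202, 200, "export_kml")]

def demo():
    acl = DbAcl(NestedSet(AROS), NestedSet(ACOS))
    acl.allow("Administrators", "controllers")              # root grant: everything, DebugKit included
    acl.allow("Map Admin", "controllers/Maps")              # controller-level grant
    acl.allow("Map Admin", "controllers/Menus/build_menu")  # the `acl grant` run above
    acl.allow("Map Viewers", "controllers/Menus", "read")   # `acl grant ... read` sets only _read
    inherited = acl.check("Map Admin", "controllers/Maps/export_kml")  # True: covered by the Maps grant
    acl.deny("Map Admin", "controllers/Maps/export_kml")    # explicit deny below the allowed controller
    return {
        "viewers_menus_index": acl.check("Map Viewers", "controllers/Menus/index"),       # False
        "viewers_menus_index_read": acl.check("Map Viewers", "controllers/Menus/index", "read"),  # True
        "admin_build_menu": acl.check("Map Admin", "controllers/Menus/build_menu"),       # True
        "admin_menus_delete": acl.check("Map Admin", "controllers/Menus/delete"),         # False
        "admin_unsynced": acl.check("Map Admin", "controllers/Maps/not_synced_yet"),      # False
        "admin_export_kml": (inherited, acl.check("Map Admin", "controllers/Maps/export_kml")),  # (True, False)
        "debugkit": acl.check("Administrators", "controllers/DebugKit/ToolbarAccess/sql_explain"),  # True
    }
```

demo() returns the outcomes; the two the console printed above, Map Viewers not allowed on controllers/Menus/index and Map Admin allowed on controllers/Menus/build_menu after the grant, come out the same way here. The practical reading: grant at the action level where you can, because a grant at controllers/ or at a controller node is inherited by everything synced beneath it (DebugKit's toolbar actions included once that plugin is in the aco tree), and put an explicit deny on the specific node when a group must not inherit an action from a grant above it.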

