
I have the following situation: multiple views use a content editor that can upload files and retrieve a list of previous uploads via AJAX. I end up adding two actions to every controller for this. Instead, I want to have just one common single-purpose EditorController that handles the editor interactions for me.

The problem with this is access rights: I want the EditorController to check whether a request is coming from a valid source (that means a known action the current user has access to). In concrete terms, check that the request is coming from something like '/posts/edit/1' and that this is an action I am allowed to use.

Can this be done? What is a better way to achieve the same result? I currently have the functionality already packaged into a component I reuse. But I still repeat myself adding the same two actions to all my controllers.

Edit: From the comment below I was pointed to http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#restricting-cross-controller-communication. The thing I want to achieve is very similar to SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions, except that I would rather not explicitly whitelist the allowed controllers or actions, but rather have the access right inherited from the caller.

1 Answer


Using the Security component might give you what you want:

http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html

[update] Although the security component checks if a form posted was a valid form, it does not check if the current user has permissions to access a controller/action.

For this you'll need to implement an authorisation system, in combination with access control. This can be a simple 'access' control for certain actions ("is a user logged in?"), or a more granular approach using access control lists (ACL).

The CakePHP manual has some examples for both. I'll post some links:

Authentication http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html

Access Control Lists http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html

And a tutorial on both http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html

thaJeztah
  • Thank you for the link. The basic idea seems to be that of `SecurityComponent::$allowedControllers` and `SecurityComponent::$allowedActions`, but I would rather not specify each individual controller and action that has access. A basic "if the request comes from a good place, proceed" thing would be more suitable here. –  Feb 03 '13 at 00:38
  • You can add the code in the beforeFilter() action of your AppController, then it will be automatically inherited by all Controllers. But I'm really wondering if you need this. It sounds more like you'll need proper authentication/access control in place. Then only logged-in users can perform an action. The security component can then be used to make sure the forms have not been tampered with, but access control takes care of the rest. I've added some information to my answer – thaJeztah Feb 03 '13 at 10:25
  • Thank you for the extensive reply. It seems that a mix of Security and ACL will do what I have in mind. –  Feb 03 '13 at 16:24
  • @nic Good luck on your project. Take your time and experiment with the various options, ACL can become quite complex, if you don't need all its options, the simpler authentication/access control may be enough for your application and you can always 'switch' to ACL in the future if requirements change – thaJeztah Feb 03 '13 at 16:27
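The approach the answer and the comments converge on (Auth/authorization set up once in AppController and inherited by every controller, with the Security component layered on top), as an added CakePHP 2.x example that is not code from the original question or answer. It authorizes the shared editor actions on the identity and role of the logged-in user rather than on where the request claims to come from, because the Referer header is supplied by the client and cannot be relied on as an access check. The `EditorController` actions `upload` and `uploads`, the `Upload` model, the `role` column on the users table and the `admin`/`author` role names are all assumptions made for the example.

```php
<?php
// app/Controller/AppController.php (added example, not from the original thread)
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'RequestHandler',
        'Auth' => array(
            'loginAction' => array('controller' => 'users', 'action' => 'login'),
            'authenticate' => array('Form'),
            // 'Controller' authorize delegates the decision to each
            // controller's isAuthorized(); every subclass inherits this setup.
            'authorize' => array('Controller'),
        ),
        // Security component: CSRF tokens plus form-tampering checks.
        'Security' => array('csrfUseOnce' => false),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Nothing is public by default; a controller that needs an open action
        // calls $this->Auth->allow('actionName') in its own beforeFilter().
    }

    public function isAuthorized($user) {
        // Default rule inherited by every controller: only admins pass.
        // 'role' is an assumed column on the users table.
        return isset($user['role']) && $user['role'] === 'admin';
    }
}

// app/Controller/EditorController.php (added example; model and action names are assumptions)
App::uses('AppController', 'Controller');

class EditorController extends AppController {

    public $uses = array('Upload'); // hypothetical model backing the upload list

    public function beforeFilter() {
        parent::beforeFilter();
        // An AJAX multipart upload is not a CakePHP-generated form, so the
        // field-tampering check would black-hole it. Disable only that check
        // for the upload action; CSRF token validation stays on.
        if ($this->request->action === 'upload') {
            $this->Security->validatePost = false;
        }
    }

    public function isAuthorized($user) {
        if (parent::isAuthorized($user)) {
            return true; // admins, via the inherited rule
        }
        // Authenticated users with the (assumed) 'author' role may use the
        // editor endpoints; any other action on this controller is denied.
        $editorActions = array('upload', 'uploads');
        return in_array($this->request->action, $editorActions, true)
            && isset($user['role']) && $user['role'] === 'author';
    }

    public function upload() {
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        $file = $this->request->data('Upload.file'); // assumed form field name
        if (empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
            throw new BadRequestException('No file uploaded');
        }
        // Record the upload against the authenticated user; only the basename
        // of the client-supplied filename is kept, never a path.
        $this->Upload->create();
        $saved = $this->Upload->save(array(
            'user_id' => $this->Auth->user('id'),
            'name' => basename($file['name']),
        ));
        $this->set('result', $saved ? 'ok' : 'error');
        $this->set('_serialize', array('result'));
    }

    public function uploads() {
        // Each user only ever sees their own previous uploads.
        $uploads = $this->Upload->find('all', array(
            'conditions' => array('Upload.user_id' => $this->Auth->user('id')),
        ));
        $this->set(compact('uploads'));
        $this->set('_serialize', array('uploads'));
    }
}
```

With `Router::parseExtensions('json')` in `app/Config/routes.php`, the `_serialize` view variable makes RequestHandler render both actions as JSON for the editor's AJAX calls. The point of the split is that no controller has to whitelist callers: `AppController::isAuthorized()` is the inherited default, and `EditorController` narrows it for its own two actions based on who the user is, which is the "inherited access right" the question asks about, expressed in terms the server can actually verify.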