How to get permissions in cakePHP

Question

First, sorry for my language skills, I am not used to writing in English. ;)
I'm trying to develop my first cakePHP application.

What I'm trying to do:

Users are in groups and groups have access to different locations.
Users can add reservations for this locations.

So my main problem is to find the best way to get the permissions of the user:

The user should only see the locations on which he has access.
If a user tries to add a reservation for a location, I have to check his permission for this location.
etc.

I also have moderators and admins, but I think this is a similar problem.

So, how can I do this properly? The ACL doesn't seem to be the right way - in most tutorials it controls the access to actions, not to db-rows.

What my Database looks like:
I have a user table and use the AuthComponent to manage the authentication. This works fine.

CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(64) NOT NULL,
  `password` varchar(64) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  `created` datetime NOT NULL,
  `modified` datetime NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`)
)

I have a groups table for usergroups.

CREATE TABLE IF NOT EXISTS `groups` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(64) NOT NULL,
  `created` datetime NOT NULL,
  `modified` datetime NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `name` (`name`)
)


CREATE TABLE IF NOT EXISTS `groups_users` (
  `group_id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  UNIQUE KEY `group_id` (`group_id`,`user_id`)
)

And I have my locations.

CREATE TABLE IF NOT EXISTS `locations` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(64) NOT NULL,
  `adress` text NOT NULL,
  `description` text,
  `created` datetime DEFAULT NULL,
  `modified` datetime DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `name` (`name`)
)

The table contains the permissions, which group has access to which location.

CREATE TABLE IF NOT EXISTS `groups_locations` (
  `group_id` int(11) NOT NULL,
  `location_id` int(11) NOT NULL,
  UNIQUE KEY `group_id` (`group_id`,`location_id`)
)

Of course the reservations table:

CREATE TABLE IF NOT EXISTS `reservations` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `location_id` int(11) NOT NULL,
  `start` date NOT NULL,
  `end` date NOT NULL,
  `user_id` int(11) NOT NULL,
  `created` datetime DEFAULT NULL,
  `modified` datetime DEFAULT NULL,
  PRIMARY KEY (`id`)
)

THX

Tim Joyce · Answer 1 · 2011-03-15T19:01:37.213

Are you sure that you need the groups_users table? Wouldn't each user only be able to belong to one group?

You will be able to accomplish this much easier if you just bring the group id into the users table as a foreign key

    CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(64) NOT NULL,
  `password` varchar(64) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  `created` datetime NOT NULL,
  `modified` datetime NOT NULL,
  `group_id` int(11) NOT NULLL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`)
)

Then you can send to the view whether or not the user should be able to see certain information...

in your app_controller.php add the following

function beforeFilter(){
    $this->set('users_role', $this->Auth->user('group_id'));
}

Now you will have a variable accessable by your view which will be $users_role... then you can perform the following in your view.

<?php if($users_role == 1 ): ?>
    //show records available to admins
<?php elseif ($users_role == 2): ?>
    //show records available to logged in users
<?php else : ?>
    //show records for all users
<?php endif; ?>

Yes unfortunately I need the `groups_users` table. – Telokar Mar 16 '11 at 12:33 — Telokar, Mar 16 '11 at 12:33

score 0 · Accepted Answer · answered Mar 16 '11 at 12:39

0

Maybe I have a solution - I could use some feedback:

After the user logged in, I save the permissions in his Session-Variables:

    function login() {
        if($user = $this->Auth->user()) {       
            $this->User->unbindModel(array(
                    'hasMany' => array('Reservation'),
            ));
            $user = $this->User->find('first', array('conditions' => array('id' => $user['User']['id']), 'recursive' => 2));
            $this->Session->write('Auth.User.Group', $user['Group']);
    }

I'm not sure how secure this solution is and permission changes only affects after logout, but it seems to work fine.

answered Mar 16 '11 at 12:39

Telokar

33
1
8

It's still a bit unclear. What are you trying to restrict? certain parts of a view file? or will you have seperate view files based on the user->group that logs in? – Tim Joyce Mar 16 '11 at 14:48
I'm trying to restrict access to actions depending on their parameters. For example: Group A has access to location 1 and 3 but not to location 2. If a user in group A tries to access domain.tld/location/view/1 he get access to it. If he tries to access domain.tld/location/view/2 the access should be denied. Same procedure for domain.tld/reservation/add/location:2. So my main problem is (or was) how to access the user permission from different controllers without loading unnecessary db-tables. – Telokar Mar 16 '11 at 15:13
So setting the variable in your app_controller and sending it to the view should work then... – Tim Joyce Mar 16 '11 at 16:35

How to get permissions in cakePHP

2 Answers2