Archive for the ‘ACL’ Category


CakePHP Console ACL Help File

Sunday, March 22nd, 2009

Every now and then I want to view my help files in pretty, formatted HTML instead of plain text in a text editor or terminal window. Right now I’m working on setting up some Access Control Lists (ACL) in the CakePHP Console. ACL is a powerful, yet sometimes hard-to-grasp concept. I always figure that if I want a resource like this, there has to be someone else out there who does, so for your reference and mine, here it is. (By the way, to get to this from the console, simply type cake acl help.)

Usage: cake acl <command> <arg1> <arg2>...
-----------------------------------------------
Commands:

create aro|aco <parent> <node>
Creates a new ACL object <node> under the parent specified by <parent>, an id/alias.
The <parent> and <node> references can be in one of the following formats:

  • - <model>.<id> – The node will be bound to a specific record of the given model
  • - <alias> – The node will be given a string alias (or path, in the case of <parent>), i.e. ‘John’.  When used with <parent>, this takes the form of an alias path, i.e. <group>/<subgroup>/<parent>.

To add a node at the root level, enter ‘root’ or ‘/’ as the <parent> parameter.

delete aro|aco <node>
Deletes the ACL object with the given <node> reference (see ‘create’ for info on node references).

setParent aro|aco <node> <parent>
Moves the ACL object specified by <node> beneath the parent ACL object specified by <parent>.
To identify the node and parent, use the row id.

getPath aro|aco <node>
Returns the path to the ACL object specified by <node>. This command is useful in determining the inhertiance of permissions for a certain object in the tree.
For more detailed parameter usage info, see help for the ‘create’ command.

check <aro_id> <aco_id> [<aco_action>] or all
Use this command to check ACL permissions.
For more detailed parameter usage info, see help for the ‘create’ command.

grant <aro_id> <aco_id> [<aco_action>] or all
Use this command to grant ACL permissions. Once executed, the ARO specified (and its children, if any) will have ALLOW access to the specified ACO action (and the ACO’s children, if any). For more detailed parameter usage info, see help for the ‘create’ command.

deny <aro_id> <aco_id> [<aco_action>]or all
Use this command to deny ACL permissions. Once executed, the ARO specified (and its children, if any) will have DENY access to the specified ACO action (and the ACO’s children, if any). For more detailed parameter usage info, see help for the ‘create’ command.

inherit <aro_id> <aco_id> [<aco_action>]or all
Use this command to force a child ARO object to inherit its permissions settings from its parent. For more detailed parameter usage info, see help for the ‘create’ command.

view aro|aco [<node>]
The view command will return the ARO or ACO tree. The optional id/alias parameter allows you to return only a portion of the requested tree. For more detailed parameter usage info, see help for the ‘create’ command.

initdb
Uses this command : cake schema run create DbAcl

help [<command>]
Displays this help message, or a message on a specific command.

The ‘create’ help file

Usage: cake acl <command> <arg1> <arg2>…
-----------------------------------------------

  • Commands:
    • create aro|aco <parent> <node>
      • Creates a new ACL object <node> under the parent specified by <parent>, an id/alias. The <parent> and <node> references can be in one of the following formats:
        • - <model>.<id> – The node will be bound to a specific record of the given model
        • - <alias> – The node will be given a string alias (or path, in the case of <parent>), i.e. ‘John’.  When used with <parent>, this takes the form of an alias path, i.e. <group>/<subgroup>/<parent>. To add a node at the root level, enter ‘root’ or ‘/’ as the <parent> parameter.

And We’re Back!

Monday, September 22nd, 2008

I have been so incredibly busy the last few months that aside from 140-character Twitter updates, I haven’t been able to keep this blog updated with my exploits.

If you are still paying attention, I was complaining about ACL. After several attempts, I gave up using the built-in ACL component in CakePHP and just decided to keep things simple and use the Auth component with role-based access control. Problem solved.

The development of the application has progressed smoothly since getting over that hurdle.

In the meantime, I’ve been setting up my own virtual server for hosting websites for my freelance clients. That has been a learning experience in itself. I’ll post more about that as I formally launch that service.

I’m also way behind on podcasts for the Minneapoliscast podcast. I hope to resume that at a modest pace this fall.

More later as all of my respective projects get updates including SVN info on my CakePHP app.

Wow. ACL is Hard

Friday, June 20th, 2008

That is Access Control Lists. I’ve been developing with CakePHP this spring and summer and it was all going very well until I actually needed to control access to the application. It’s not even that CakePHP falls short here. There are apparently tons of built-in tools for managing access. They’re just poorly documented and the community is relatively new so no one has built a complete plug-in. If you’re looking for a solution like I was, I’m afraid I’m not going to give you the best answer here. I did find something that works, so read on. Especially if you’re learning ACL or Modified Preorder Tree Traversal Algorithm (MPTTA) for the first time.

Disclosure: I’m not formally trained as a programmer/developer. Everything I’ve learned, I’ve taught myself. So there are definitely some silos in my knowledge as I’ve learned things on the basis of necessity. I have, however, been developing in PHP for over six years. So it’s not all that bad.

So the learning curve for implementing ACL has been relatively steep for me. First, I had to get my head around the concept. The big picture is easy. What we’re after is a tree of access with ‘admin’ at the root and everything else branching off from that with diminishing access. That’s not hard to conceptualize. What is hard is putting that into practice.

I messed around with this for a long time before stumbling upon this tutorial about the Modified Preorder Tree Traversal Algorithm. Stop now. Read it. Come back.

Now you should understand the concepts that drive CakePHP’s ACL. Unfortunately here is also where we depart from using CakePHP’s tools. At least until a decent plug-in comes along that allows you to manage Access Request Objects (ARO) and Access Control Objects (ACO) via a good, web-based interface.
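A simplified model of those concepts, added here as an example (it is not CakePHP's code or the author's): MPTT lft/rght values give a node's path, and a permission check walks the ARO and ACO paths upward until it meets an explicit allow or deny. The sample trees, the function names and the deny-by-default, nearest-setting-wins rule are assumptions of this model.

```python
# Constructed sample trees stored the MPTT way: alias -> (lft, rght).
AROS = {"Admins": (1, 6), "Editors": (2, 5), "John": (3, 4)}
ACOS = {"site": (1, 8), "posts": (2, 5), "drafts": (3, 4), "users": (6, 7)}
ACTIONS = ("create", "read", "update", "delete")
PERMS = {}  # (aro, aco) -> {action: 1 allow, -1 deny, 0 inherit}


def get_path(tree, alias):
    """Root-to-node path: ancestors are the rows whose lft/rght interval encloses the node's."""
    lft, rght = tree[alias]
    enclosing = [(l, a) for a, (l, r) in tree.items() if l <= lft and r >= rght]
    return [a for _, a in sorted(enclosing)]


def set_perm(aro, aco, value, action="all"):
    """Models grant (1), deny (-1) and inherit (0) on one ARO/ACO pair."""
    row = PERMS.setdefault((aro, aco), dict.fromkeys(ACTIONS, 0))
    for name in ACTIONS if action == "all" else (action,):
        row[name] = value


def check(aro, aco, action):
    """Deny by default; the nearest explicit setting on the two paths decides."""
    for r in reversed(get_path(AROS, aro)):      # the ARO itself, then its parents
        for c in reversed(get_path(ACOS, aco)):  # the ACO itself, then its parents
            value = PERMS.get((r, c), {}).get(action, 0)
            if value:                            # 0 = inherit: keep walking up
                return value == 1
    return False


def demo():
    PERMS.clear()
    results = {"before any grant": check("John", "users", "read")}
    set_perm("Admins", "site", 1)                # like: grant Admins site all
    results["after grant at root"] = check("John", "users", "read")
    set_perm("Editors", "posts", -1, "delete")   # like: deny Editors posts delete
    results["child ARO, child ACO denied"] = check("John", "drafts", "delete")
    results["parent ARO unaffected"] = check("Admins", "drafts", "delete")
    set_perm("John", "posts", -1, "read")        # like: deny John posts read
    results["explicit deny on John"] = check("John", "drafts", "read")
    set_perm("John", "posts", 0, "read")         # like: inherit John posts read
    results["after inherit"] = check("John", "drafts", "read")
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```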

After many attempts with various solutions that are currently available, I finally settled on Authake.

Pros:

  • Works in CakePHP 1.2
  • User, ARO & ACO administration is a snap
  • Access control works immediately without modifying anything you’ve built in your app.

Cons:

  • Installation requires you replace the entire CakePHP engine with Authake’s modified version. This will make upgrading CakePHP a lot harder.
  • The developer has abandoned it in favor of developing in RoR. No hope for future versions unless the community continues development. Personally, I’d prefer a plug-in like Jeff Loiselle’s ACL Management Plugin that I could just drop right into app/plugins without replacing the entire installation. (The issues I have with Jeff’s are all listed on his “Known Bugs” list. Namely, “does not show inherited permissions, does not show full path in finder & does not have crud fields”. Unfortunately, those are three very major elements of managing ACL.)

If you are reading this in the not so distant future and someone has developed a plugin that has an admin area like Authake’s but drops into app/plugins like Jeff’s plugin, please, please let me know.