5.1.3.3 Assigning Permissions
After creating our ACOs and AROs, we can finally assign permissions between the two groups. This is done using Cake's core Acl component. Let's continue on with our example.
Here we'll work in the context of a controller action. We do that because permissions are managed by the Acl Component.
class SomethingsController extends AppController
{
    // You might want to place this in the AppController
    // instead, but here works great too.
    var $components = array('Acl');
}
Let's set up some basic permissions using the AclComponent in an action inside this controller.
function index()
{
    // Allow warriors complete access to weapons
    // Both these examples use the alias syntax
    $this->Acl->allow('warriors', 'Weapons');

    // Though the King may not want to let everyone
    // have unfettered access
    $this->Acl->deny('warriors/Legolas', 'Weapons', 'delete');
    $this->Acl->deny('warriors/Gimli', 'Weapons', 'delete');

    die(print_r('done', 1));
}
The first call we make to the AclComponent allows any user under the 'warriors' ARO group full access to anything under the 'Weapons' ACO group. Here we're just addressing ACOs and AROs by their aliases.
Notice the usage of the third parameter? That's where we use those handy actions that are built in for all Cake ACOs. The default options for that parameter are create, read, update, and delete, but you can add a column in the aros_acos database table (prefixed with _ - for example _admin) and use it alongside the defaults.
The second set of calls is an attempt to make a more fine-grained permission decision. We want Aragorn to keep his full-access privileges, but deny other warriors in the group the ability to delete Weapons records. We're using the alias syntax to address the AROs above, but you might want to use the model/foreign key syntax yourself. What we have above is equivalent to this:
// 6342 = Legolas
// 1564 = Gimli
$this->Acl->deny(array('model' => 'User', 'foreign_key' => 6342), 'Weapons', 'delete');
$this->Acl->deny(array('model' => 'User', 'foreign_key' => 1564), 'Weapons', 'delete');
Addressing a node using the alias syntax uses a slash-delimited string ('/users/employees/developers'). Addressing a node using model/foreign key syntax uses an array with two parameters: array('model' => 'User', 'foreign_key' => 8282).
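The following stand-alone script is an added illustration, not code from the Cake manual or from CakePHP itself. It is a simplified model of how the three rules above combine: the function modelCheck() and the ARO 'warriors/Boromir' are hypothetical, and the lookup (nearest rule on the ARO's path decides, no rule means deny) is an assumption of the model rather than the framework's actual implementation.

```php
<?php
// Simplified stand-alone model of the rules set up above; NOT CakePHP's own code.
// Each rule: ARO alias path, ACO alias, action ('*' = all actions), value (1 allow, -1 deny).
$rules = array(
    array('warriors',         'Weapons', '*',      1),
    array('warriors/Legolas', 'Weapons', 'delete', -1),
    array('warriors/Gimli',   'Weapons', 'delete', -1),
);

// Walk from the most specific ARO up through its parents. The first explicit
// allow or deny found for the action decides. No matching rule means deny.
function modelCheck($rules, $aro, $aco, $action)
{
    $parts = explode('/', $aro);
    while ($parts) {
        $node = implode('/', $parts);
        foreach ($rules as $rule) {
            list($rAro, $rAco, $rAction, $value) = $rule;
            if ($rAro === $node && $rAco === $aco
                && ($rAction === '*' || $rAction === $action)) {
                return $value === 1;
            }
        }
        array_pop($parts); // nothing set at this node, inherit from the parent ARO
    }
    return false;
}

// 'warriors/Boromir' is a constructed ARO with no rule of its own; 'hobbits/Frodo'
// is a constructed ARO outside the warriors group.
$aros = array('warriors/Aragorn', 'warriors/Legolas', 'warriors/Gimli',
              'warriors/Boromir', 'hobbits/Frodo');
$actions = array('create', 'read', 'update', 'delete');

// Print the effective permission matrix on Weapons for review.
foreach ($aros as $aro) {
    $row = array();
    foreach ($actions as $action) {
        $allowed = modelCheck($rules, $aro, 'Weapons', $action);
        $row[] = $action . '=' . ($allowed ? 'yes' : 'no');
    }
    echo str_pad($aro, 18) . implode(' ', $row) . "\n";
}
```

In this model Aragorn keeps delete only because no deny was written for him, so any warrior added to the group later inherits delete in the same way. If delete is meant to be the exception, granting it to the individual who needs it and leaving it off the group keeps new members restricted by default.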
The next section will help us validate our setup by using the AclComponent to check the permissions we've just set up.


























