
Minimalistic system of division of rights into groups in 5 minutes

Tired of ACL? Perhaps the simplest solution is to divide rights into groups: no ACL tables, no rights tree. But if you need to set rights individually for each user, this solution is definitely not for you.

We only have 5 minutes, so let's get started right away.

Create or modify database tables with users and groups, so that they look like this:

users
    id - primary key
    username - unique
    password
    group_id
groups
    id - primary key
    name - unique


Then we create several groups and users. Do not forget to create the group "Administrators".

Next, create the User and Group model classes.

<?php
class User extends AppModel {
    var $name = 'User';
    var $displayField = 'username';
    var $belongsTo = array(
        'Group' => array(
            'className' => 'Group',
            'foreignKey' => 'group_id'
        )
    );
}
?>


<?php
class Group extends AppModel {
    var $name = 'Group';
    var $displayField = 'name';

    var $hasMany = array(
        'User' => array(
            'className' => 'User',
            'foreignKey' => 'group_id',
            'dependent' => false
        )
    );
}
?>


And add the following code to app_controller.php :

<?php
class AppController extends Controller {

    var $components = array('Auth', 'Session');
    var $permissions = array();

    function beforeFilter() {
        $this->Auth->fields = array(
            'username' => 'username', // login column of the users table
            'password' => 'password'  // password column of the users table
        );
        $this->Auth->authorize = 'controller'; // Auth will call isAuthorized() below
        $this->Auth->autoRedirect = false;
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
        $this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'welcome');
    }

    function isAuthorized() {
        // Administrators are allowed everything
        if ($this->Auth->user('group') == 'Administrators') return true;
        if (!empty($this->permissions[$this->action])) {
            // '*' means any logged-in user, whatever the group
            if ($this->permissions[$this->action] == '*') return true;
            // otherwise the user's group must be listed for this action
            if (in_array($this->Auth->user('group'), $this->permissions[$this->action])) return true;
        }
        // no entry for this action: access denied
        return false;
    }

}
?>


Add the following lines to users_controller.php :

<?php
class UsersController extends AppController {

    var $name = 'Users';
    var $helpers = array('Html', 'Form');
    var $permissions = array(
        'logout' => '*',
        'welcome' => '*'
    );

    function welcome() {
    }

    function login() {
        if ($this->Auth->user()) {
            // store the name of the user's group in the Auth session
            $this->Session->write('Auth.User.group',
                $this->User->Group->field('name', array('id' => $this->Auth->user('group_id'))));
            $this->redirect($this->Auth->redirect());
        }
    }

    function logout() {
        $this->redirect($this->Auth->logout());
    }

    // ... add, edit, delete actions follow
}
?>


Well, that's actually all. Now, to specify access rights, add a $permissions array to any controller, as we did in users_controller.

How it works:

When a user logs in, we add the name of their group to the Auth session. Afterwards, whenever a controller method is called, the Auth component calls our isAuthorized function: if it returns true, the user gets access; if it returns false, access is denied. If the user is in the "Administrators" group, they always get access. The isAuthorized function looks up the $permissions array defined in each controller, using the name of the current action as the key; if the user's group is in the array under that key (or, instead of an array, there is a '*', meaning everyone), the user is allowed access.
Note: this assumes you are still logged in, even when the access level is '*'. You can let unauthenticated users reach an action with the Auth->allow method.
Note: we did not define access for users/login because Auth allows access to it by default.

Example:

Suppose we want to allow the Moderators group to delete users. Add the following code to users_controller.php :

var $permissions = array(
    'logout' => '*',
    'welcome' => '*',
    'delete' => array('Moderators')
);
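The decision logic of isAuthorized pulled out into a pure function and run against the permission table above, as an added example (not code from the article): it shows that an action with no entry is denied by default and that a session carrying no group name gets nothing beyond '*' actions. The function name isAllowed and the group "Users" are assumptions.

```php
<?php
// Added example: the authorization rule from AppController::isAuthorized()
// as a pure function, so it can be exercised outside CakePHP.

function isAllowed($group, $action, array $permissions)
{
    // Administrators bypass the permission table entirely.
    if ($group === 'Administrators') {
        return true;
    }
    // No entry for this action: deny by default.
    if (empty($permissions[$action])) {
        return false;
    }
    // '*' means any logged-in user, whatever the group.
    if ($permissions[$action] === '*') {
        return true;
    }
    // Otherwise the group must be listed explicitly for this action.
    return in_array($group, $permissions[$action], true);
}

// Permission table from the UsersController example above.
$permissions = array(
    'logout'  => '*',
    'welcome' => '*',
    'delete'  => array('Moderators'),
);

// Constructed cases: group, action, expected decision.
$cases = array(
    array('Administrators', 'delete',  true),  // admin bypass
    array('Moderators',     'delete',  true),  // listed group
    array('Users',          'delete',  false), // group not listed
    array('Users',          'welcome', true),  // wildcard action
    array('Users',          'edit',    false), // no entry: denied
    array('',               'delete',  false), // session without a group: denied
);

foreach ($cases as $c) {
    list($group, $action, $expected) = $c;
    $got = isAllowed($group, $action, $permissions);
    printf("%-15s %-8s %s\n", $group === '' ? '(none)' : $group, $action,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Note that the group name is read from the session, so a user whose group is changed in the database keeps the old rights until they log in again.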


But now users who are not logged in cannot register. Add to users_controller.php:

function beforeFilter() {
    $this->Auth->allow('signup');
    parent::beforeFilter();
}


I hope this solution helped you. It is an extremely simple way of dividing rights into groups, but of course it has its drawbacks. For example, you cannot allow a user to edit an article only if they created it, at least not without changing the code above. I will leave that to you.

Source: https://habr.com/ru/post/69182/

