Tags: cakephp, permissions, authorization, cakephp-1.3, row-level-security

How to get permissions in cakePHP


First, sorry for my language skills, I am not used to writing in English. ;)
I'm trying to develop my first cakePHP application.

What I'm trying to do:

  • Users are in groups and groups have access to different locations.
  • Users can add reservations for these locations.

So my main problem is to find the best way to get the permissions of the user:

  • The user should only see the locations to which he has access.
  • If a user tries to add a reservation for a location, I have to check his permission for this location.
  • etc.

I also have moderators and admins, but I think this is a similar problem.

So, how can I do this properly? The ACL doesn't seem to be the right way: in most tutorials it controls access to actions, not to DB rows.

What my Database looks like:
I have a user table and use the AuthComponent to manage the authentication. This works fine.

CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(64) NOT NULL,
  `password` varchar(64) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  `created` datetime NOT NULL,
  `modified` datetime NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`)
);

I have a groups table for usergroups.

CREATE TABLE IF NOT EXISTS `groups` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(64) NOT NULL,
  `created` datetime NOT NULL,
  `modified` datetime NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `name` (`name`)
);


CREATE TABLE IF NOT EXISTS `groups_users` (
  `group_id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  UNIQUE KEY `group_id` (`group_id`,`user_id`)
);

And I have my locations.

CREATE TABLE IF NOT EXISTS `locations` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(64) NOT NULL,
  `adress` text NOT NULL,
  `description` text,
  `created` datetime DEFAULT NULL,
  `modified` datetime DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `name` (`name`)
);

This table contains the permissions: which group has access to which location.

CREATE TABLE IF NOT EXISTS `groups_locations` (
  `group_id` int(11) NOT NULL,
  `location_id` int(11) NOT NULL,
  UNIQUE KEY `group_id` (`group_id`,`location_id`)
);

And of course the reservations table:

CREATE TABLE IF NOT EXISTS `reservations` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `location_id` int(11) NOT NULL,
  `start` date NOT NULL,
  `end` date NOT NULL,
  `user_id` int(11) NOT NULL,
  `created` datetime DEFAULT NULL,
  `modified` datetime DEFAULT NULL,
  PRIMARY KEY (`id`)
);

Thanks!


Solution

  • Maybe I have a solution - I could use some feedback:

    After the user has logged in, I save the permissions in his session variables:

        function login() {
            // Auth->user() is only set once the AuthComponent has accepted the credentials
            if ($user = $this->Auth->user()) {
                // Reservations are not needed here; drop the hasMany so recursive => 2
                // only pulls User -> Group -> Location
                $this->User->unbindModel(array(
                    'hasMany' => array('Reservation'),
                ));
                $user = $this->User->find('first', array(
                    'conditions' => array('User.id' => $user['User']['id']),
                    'recursive'  => 2,
                ));
                // Groups (each with its Location rows) are copied into the session once
                $this->Session->write('Auth.User.Group', $user['Group']);
            }
        }

    I'm not sure how secure this solution is, and permission changes only take effect after logout, but it seems to work fine.
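The two points above, the DB-side row-level check the question asks for (which locations may a user see, and may he reserve this one) and the staleness caveat of the session copy in this answer, as one added example that is not part of the original post and not CakePHP code. It uses Python with sqlite3 and a SQLite rendering of the posted schema (created/modified columns dropped) plus constructed sample users, groups and locations; the table and column names are the question's, while the e-mail addresses, group and room names and the function names (`accessible_locations`, `can_access`, `add_reservation`, `session_snapshot`, `revoke_and_compare`) are assumptions. The two SQL statements are the part that carries over: in CakePHP 1.3 they correspond to the joins and conditions of a `find()` on Location, and to a check run in the reservation add action before `save()`.

```python
import sqlite3

# Assumption: SQLite rendering of the posted MySQL schema. "groups" and "end"
# are quoted because both are SQL keywords; created/modified columns are omitted.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE,
                    password TEXT NOT NULL, enabled INTEGER NOT NULL);
CREATE TABLE "groups" (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE);
CREATE TABLE groups_users (group_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
                           UNIQUE (group_id, user_id));
CREATE TABLE locations (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE);
CREATE TABLE groups_locations (group_id INTEGER NOT NULL, location_id INTEGER NOT NULL,
                               UNIQUE (group_id, location_id));
CREATE TABLE reservations (id INTEGER PRIMARY KEY AUTOINCREMENT, location_id INTEGER NOT NULL,
                           start TEXT NOT NULL, "end" TEXT NOT NULL, user_id INTEGER NOT NULL);
"""

# Constructed sample data: alice is in 'staff' (Room A and Room B),
# bob is in 'guests' (Room B only), carol belongs to no group.
SAMPLE_DATA = """
INSERT INTO users (id, email, password, enabled) VALUES
  (1, 'alice@example.com', 'x', 1), (2, 'bob@example.com', 'x', 1), (3, 'carol@example.com', 'x', 1);
INSERT INTO "groups" (id, name) VALUES (10, 'staff'), (20, 'guests');
INSERT INTO groups_users (group_id, user_id) VALUES (10, 1), (20, 2);
INSERT INTO locations (id, name) VALUES (100, 'Room A'), (200, 'Room B');
INSERT INTO groups_locations (group_id, location_id) VALUES (10, 100), (10, 200), (20, 200);
"""

# Row filter for the location list: users -> groups_users -> groups_locations -> locations.
ACCESSIBLE_LOCATIONS_SQL = """
SELECT DISTINCT l.id, l.name
FROM locations l
JOIN groups_locations gl ON gl.location_id = l.id
JOIN groups_users gu ON gu.group_id = gl.group_id
WHERE gu.user_id = ?
ORDER BY l.id
"""

# The same relationship as a yes/no question for one (user, location) pair.
CAN_ACCESS_SQL = """
SELECT EXISTS (
  SELECT 1 FROM groups_locations gl
  JOIN groups_users gu ON gu.group_id = gl.group_id
  WHERE gu.user_id = ? AND gl.location_id = ?
)
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the schema and the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def accessible_locations(conn, user_id):
    """Names of the locations the user's groups may use (what his index view shows)."""
    return [row[1] for row in conn.execute(ACCESSIBLE_LOCATIONS_SQL, (user_id,))]


def can_access(conn, user_id, location_id):
    """Authoritative check against the current DB state, cheap enough to run per request."""
    return bool(conn.execute(CAN_ACCESS_SQL, (user_id, location_id)).fetchone()[0])


def add_reservation(conn, user_id, location_id, start, end):
    """Server-side check before insert: the posted location_id is untrusted input."""
    if not can_access(conn, user_id, location_id):
        raise PermissionError(f"user {user_id} may not reserve location {location_id}")
    cur = conn.execute(
        'INSERT INTO reservations (location_id, start, "end", user_id) VALUES (?, ?, ?, ?)',
        (location_id, start, end, user_id),
    )
    return cur.lastrowid


def session_snapshot(conn, user_id):
    """Mimics the posted login(): the permission set is copied once at login."""
    return {row[0] for row in conn.execute(ACCESSIBLE_LOCATIONS_SQL, (user_id,))}


def revoke_and_compare(conn, user_id, group_id, location_id):
    """Revoke a group's access after 'login' and ask both sources; returns (cached, live)."""
    cached = session_snapshot(conn, user_id)
    conn.execute("DELETE FROM groups_locations WHERE group_id = ? AND location_id = ?",
                 (group_id, location_id))
    return location_id in cached, can_access(conn, user_id, location_id)


if __name__ == "__main__":
    db = open_db()
    print("bob sees:", accessible_locations(db, 2))
    print("bob reserves Room B -> id", add_reservation(db, 2, 200, "2011-05-01", "2011-05-02"))
    print("after revoking guests/Room B (cached, live):", revoke_and_compare(db, 2, 20, 200))
```

`revoke_and_compare` is the caveat stated in the answer made concrete: the copy written at login still says yes after the `groups_locations` row is deleted, while the query says no. A session copy is fine for building menus, but the insert in `add_reservation` should always re-run the query (or the session copy should be refreshed whenever group membership or group permissions change).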