CREATE ACL IN CAKEPHP 3

Take an application that has no ACL implemented yet and make it ACL-enabled; the main trick is that we will build the aros table by hand.

Follow the steps:

1) Create a CakePHP application with composer:

composer create-project --prefer-dist cakephp/app acl_existing_app
2) Create the tables:

CREATE TABLE users (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(255) NOT NULL UNIQUE,
    password CHAR(60) NOT NULL,
    group_id INT(11) NOT NULL,
    created DATETIME,
    modified DATETIME
);

CREATE TABLE groups (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL,
    created DATETIME,
    modified DATETIME
);

CREATE TABLE posts (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    user_id INT(11) NOT NULL,
    title VARCHAR(255) NOT NULL,
    body TEXT,
    created DATETIME,
    modified DATETIME
);

CREATE TABLE widgets (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL,
    part_no VARCHAR(12),
    quantity INT(11)
);

INSERT INTO `groups` (`id`, `name`, `created`, `modified`) VALUES
    (NULL, 'admin', CURRENT_DATE(), NULL),
    (NULL, 'manager', CURRENT_DATE(), NULL),
    (NULL, 'user', CURRENT_DATE(), NULL);
3) Bake the application:

bin/cake bake all groups
bin/cake bake all users
bin/cake bake all posts
bin/cake bake all widgets
4) Create the ACL table structure (the cakephp/acl plugin must already be installed and loaded in the application). Run:

bin/cake Migrations.migrations migrate -p Acl

It will create 4 tables:

4.1) aros (Access Request Object): holds the roles and the users, i.e. which user has which role/group.
4.2) acos (Access Control Object): lists all controllers and actions that can be accessed by AROs.
4.3) aros_acos: records which ARO has permission on which ACO, i.e. which user or group may access which controller and action. This is where permissions are set.
4.4) acl_phinxlog: the Acl plugin's migration log table.
5) Create users (or use users that already exist):

To add new users, temporarily allow every action in src/Controller/UsersController.php:

public function initialize()
{
    parent::initialize();
    // temporary: opens all Users actions; removed again in step 8
    $this->Auth->allow();
}

Now add 3 users with the groups/roles admin, manager and user:

localhost/acl-example2/users/add
6) Create the aros rows by hand:

Do this manually, without the console, to create the nodes.

6.1) Add the groups/roles:

INSERT INTO `aros` (`id`, `parent_id`, `model`, `foreign_key`, `alias`, `lft`, `rght`) VALUES
    (NULL, NULL, 'Groups', '1', NULL, '1', '4'),
    (NULL, NULL, 'Groups', '2', NULL, '5', '8'),
    (NULL, NULL, 'Groups', '3', NULL, '9', '12');

6.2) Add the users:

INSERT INTO `aros` (`id`, `parent_id`, `model`, `foreign_key`, `alias`, `lft`, `rght`) VALUES
    (NULL, 1, 'Users', '1', NULL, '2', '3'),
    (NULL, 2, 'Users', '2', NULL, '6', '7'),
    (NULL, 3, 'Users', '3', NULL, '10', '11');

There is a pattern in the lft and rght values of the queries in 6.1 and 6.2 (the aros table is a nested set); the image illustrates it:

For the first group row, lft and rght are (1, 4). The values in between, 2 and 3, are used as lft and rght of that group's user in the query of 6.2. The next value after 4 is 5, which becomes lft of the second group row, and so on. The parent_id in 6.2 is the aros.id of the group row, which here is 1, 2 and 3 because the groups were inserted first into an empty aros table.
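The pattern above, as an added Python example (not code from the post): it computes the nested-set lft/rght values for any number of groups and users, renders the same INSERT statements, and checks a hand-written set of rows for consistency. It assumes an empty aros table with the groups inserted first, so that the n-th group gets aros.id n.

```python
# Added example (not from the post): compute the nested-set lft/rght values
# the post fills in by hand in 6.1 and 6.2, and render the INSERTs. Assumes
# aros is empty and groups are inserted first, so the n-th group's aros.id is n.

def build_aro_rows(groups, users_by_group):
    """Depth-first walk: a node takes the next counter value on entry (lft)
    and the next one after all its children are numbered (rght)."""
    group_rows, user_rows = [], []
    counter = 0
    for index, group_id in enumerate(groups, start=1):
        counter += 1                                    # group's lft
        group_row = {"parent_id": None, "model": "Groups",
                     "foreign_key": group_id, "lft": counter}
        for user_id in users_by_group.get(group_id, []):
            counter += 1                                # leaf: lft, rght
            user_rows.append({"parent_id": index, "model": "Users",
                              "foreign_key": user_id,
                              "lft": counter, "rght": counter + 1})
            counter += 1
        counter += 1                                    # group's rght
        group_row["rght"] = counter
        group_rows.append(group_row)
    return group_rows + user_rows        # groups first, so aros.id == index


def to_sql(rows, model):
    """Render the rows of one model as the INSERT statement from the post."""
    values = ", ".join(
        "(NULL, %s, '%s', '%s', NULL, '%d', '%d')" % (
            "NULL" if r["parent_id"] is None else r["parent_id"],
            r["model"], r["foreign_key"], r["lft"], r["rght"])
        for r in rows if r["model"] == model)
    return ("INSERT INTO `aros` (`id`, `parent_id`, `model`, `foreign_key`, "
            "`alias`, `lft`, `rght`) VALUES " + values + ";")


def validate(rows):
    """Sanity check for hand-written rows: lft < rght, every child's interval
    lies strictly inside its parent's, and no value is used twice."""
    by_id = {i: r for i, r in enumerate(rows, start=1)}   # insert order = id
    used = []
    for r in rows:
        if r["lft"] >= r["rght"]:
            return False
        used += [r["lft"], r["rght"]]
        parent = by_id.get(r["parent_id"])
        if parent and not (parent["lft"] < r["lft"] < r["rght"] < parent["rght"]):
            return False
    return len(used) == len(set(used))
```

Running validate() over rows you typed by hand catches the usual mistakes (overlapping intervals, a user placed outside its group), which otherwise surface only as wrong ACL decisions later.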
7) Populate the acos table:

bin/cake acl_extras aco_sync

It enters all controllers and actions into the acos table automatically. You can add more controllers and actions in the future by running this command again.
8) Remove the temporary Auth overrides:

Remove the temporary auth overrides by removing the beforeFilter function or the call to $this->Auth->allow(); in src/Controller/UsersController.php. Until this is done, every action of UsersController, including add, is reachable without logging in.
9) Model setup (node setup):

So that in the future, when you add a new group or user, it is automatically added to the aros table.

Acting as a requester:

· Add the requester behavior to GroupsTable and UsersTable.
· Add $this->addBehavior('Acl.Acl', ['type' => 'requester']); to the initialize function in the files src/Model/Table/UsersTable.php and src/Model/Table/GroupsTable.php.

Implement the parentNode function in the Group entity

Add the following implementation of parentNode to the file src/Model/Entity/Group.php:

public function parentNode()
{
    // groups are root nodes of the ARO tree
    return null;
}

Implement the parentNode function in the User entity

Add the following implementation of parentNode to the file src/Model/Entity/User.php:

use Cake\ORM\TableRegistry;   // at the top of the file, with the other use statements

public function parentNode()
{
    // a user that is not saved yet has no node
    if (!$this->id) {
        return null;
    }
    if (isset($this->group_id)) {
        $groupId = $this->group_id;
    } else {
        // group_id not loaded on this entity: fetch it from the table
        $Users = TableRegistry::get('Users');
        $user = $Users->find('all', ['fields' => ['group_id']])
            ->where(['id' => $this->id])
            ->first();
        $groupId = $user->group_id;
    }
    if (!$groupId) {
        return null;
    }
    // the user's ARO node hangs under its group's node
    return ['Groups' => ['id' => $groupId]];
}
10) Configuring permissions

Configure permissions using the ACL shell; each command creates an entry in the aros_acos table.

First, find the IDs of each group you want to grant permissions on. There are several ways of doing this. Since we will be at the console anyway, the quickest way is probably to run bin/cake acl view aro to view the ARO tree. In this example, we will assume the Administrator, Manager, and User groups have IDs 1, 2, and 3 respectively.

- Grant members of the Administrator group permission to everything
  - Run bin/cake acl grant Groups.1 controllers
- Grant members of the Manager group permission to all actions in Posts and Widgets
  - Run bin/cake acl deny Groups.2 controllers
  - Run bin/cake acl grant Groups.2 controllers/Posts
  - Run bin/cake acl grant Groups.2 controllers/Widgets
- Grant members of the User group permission to view Posts and Widgets
  - Run bin/cake acl deny Groups.3 controllers
  - Run bin/cake acl grant Groups.3 controllers/Posts/index
  - Run bin/cake acl grant Groups.3 controllers/Posts/view
  - Run bin/cake acl grant Groups.3 controllers/Widgets/index
  - Run bin/cake acl grant Groups.3 controllers/Widgets/view
- Allow all groups to logout
  - Run bin/cake acl grant Groups.2 controllers/Users/logout
  - Run bin/cake acl grant Groups.3 controllers/Users/logout

The deny on controllers for groups 2 and 3 comes first on purpose: it makes the later, more specific grants the only things those groups can reach, and anything not explicitly granted stays denied.
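As an added example (not the plugin's own code), a small Python model of how these grant and deny rules resolve. It assumes the ARO tree from step 6 (Users.N under Groups.N), reduces the plugin's separate create/read/update/delete permissions to one boolean, and uses a precedence order (requester's ARO chain outermost, most specific ACO innermost) that is my reading of the plugin's DbAcl check, stated here as an assumption.

```python
# Added example (not the plugin's code): a simplified model of how the
# grant/deny rules of step 10 combine. An ARO inherits from its parent
# (Users.1 -> Groups.1); an ACO inherits from the path above it
# (controllers/Posts/view -> controllers/Posts -> controllers). The
# requester's ARO chain is walked outermost and the ACO path from most to
# least specific innermost; the first rule found wins, no rule means deny.
# Permissions are one boolean here, not separate CRUD columns.

# Constructed ARO tree matching the aros rows inserted in step 6.
ARO_PARENT = {"Users.1": "Groups.1", "Users.2": "Groups.2", "Users.3": "Groups.3"}

# The commands of step 10, as typed after "bin/cake acl".
COMMANDS = """
grant Groups.1 controllers
deny Groups.2 controllers
grant Groups.2 controllers/Posts
grant Groups.2 controllers/Widgets
deny Groups.3 controllers
grant Groups.3 controllers/Posts/index
grant Groups.3 controllers/Posts/view
grant Groups.3 controllers/Widgets/index
grant Groups.3 controllers/Widgets/view
grant Groups.2 controllers/Users/logout
grant Groups.3 controllers/Users/logout
"""


def load_rules(text):
    """Turn 'grant|deny <aro> <aco path>' lines into {(aro, aco): bool}."""
    rules = {}
    for line in text.strip().splitlines():
        verb, aro, aco = line.split()
        rules[(aro, aco)] = verb == "grant"
    return rules


def check(rules, aro, aco):
    """Resolve whether aro may reach aco under the precedence described above."""
    parts = aco.split("/")
    node = aro
    while node is not None:                      # requester, then its parents
        for depth in range(len(parts), 0, -1):   # leaf action up to root
            key = (node, "/".join(parts[:depth]))
            if key in rules:
                return rules[key]
        node = ARO_PARENT.get(node)
    return False                                 # nothing matched: deny
```

Adding a rule keyed on a user (for example denying Users.2 on controllers/Posts) overrides the group rule for that user only, because the requester's own node is consulted before its group.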