CakePHP 2.x ACL - Control at owner level

Question

I am able to control my application using ACL, everything done perfectly and application is working smooth with ACL and Auth.

Now the problem is:

I have two tables, users and posts. there is no RBAC (role based access control). I am setting deny and allow for each user like follow.

//allow User1 to do everything
$user->id=1;
$this->ACL->allow($user,'controllers');

//allow User2 to add, edit and view the posts 
$user->id=2;
$this->Acl->deny($user, 'controllers');
$this->Acl->allow($user, 'controllers/Posts');

but here I am getting one problem:

user2 is getting access to edit the posts of user1.

example:

User1 created a post1.

now User2 logged in now he can edit the User1's post (i.e. post1- /localhost/myApp/posts/edit/1)

Question: How can I set ACL permission to this problem, The owner of the post can only edit the post and others can not.

I can achieve this in controller level simply checking

if($_SESSION['Auth']['User']['id'] == $Post['Post']['user_id']){
    // you're the owner, so u can edit
}else{
    //u cant edit, this is not ur post
}

but I need ACL to work here, Is it possible?, Please help

Thanks

Answer 1

here's how I would do

first of all tell Cake that Post model is an ACO

 // Post.php model file
 $actsAs = array('Acl' => array('type' => 'controlled'));

this way every time you create a new post cake will automatically create an item in the acos table.

pay attention: you'll have to manually create the node for the previously created Posts, this way:

// for every Post in your posts table

$this->Acl->Aco->create(array('alias' => 'Post', 'id' => 123));
$this->Acl->Aco->save();

then you have to define a parentNode() function in your Post Model file

// Post.php model file
public function parentNode() {
    return null;
}

Now the ACL auth handler check form permission just at an action level. In other words it just checks that you're allowed to access the action. Then it demands other checks at a controller level by the isAuthorized() function.

so first you have to set the permission for every node

$this->Acl->allow($user, 'controllers/Posts/edit/123')

then in your controller you have to do

 // PostsController.php 
 public function isAuthorized($user = null) {

    if ($this->request->action === 'edit') {
        $user = // retrieve the user array. i.e. from Session
        $post_id = $this->request->$this->request->pass[0];
        $post = array('alias' => 'Post', 'id' => $post_id );
        return this->Acl->check($user, $post);
    }
    return parent::isAuthorized($user);
}

you can also implement parentNode() function to return the owner of the Post instead of null

// Post.php model file

// just an hint, the actual code should be 
// a bit more complex
public function parentNode() {
    $user_id = $this->field('user_id');
    return array('User' => array('id' => $user_id));
}

this way don't have to set the permission for every single post because cake will check if the user has access to the parent node of the Post (who is a user too). So you just have to set the permission for every user

$this->Acl->allow($user, $user);

If you follow this method remember to set the user as an ACO too

// User.php Model file

$actsAs = array('Acl' => array('type' => 'both'));

I did not test the code above so I guess there are a lot of typos and errors too. If I have time i'll do some tests and improve my answer in the next days