tags:

views:

49

answers:

4

Hello,

I have been futzing around with Cake's Auth/ACL components. I've read the docs and I've done the tutorial, but I am still not satisfied with what I can actually accomplish with it. I've seen a couple of other approaches, but I can't say as I really have a straight winner with either. In any tutorial/blog post/doc I read, the use case of "ownership" isn't exactly sufficiently covered.

I was hoping to describe my use case, and if there's anyone that can suggest an approach, I am all ears; otherwise I might just have to try to do something myself ;o)


This basically mimics a simple set of doctor's offices.

Starts out easy enough for AROs:

  • Group 1: administrators (of course)
  • Group 2: caretakers
  • Group 3: members

There is a "hasOne" relationship between groups and users (i.e. a user can only belong to one group).

Now we use a tree structured ACO like Aidan Lister considers:

/root
    /practice
        /practice_profile
        /practice_updates
        /patients
            /entries
            /profiles
            /other_things

Each caretaker will have access to a practice that includes his patients. This gives the caretaker access to anything that the patient writes. On top of this, the patient will ONLY be able to see/edit/etc... anything that he owns. This wasn't specifically covered in any writing that I have read. I know that with filesystem types of permissions this is commonplace, but I don't even want to go down that road...

With Auth/ACL in Cake's core, it doesn't really get into permissions like this. It seems to say "well, if you're part of group X then you can perform function Y." Therefore, it seems like any user that belongs to the members group would have access to all other members' content and all caretakers would have access to all practices.

Has anyone else come across this sort of use case? Any suggestions for further reading? Any known solutions?

EDIT: So all of the answers were great, so upvotes all around. I highly recommend looking at the post that I didn't find, supplied by bancer, as it ended up pointing me to some cool things. Ultimately, though, the answers were buried in the docs; I just didn't quite "get it" the first time around. Also, there was an AHA moment when I read the cakeqs link. So answer goes to Benjamin.

+1  A: 

Hello Tim.

Any suggestions for further reading?

Good info: http://cakeqs.org/eng/questions/view/how_to_do_row-level_access_control.

The author of the original post is referring to the acl/auth part of the manual in the components section (if you need this as context, too).

It seems to say "well, if you're part of group X then you can perform function Y."

Check out the manual's tutorial section (again), it shows how to do groupwise and userwise access right management at the same time.

Kind regards, Benjamin.

benjamin
+1  A: 

The answer is here.

bancer
+1  A: 

Maybe this will give you some inspiration. It's an extract of the acos table for a CMS I've developed. By using the otherwise apparently unused model column, I get an extra layer of control that lets me set accessibility to pages.

 id    parent_id  model  foreign_key  alias          lft  rght
 1462  1176       page   NULL         about-us       285  286 #display page url
 1515  1176       page   NULL         leo-test       291  292 #display page url
 1195  1176       NULL   NULL         ajaxSetStatus  261  262 #function
 1194  1176       NULL   NULL         walkTree       259  260 #function

Then I do something like this in the controller to see if the current user has permission to view the requested page (user defaults to Anonymous if not logged in):

function view($url = null)
{
    // Look up the requested page by its url; send unknown urls to the error action
    $nD = $this->NodeDescriptor->findByUrl($url);
    if (!$nD) {
        $this->redirect(array('action' => 'error'));
    }
    // ARO: the logged-in user record, or the 'Anonymous' ARO alias when nobody is logged in
    $user = ($this->Auth->user()) ? $this->Auth->user() : 'Anonymous';
    // ACO: the page's alias in the acos table is its url, so check the user against it
    if (!$this->Acl->check($user, $url)) {
        $this->redirect($this->referer());
    }
    // ...
}
Leo
Of course you'll have to write some code to create the acos and to switch them on and off.
Leo
This is a great excerpt. It's not *exactly* what I had in mind, but definitely something that I'll look into when I get my brain wrapped around the basics a bit more.
Tim
+1  A: 

I didn't see anybody else link to this other Stack Overflow question about ACL which suggests adding a new entry to the actionMap, "editown".

the0ther
That is an excellent one too. I will have to look into how that will help in my specific situation, but I think something like that will be of great use.
Tim
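Putting the two ideas from the answers together (Leo's group-level $this->Acl->check() in the controller, and the per-row "edit own" notion behind the0ther's link), here is an added example, not code from this thread, of a CakePHP 1.x controller that layers an ownership check on top of the ACL check for the patients/entries branch of the question. The Entry model with its user_id column, the group_id and caretaker_id columns on users, the Entry belongsTo User association, and the group ids 1/2/3 are all assumptions.

```php
<?php
// Added example (not from the thread). Assumes Auth->authorize = 'controller',
// an Entry model (entries.user_id = author), users.group_id and users.caretaker_id,
// and groups 1 = administrators, 2 = caretakers, 3 = members (all assumptions).
class EntriesController extends AppController {
    var $components = array('Auth', 'Acl');

    function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->authorize = 'controller'; // every action goes through isAuthorized()
    }

    // Layer 1: "may this group reach this action at all?" via the ACO tree.
    // Layer 2: "is this particular row theirs?" for the row-level actions.
    function isAuthorized() {
        $user = $this->Auth->user();               // array('User' => array(...))
        $aco  = 'controllers/Entries/' . $this->action;
        if (!$this->Acl->check($user, $aco)) {
            return false;                          // group check failed: deny
        }
        $rowActions = array('view', 'edit', 'delete');
        if (in_array($this->action, $rowActions) && !empty($this->passedArgs[0])) {
            return $this->_ownsOrOversees($user['User'], $this->passedArgs[0]);
        }
        return true;                               // e.g. index/add: group check suffices
    }

    // Members see only their own entries, caretakers see entries of their own
    // patients, administrators see everything. Unknown ids are denied, not errored.
    function _ownsOrOversees($user, $entryId) {
        $entry = $this->Entry->find('first', array(
            'conditions' => array('Entry.id' => $entryId), 'recursive' => -1));
        if (!$entry) {
            return false;
        }
        switch ($user['group_id']) {
            case 1:                                // administrators
                return true;
            case 2:                                // caretakers: author must be my patient
                return (bool) $this->Entry->User->find('count', array('conditions' => array(
                    'User.id' => $entry['Entry']['user_id'],
                    'User.caretaker_id' => $user['id'])));
            default:                               // members: only rows I own
                return $entry['Entry']['user_id'] == $user['id'];
        }
    }
}
```

The ACL answers the question the core docs cover (group X may call action Y); the ownership check closes the gap the question raises, so a member cannot open another member's entry even though both groups pass the same ACO check.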