Comments on: Limit Data by User with CakePHP http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/ how much blog can blogchuck blog Fri, 16 Sep 2011 03:57:04 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Chuck Burgess http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-313 Chuck Burgess Mon, 20 Jun 2011 00:03:37 +0000 http://blogchuck.com/?p=331#comment-313 This code is designed to limit users only and allow the admin to see ALL users. If you want to limit the ADMIN to only see ADMIN information, you can remove the corresponding code from the beforeSave and beforeFind call backs (if($this->user_id = Configure::read('user_id')){). This code is designed to limit users only and allow the admin to see ALL users. If you want to limit the ADMIN to only see ADMIN information, you can remove the corresponding code from the beforeSave and beforeFind call backs (if($this->user_id = Configure::read(‘user_id’)){).

]]> By: tagman http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-312 tagman Sun, 19 Jun 2011 11:21:30 +0000 http://blogchuck.com/?p=331#comment-312 hi chunck I got problem when login as admin I see data same user see My app use acl plugin to manage 4 permission admin,mod,expert,user can you help me to implement your code to my app thank hi chunck
I got problem when login as admin
I see data same user see
My app use acl plugin to manage 4 permission admin,mod,expert,user
can you help me to implement your code to my app
thank

]]> By: Chuck Burgess http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-310 Chuck Burgess Tue, 29 Mar 2011 23:41:45 +0000 http://blogchuck.com/?p=331#comment-310 They should be. If they are not, you can add the callback to your independent model with the following: function {callback}() { parent::{callback}(); } Just replace {callback} with the callback function you are performing: beforeSave, beforeFind, etc. They should be. If they are not, you can add the callback to your independent model with the following:

function {callback}() {
parent::{callback}();
}

Just replace {callback} with the callback function you are performing: beforeSave, beforeFind, etc.

]]> By: lyba http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-309 lyba Tue, 29 Mar 2011 16:58:30 +0000 http://blogchuck.com/?p=331#comment-309 There is a major problem with this approach - it only works for the main model. Callbacks are not executed for dependent models. If you display dependent models on your forms they will be displayed regardless of the user_id set on them. I need to look for another solution or continue with updating all controllers. No quick wins so far. :( Thanks anyway There is a major problem with this approach – it only works for the main model. Callbacks are not executed for dependent models.

If you display dependent models on your forms they will be displayed regardless of the user_id set on them.

I need to look for another solution or continue with updating all controllers. No quick wins so far. :(

Thanks anyway

]]> By: Chuck Burgess http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-304 Chuck Burgess Tue, 29 Mar 2011 13:12:57 +0000 http://blogchuck.com/?p=331#comment-304 Thank you for your feedback Iyba. I am glad you find it useful. I also appreciate the perspective of others. Your perspective helps improve this code. Thank you for posting. Thank you for your feedback Iyba. I am glad you find it useful. I also appreciate the perspective of others. Your perspective helps improve this code. Thank you for posting.

]]> By: lyba http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-302 lyba Tue, 29 Mar 2011 06:59:29 +0000 http://blogchuck.com/?p=331#comment-302 This is exactly what I set to find on internet today. Took me 5 minutes, great. I like it very much. Now, I have one concern. Above solution is assuming admin/no admin roles. And assumes authentication does not allow non users to access models in question. Although these assumptions make the solution safe, they make it limited. In systems where access should be restricted to owner data (e.g. medical data should not be available to admins, non doctors) and is rather role based then an admin/no admin attribute above solution is missing prevent access feature. If user_id is not set filter will return all rows. Imagine, you have not set up properly login/non login access to a certain model. The same goes for save. If user_id is not set it will allow saving any hacked id. The simple solution is to add a line to both methods: else (user_id not set) impossible to meet condition (- to return empty set) Still the idea is great and I will expand it to my needs. I thought I will point the above out so if you intend to expand the solution you have it in mind. This is exactly what I set to find on internet today. Took me 5 minutes, great. I like it very much.

Now, I have one concern. Above solution is assuming admin/no admin roles. And assumes authentication does not allow non users to access models in question. Although these assumptions make the solution safe, they make it limited.

In systems where access should be restricted to owner data (e.g. medical data should not be available to admins, non doctors) and is rather role based then an admin/no admin attribute above solution is missing prevent access feature. If user_id is not set filter will return all rows. Imagine, you have not set up properly login/non login access to a certain model. The same goes for save. If user_id is not set it will allow saving any hacked id.

The simple solution is to add a line to both methods:
else (user_id not set)
impossible to meet condition (- to return empty set)

Still the idea is great and I will expand it to my needs. I thought I will point the above out so if you intend to expand the solution you have it in mind.

]]> By: Chuck Burgess http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-300 Chuck Burgess Mon, 10 Jan 2011 14:13:27 +0000 http://blogchuck.com/?p=331#comment-300 The beforeFind will limit what the user will see after they log in. Keep in mind the idea behind the way this was written was to limit the user to only see their own data. If you want everyone to see ALL data, then remove the beforeFind in app_model. The beforeFind will limit what the user will see after they log in. Keep in mind the idea behind the way this was written was to limit the user to only see their own data. If you want everyone to see ALL data, then remove the beforeFind in app_model.

]]> By: Sean http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-299 Sean Mon, 10 Jan 2011 13:25:30 +0000 http://blogchuck.com/?p=331#comment-299 Hi Chuck, thanks for this great explanation, the code works well. However, I'm wondering if you could help as I'm a bit confused with how the beforeFilter() works in this case. In the Posts Controller there is, for example: function beforeFilter() { parent::beforeFilter(); $this->Auth->allowedActions = array('index'); } When not logged in, a user can see all posts in the index but when logged in, they can only see their own posts. I'd like them to still see all the posts in index but only be able to edit their own eg. $this->Auth->deny('delete','edit','add'). How does this work with this function? Should the beforeFilter be in the Model? Sorry if I've missed something glaringly obvious! Hi Chuck, thanks for this great explanation, the code works well.

However, I’m wondering if you could help as I’m a bit confused with how the beforeFilter() works in this case.

In the Posts Controller there is, for example:
function beforeFilter() {
parent::beforeFilter();
$this->Auth->allowedActions = array(‘index’);
}

When not logged in, a user can see all posts in the index but when logged in, they can only see their own posts.

I’d like them to still see all the posts in index but only be able to edit their own eg. $this->Auth->deny(‘delete’,'edit’,'add’).
How does this work with this function? Should the beforeFilter be in the Model?
Sorry if I’ve missed something glaringly obvious!

]]> By: Chuck Burgess http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-295 Chuck Burgess Tue, 28 Sep 2010 20:34:22 +0000 http://blogchuck.com/?p=331#comment-295 I am still trying to put together a good solution on the UI side of things for navigation. However, I simple set up some elements and call them based on the Auth.User.role in the layout something like this: <div id="nav_bar"> <?php if ($this->Session->read('Auth.User.role') == 'Admin') { echo $this->element('admin'); } else { echo $this->element('main_nav'); } } ?> </div> I am still trying to put together a good solution on the UI side of things for navigation. However, I simple set up some elements and call them based on the Auth.User.role in the layout something like this:

]]> By: moflint http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/comment-page-1/#comment-294 moflint Tue, 28 Sep 2010 10:16:14 +0000 http://blogchuck.com/?p=331#comment-294 So I've read the whole thing (really ought to do that before commenting!) and I like your solution :-) I'm wondering what solution you have for menus/UI. What logic do you use to make visible/hide options from unauthorised users? I am thinking of a single 'centralized' method for both the SQL limiting and the UI options. So I’ve read the whole thing (really ought to do that before commenting!) and I like your solution :-)

I’m wondering what solution you have for menus/UI. What logic do you use to make visible/hide options from unauthorised users? I am thinking of a single ‘centralized’ method for both the SQL limiting and the UI options.

]]>