CakePHP 1.2 ACL/Auth The Quest Continues

In a recent post, I had stated that my ACL Quest was complete. Now it continues. Based upon http://realm3.com/ I have started a continuation of the previous Quest. A current project requires that the users have multiple roles(groups) assigned to them. This can be quite benefits in many applications today, so much that I have tried to write this to be available for any HABTM ACL Relationship. I have setup Cake 1.2 with a users table, groups table, and a HABTM groups_users table. The following is a sql dump of the 3 tables.

-- phpMyAdmin SQL Dump
-- version 2.10.0.2
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 26, 2008 at 03:58 PM
-- Server version: 5.0.37
-- PHP Version: 4.4.4

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `cms`
--

-- --------------------------------------------------------

--
-- Table structure for table `groups`
--

CREATE TABLE `groups` (
  `id` smallint(5) unsigned NOT NULL auto_increment,
  `name` varchar(50) collate utf8_bin default NULL,
  `description` text collate utf8_bin,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=10 ;

-- --------------------------------------------------------

--
-- Table structure for table `groups_users`
--

CREATE TABLE `groups_users` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `group_id` int(10) unsigned NOT NULL,
  `user_id` int(10) unsigned NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `group_id` (`group_id`,`user_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Group User HABTM Relational Table' AUTO_INCREMENT=51 ;

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `username` varchar(250) collate utf8_bin NOT NULL default '',
  `password` varchar(250) collate utf8_bin NOT NULL default '',
  `active` tinyint(1) unsigned NOT NULL default '1',
  `created` datetime default NULL,
  `modified` datetime default NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='User Data Information' AUTO_INCREMENT=17 ;

 

The first thing we need to address is the parent_node function in the Groups table. For the Groups table we don't want groups to parent to anything but the root so we have this return it as null in the parentNode function, which is called by the ACLBehavior. More on this in a minute. We also set the HABTM Relationship here, with the minimal assignments. There are no special finderQuerys needed for this example.

<?php
class Group extends AppModel {
    var $name = 'Group';
    var $actsAs = array('Acl'=>'requester');

    var $hasAndBelongsToMany = array(
        'User' => array(
            'className'             => 'User',
            'joinTable'             => 'groups_users',
            'foreignKey'            => 'user_id',
            'associationForeignKey' => 'group_id',
            'uniq'                  => true,
        )
    );
       
    function parentNode()
    {
        return null;
    }
}

?>

 

Next we address the Users Model. Here, because of the HABTM relationship to Groups, we have to adjust the parentNode in the model. I have left out the validation aspects for brevities sake. As you can see here, this model $actsAs CustomACL. The parenNode has also been restructured to parse the multiple groups assigned to the User data. This is all pretty straight forward.

<?php
class User extends AppModel {

    var $name = 'User';
    var $actsAs = array( 'CustomAcl'=>'requester' );
    var $displayField = 'username';

    var $hasAndBelongsToMany = array(
        'Group' =>
            array(
                'className'             => 'Group',
                'joinTable'             => 'groups_users',
                'foreignKey'            => 'group_id',
                'associationForeignKey' => 'user_id',
                'uniq'                  => true,
            )
    );
       
    function checkUnique($data, $fieldName) {
        $valid = false;
        if(isset($fieldName) && $this->hasField($fieldName))
        {
            $valid = $this->isUnique(array($fieldName => $data));
        }
        return $valid;
    }

    function parentNode() {
        if (!$this->id) {
            return null;
        }
        $data = $this->read();
        $aroArray = array();
        if (!$data['Group']){
            return null;
        } else {
            foreach($data['Group'] as $key)
            {
                $aroArray[] = array('model' => 'Group', 'foreign_key' => $key['id']);
            }
            return $aroArray;
        }
    }

    function validLogin($data)
    {

        $user = $this->find(array('username' => $data['User']['username'], 'password' => ($data['User']['password'])), array('id','username', 'password'));
        if(!empty($user)){
            $this->user = $user['User'];
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }
}
?>

 

 

Now we go to work on the CustomAclBehavior. This is basically a direct copy of the AclBehavior from the Cake core library. There are2 main differences between this behavior, and the core AclBehavior.

  1. afterSave(&$model, $created)
  2. beforeDelete(&$model)

Restructured to parse multi-dimensional parents Array passed from parentNode.Also restructured code to allow for HABTM associations in the {$type} to be erased before assigning new associations. Without this, the old ARO's were not being erased, and simply adding to the ARO Tree.Alias has been set now. In the original AclBehavior, the alias was not being set. I have assigned it here based upon $displayField so as to be reuseable by other models if need be. This also means that you should be sure to set your models displayField implicitly to ensure that the correct alias is set. This was changed from afterDelete(&$model) to be able to access the model data so as to remove multiple group assignments in the ACO/ARO as the case may be.

<?php
class CustomAclBehavior extends ModelBehavior {
/**
 * Maps ACL type options to ACL models
 *
 * @var array
 * @access protected
 */
    var $__typeMaps = array('requester' => 'Aro', 'controlled' => 'Aco');
/**
 * Sets up the configuation for the model, and loads ACL models if they haven't been already
 *
 * @param mixed $config
 */
    function setup(&$model, $config = array()) {
        if (is_string($config)) {
            $config = array('type' => $config);
        }
        $this->settings[$model->name] = am(array('type' => 'requester'), $config);
        $type = $this->__typeMaps[$this->settings[$model->name]['type']];

        if (!ClassRegistry::isKeySet($type)) {
            uses('model' . DS . 'db_acl');
            $object =& new $type();
        } else {
            $object =& ClassRegistry::getObject($type);
        }
        $model->{$type} =& $object;
        if (!method_exists($model, 'parentNode')) {
            trigger_error("Callback parentNode() not defined in {$model->name}", E_USER_WARNING);
        }
    }
/**
 * Retrieves the Aro/Aco node for this model
 *
 * @param mixed $ref
 * @return array
 */
    function node(&$model, $ref = null) {
        $type = $this->__typeMaps[low($this->settings[$model->name]['type'])];
        if (empty($ref)) {
            $ref = array('model' => $model->name, 'foreign_key' => $model->id);
        }
        return $model->{$type}->node($ref);
    }
/**
 * Creates new ARO/ACO nodes bound to this record
 *
 * @param boolean $created True if this is a new record
 */
    function afterSave(&$model, $created) {
        $type = $this->__typeMaps[low($this->settings[$model->name]['type'])];
        $parents = $model->parentNode();
        $data = $model->read();
        $parentArray = array();
        if (!empty($parents)) {
            foreach ($parents as $parent)
            {
                $parentArray[] = $this->node($model, $parent);
            }
        } else {
            $parent = null;
        }
        $nodes = $this->node($model);
        if (!empty($nodes)) {
            foreach ($nodes as $node)
            {
                if($model->{$type}->deleteAll(array('alias' => $data[$model->name][$model->displayField])))
                {
                    $return = TRUE;
                }
            }
        }
        foreach ($parentArray as $parent)
        {
                $model->{$type}->create();
                $model->{$type}->save(array(
                'parent_id'     => Set::extract($parent, "0.{$type}.id"),
                'model'         => $model->name,
                'foreign_key'   => $model->id,
                'alias'         => $data[$model->name][$model->displayField]
            ));
        }
    }
/**
 * Destroys the ARO/ACO nodes bound to the deleted record
 *
 */
    function beforeDelete(&$model) {
        $data = $model->read();
        $return = FALSE;
        $type = $this->__typeMaps[low($this->settings[$model->name]['type'])];
        $nodes = $this->node($model);
        if (!empty($nodes)) {
            foreach ($nodes as $node)
            {
                if($model->{$type}->deleteAll(array('alias' => $data[$model->name][$model->displayField])))
                {
                    $return = TRUE;
                }
            }
        }
       
        return $return;
    }
   
}  
?>

 

And that's all there is to it. Combined with the previous post I had set, and Brian's post This has become a seriously extensible ACL/AUTH System. Any questions don't be afraid to ask.

Created: Thu, Jan 24th 2008, 18:39 Modified: Wed, Jul 21st 2010, 09:18

Comments

On Thu, Jan 24th 2008, 19:48

FUZZI Said:

It would be really great if someone could setup a working live example of this and put the whole source code online.
On Sun, Jan 27th 2008, 16:14

T73Net Said:

Sure. Once I get the Blog set back up and functional, I'll see what I can do to accommodate this request. Until then let me know if you have any questions.
On Tue, Feb 26th 2008, 11:20

lightglitch Said:

Can you post your beforeFilter in AppController code because I'm having trouble in getting the login to work.
On Tue, Feb 26th 2008, 12:09

lightglitch Said:

I found out my problem, no need to post anything anymore.
On Thu, Mar 27th 2008, 00:57

sakhunzai Said:

This is an excellent thing but i got in to trouble with this implementation ! Can you help me ? Few questions : 1- A user is assinged to more than one group how you will create ARO for the user?Which group id will be inserted into parent_node entry for USER aro record as there are multiple parents !!! 2. If you are not able to create the ARO how other way you can authenticate user actions e.g w.r.t POST (add/edit/delete) as these actions require low level definition ARO /ACOs Did you get me ? thanking you in advance .
On Thu, Jul 3rd 2008, 00:57

diagnostix Said:

Hi, your post was exactly what i was looking for. I managed to get it work except that when I add new users, it throws up this warning. Warning (512): AclNode::node() - Couldn't find Aro node identified by "Array ( [Aro0.model] => User [Aro0.foreign_key] => 21 ) " [CORE\cake\libs\model\db_acl.php, line 196] But everything still seems ok, the multiple aros get created and so. From what i can tell, it's saying it can't find the record in the Aro for User/21, so this must be triggered before the record was inserted? Any clue? it's driving me crazy....
On Wed, Aug 27th 2008, 16:37

zick Said:

I think there is a bug in the code. In the User model, it should be 'foreignKey' => 'user_id', 'associationForeignKey' => 'group_id', And in the Group model, it should be 'foreignKey' => 'group_id', 'associationForeignKey' => 'user_id', Correct me if I'm wrong...
On Mon, Sep 22nd 2008, 17:16

Sam Said:

Great job ! Works great. I just change component name and add import because we just want to override default AclBehavior. It looks like that: [code] __typeMaps[low($this->settings[$model->name]['type'])]; if (empty($ref)) { $ref = array('model' => $model->name, 'foreign_key' => $model->id); } return $model->{$type}->node($ref); } /** * Creates new ARO/ACO nodes bound to this record * * @param boolean $created True if this is a new record */ function afterSave(&$model, $created) { $type = $this->__typeMaps[low($this->settings[$model->name]['type'])]; $parents = $model->parentNode(); $data = $model->read(); $parentArray = array(); if (!empty($parents)) { foreach ($parents as $parent) { $parentArray[] = $this->node($model, $parent); } } else { $parent = null; } $nodes = $this->node($model); if (!empty($nodes)) { foreach ($nodes as $node) { if($model->{$type}->deleteAll(array('alias' => $data[$model->name][$model->displayField]))) { $return = true; } } } foreach ($parentArray as $parent) { $model->{$type}->create(); $model->{$type}->save(array( 'parent_id' => Set::extract($parent, "0.{$type}.id"), 'model' => $model->name, 'foreign_key' => $model->id, 'alias' => $data[$model->name][$model->displayField] )); } } /** * Destroys the ARO/ACO nodes bound to the deleted record */ function beforeDelete(&$model) { $data = $model->read(); $return = false; $type = $this->__typeMaps[low($this->settings[$model->name]['type'])]; $nodes = $this->node($model); if (!empty($nodes)) { foreach ($nodes as $node) { if($model->{$type}->deleteAll(array('alias' => $data[$model->name][$model->displayField]))) { $return = TRUE; } } } return $return; } } ?> [/code]
On Mon, Sep 22nd 2008, 17:23

Sam Said:

Sorry for formatting ! You should post your code in the bakery... I added before class declaration: App::import('Behavior', 'Acl'); Changed the name to AppAclComponent and removed the startup method...
On Mon, Mar 23rd 2009, 15:24

Amit Said:

Any chance of putting up fully working sample code? I'm going through this right now and it would be great to have something to reference against.
On Wed, Jul 22nd 2009, 02:47

Alain Said:

Hello, first of all thank you for the great post. when I add a user i get: AclNode::node() - Couldn't find Aro node identified by "Array ( [Aro0.model] => User [Aro0.foreign_key] => 6 ) " [CORE/cake/libs/model/db_acl.php, line 191] but in the aros table i can see the row of user with the foreign key of 6 This only happens in the creation of the user, in the update no errors were thrown.
On Tue, Sep 1st 2009, 23:38

derhong Said:

You need to modify several places in the codes to make it work. 1. In model/group.php make sure 'foreignKey' => 'group_id', 'associationForeignKey' => 'user_id', 2. In model/user.php make sure 'foreignKey' => 'user_id', 'associationForeignKey' => 'group_id', 3. In the afterSave() method in CustomAclBehavior class if it is a new (user) record, we can skip delete all nodes related to the user, therefore, we should include codes in an if statement: if ( !$created ){ $nodes = $this->node($model); if (!empty($nodes)) { foreach ($nodes as $node) { if($model->{$type}->deleteAll(array('alias' => $data[$model->name][$model->displayField]))) { $return = TRUE; } } } } This can resolve the "AclNode::node() - Couldn't find Aro node identified by "Array ( [Aro0.model] => User [Aro0.foreign_key] => 6 ) " [CORE/cake/libs/model/db_acl.php, line 191]" warning.
On Sat, Sep 5th 2009, 00:25

Damien Said:

Well, in order to make this code to work, you'll have to do what derhon said. But there's also another problem : into the Model Group (group.php), the variable $actAs must describe customAcl AND Acl, in order to let Cake create the aro record in the Aro database (and not into the aco database, as Acl use to do when no information are provided to $actAs...) new code in {app}/models/group.php : var $actsAs = array( 'CustomAcl'=>'requester','Acl' => 'requester' );
On Wed, Dec 2nd 2009, 16:38

Dragonjc Said:

Just one question, this work is fine for me. But i need to have a tree of group, so my group table lok like this : 
CREATE TABLE `eff_com_groups` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `parent_id` int(10) unsigned DEFAULT NULL,
  `lft` int(10) unsigned NOT NULL,
  `rght` int(10) unsigned NOT NULL,
  `libelle` varchar(50) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL,
  `description` text CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 ROW_FORMAT=DYNAMIC AUTO_INCREMENT=8 ;
So my questions are : - is it necessary to add a parentnode to into group model - how can i do this, i learn a lot about ACL and see how to do, but don't understand really how it works with cake
On Fri, Jan 15th 2010, 01:58

freedwsda Said:

'foreignKey' => 'group_id', 'associationForeignKey' => 'user_id', 2. In model/user.php make sure 'foreignKey' => 'user_id', 'associationForeignKey' => 'group_id', 3. In the afterSave() ccda exam method in CustomAclBehavior class if it is a new (user) record, we can skip delete all nodes related to the user, ccdp certification therefore, we should include codes in an if statement: if ( !$created ){ $nodes = $this->node($model); if (!empty($nodes)) { foreach ($nodes as $node) testking ccie { if($model->{$type}->deleteAll(array('alias' => $data[$model->name][$model->displayField]))) { $return = TRUE; } } } } This can resolve the "AclNode::node() - Couldn't find Aro node identified by "Array ( [Aro0.model] => User [Aro0.foreign_key] => 6 ) " [CORE/cake/libs/model/db_acl.php, line 191]" warning.
On Mon, Feb 15th 2010, 04:14

Natali Said:

Well, this is a very valuable post. Thanks for the information you provided. It would be great if got more post like this. I appreciate it
On Wed, May 12th 2010, 16:51

Seth Said:

I'm having trouble getting this working. CakePHP seems to want to use the core ACL still, rather than the customer behavior. Do you know if this works with CakePHP 1.2.5?
On Wed, Jul 21st 2010, 09:18

Andre Said:

Hi, your post works fine, but I've two problems: 1. by adding or editing a group, the choosen users aren't saved to aro table (but in my groups_users relation table) 2. by editing or deleting a user without any group, I get the error 'AclNode::node() - Couldn't find Aro node identified by ...'. (because there is no aro for this user) Has anyone a solution? I have tried it, but my experience in cakephp is short.
Add Comment