Simple ACL-controlled Application with CakePHP

What is ACL?

ACL, or Access Control List, is a common means to control access to applications or sites at a granular level. The basic premise is simple: you have 'whos' and 'whats', and the combination determines who can access what.

Why ACL?

Unless you want access to be all or nothing, you need to consider ACLs. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Requirements:
  • A running web server (e.g. Apache)
  • A database server (e.g. MySQL)
  • Basic PHP knowledge
Steps to Implement ACL:
  • Get a fresh copy of CakePHP: visit the CakePHP project (CakeForge) at http://github.com/cakephp/cakephp/downloads and download the stable release.
  • Configure database.php and core.php: once you have a fresh copy of Cake, set up your app/config/database.php file and change the value of Security.salt in your app/config/core.php.
  • Create the database and tables: we will build a simple database schema to base our application on. Execute the following SQL statements in your database.
CREATE TABLE users (
 id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
 username VARCHAR(255) NOT NULL UNIQUE,
 password CHAR(40) NOT NULL,
 group_id INT(11) NOT NULL,
 created DATETIME,
 modified DATETIME
 );
CREATE TABLE groups (
 id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
 name VARCHAR(100) NOT NULL,
 created DATETIME,
 modified DATETIME
 );
CREATE TABLE posts (
 id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
 user_id INT(11) NOT NULL,
 title VARCHAR(255) NOT NULL,
 body TEXT,
 created DATETIME,
 modified DATETIME
 );
Create models, controllers, and views: These are the tables we will be using to build the rest of our application. Once we have the table structure in the database we can start cooking. Use cake bake to quickly create your models, controllers, and views.

Implement Auth: In AppController add the following:
class AppController extends Controller {
    var $components = array('Acl', 'Auth', 'Session');
    var $helpers = array('Html', 'Form', 'Session');

    function beforeFilter() {
        // Configure AuthComponent: authorize against the ACL tree per controller action
        $this->Auth->authorize = 'actions';
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        // After logout, send the user to the login form (pointing this at the logout
        // action itself would make the logout action redirect to itself in a loop)
        $this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
        $this->Auth->loginRedirect = array('controller' => 'posts', 'action' => 'add');
    }
}
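As an added example, not code from the original post or from CakePHP itself, here is a UsersController for CakePHP 1.3 with login and logout actions that work with the AppController above. AuthComponent processes the posted login form on its own, so login() only has to exist for the form to render; beforeFilter() opens login and logout to unauthenticated users, which is required because with authorize set to 'actions' every other action is denied until ACL permissions have been granted. The flash message text is an assumption.

```php
<?php
// Added example (not from the original post): UsersController with
// login/logout for CakePHP 1.3, used together with the AppController above.
class UsersController extends AppController {
    var $name = 'Users';

    function beforeFilter() {
        // Keep the AppController's Auth configuration
        parent::beforeFilter();
        // login and logout must be reachable without an ACL grant, otherwise
        // nobody can authenticate in order to obtain any permissions at all.
        $this->Auth->allow('login', 'logout');
    }

    // AuthComponent checks the submitted username/password itself; the action
    // exists so that views/users/login.ctp is rendered for GET requests.
    function login() {
    }

    function logout() {
        // Destroy the Auth session data, then send the user back to the login form.
        // The redirect target is given explicitly so this does not depend on the
        // value of Auth->logoutRedirect in AppController.
        $this->Auth->logout();
        $this->Session->setFlash('You have been logged out.'); // assumed message
        $this->redirect(array('controller' => 'users', 'action' => 'login'));
    }
}
```

Once permissions exist (see Setting Permissions below), the remaining actions of this controller are checked by AuthComponent against the ACL path 'controllers/Users/<action>', so nothing beyond login and logout is reachable without an explicit grant.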
Initialize the Db Acl tables (create your ACL database tables): Before we create any users or groups we will want to connect them to the Acl. However, we do not have any Acl tables at this time, and if you try to view any pages right now you will get a missing table error ("Error: Database table acos for model Aco was not found."). To remove these errors we need to run a schema file. In a shell run the following:

cake schema create DbAcl

This schema will prompt you to drop and create the tables. Say yes to dropping and creating the tables.

Acts as a Requester: For Auth and Acl to work properly we need to associate our users and groups to rows in the Acl tables. In order to do this we will use the AclBehavior. The AclBehavior allows for the automatic connection of models with the Acl tables. Its use requires an implementation of parentNode() on your model. In the User model we will add the following:
">var $name = 'User';
var $belongsTo = array('Group');
var $actsAs = array('Acl' => array('type' => 'requester'));
function parentNode() {
if (!$this->id && empty($this->data)) {
return null;
}
if (isset($this->data['User']['group_id'])) {
$groupId = $this->data['User']['group_id'];
} else {
$groupId = $this->field('group_id');
}
if (!$groupId) {
return null;
} else {
return array('Group' => array('id' => $groupId));
Then in the Group model add the following:

var $actsAs = array('Acl' => array('type' => 'requester'));

function parentNode() {
    // Groups are top-level AROs
    return null;
}
The controllers and models are now prepped for adding some initial data, and the Group and User models are bound to the Acl tables. So add some groups and users using the baked forms by browsing to //example.com/groups/add and //example.com/users/add. We have made the following groups:
  • administrators
  • managers
  • users
Create ACOs (Access Control Objects): Now that we have our users and groups (AROs), we can begin inputting our existing controllers into the Acl and setting permissions for our groups and users, as well as enabling login/logout.

Our AROs are created automatically when new users and groups are created. What about a way to auto-generate ACOs from our controllers and their actions? Unfortunately there is no magic way in CakePHP core to accomplish this. The core classes offer a few ways to manually create ACOs though: you can create ACO objects from the Acl shell, or you can use the AclComponent. Creating ACOs from the shell looks like:

cake acl create aco root controllers

While using the AclComponent it would look like:

$this->Acl->Aco->create(array('parent_id' => null, 'alias' => 'controllers'));
$this->Acl->Aco->save();
Both of these examples would create our 'root' or top level ACO, which is going to be called 'controllers'. The purpose of this root node is to make it easy to allow/deny access on a global application scope, and to allow the use of the Acl for purposes not related to controllers/actions, such as checking model record permissions.

Add action path to AppController: As we will be using a global root ACO we need to make a small modification to our AuthComponent configuration. AuthComponent needs to know about the existence of this root node, so that when making ACL checks it can use the correct node path when looking up controllers/actions. In AppController add the following to beforeFilter():

$this->Auth->actionPath = 'controllers/';

Setting Permissions
style="text-align: justify;">In Controller add a function to allow and deny access
style="text-align: justify;">$this->Acl->allow($aroAlias, $acoAlias);
eg: -$group =& $this->User->Group;
$this->Acl->deny($group, 'controllers');
$this->Acl->allow($group, 'controllers/Posts/add');
Or in cmd:
grant   [] or all
Use this command to grant ACL permissions. Once executed, the ARO
specified (and its children, if any) will have ALLOW access to the
specified ACO action (and the ACO's children, if any).
For more detailed parameter usage info,
see help for the 'create' command.
deny   [] or all
Use this command to deny ACL permissions. Once executed, the ARO
specified (and its children, if any) will have DENY access to the
specified ACO action (and the ACO's children, if any).
For more detailed parameter usage info,
see help for the 'create' command.
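The following is an added example, not part of the original post or of the CakePHP project: a one-off initDB() action, to be added to the baked UsersController, that builds the ACO tree under the 'controllers' root with the AclComponent and then assigns a deny-by-default permission set to the three groups created above. The controller/action list, the group ids 1 to 3 (check them in your groups table) and the flash messages are assumptions. Everything is denied at the root first and only specific paths are then allowed, so each group gets exactly what is listed, and the check() calls at the end confirm the result before you rely on it.

```php
<?php
// Added example (not from the original post): builds the ACO tree and sets
// group permissions for the tutorial application. Run it once, then remove it.
class UsersController extends AppController {
    var $name = 'Users';

    function beforeFilter() {
        parent::beforeFilter();
        // initDB must be callable before any grant exists; remove this line
        // (and the action) once the permissions have been created.
        $this->Auth->allow('initDB');
    }

    function initDB() {
        $aco =& $this->Acl->Aco;

        // 1. ACO tree: controllers -> <Controller> -> <action>. The list of
        //    controllers and actions is an assumption matching the baked code.
        $tree = array(
            'Posts'  => array('index', 'view', 'add', 'edit', 'delete'),
            'Users'  => array('index', 'view', 'add', 'edit', 'delete'),
            'Groups' => array('index', 'view', 'add', 'edit', 'delete'),
        );

        // Reuse the root node if 'cake acl create aco root controllers' already made it
        $root = $aco->node('controllers');
        if (empty($root)) {
            $aco->create(array('parent_id' => null, 'alias' => 'controllers'));
            $aco->save();
            $rootId = $aco->id;
        } else {
            $rootId = $root[0]['Aco']['id'];
        }
        foreach ($tree as $controller => $actions) {
            $aco->create(array('parent_id' => $rootId, 'alias' => $controller));
            $aco->save();
            $controllerId = $aco->id; // keep before the inner loop overwrites $aco->id
            foreach ($actions as $action) {
                $aco->create(array('parent_id' => $controllerId, 'alias' => $action));
                $aco->save();
            }
        }

        // 2. Permissions. Group ids are assumptions: 1 administrators, 2 managers, 3 users.
        $group =& $this->User->Group;

        $group->id = 1; // administrators: everything
        $this->Acl->allow($group, 'controllers');

        $group->id = 2; // managers: only the Posts controller
        $this->Acl->deny($group, 'controllers');
        $this->Acl->allow($group, 'controllers/Posts');

        $group->id = 3; // users: read posts and add their own, nothing else
        $this->Acl->deny($group, 'controllers');
        $this->Acl->allow($group, 'controllers/Posts/index');
        $this->Acl->allow($group, 'controllers/Posts/view');
        $this->Acl->allow($group, 'controllers/Posts/add');

        // 3. Verify the outcome: a plain user may add posts but not delete them,
        //    and has no access to the Users controller at all.
        $group->id = 3;
        $ok = $this->Acl->check($group, 'controllers/Posts/add')
            && !$this->Acl->check($group, 'controllers/Posts/delete')
            && !$this->Acl->check($group, 'controllers/Users/index');

        $this->Session->setFlash($ok ? 'ACL initialised.' : 'ACL check failed, review the ACO tree.');
        $this->redirect(array('action' => 'index'));
    }
}
```

Browse to //example.com/users/initDB once, confirm the flash message, then delete the action and the Auth->allow('initDB') line so that the permission setup cannot be re-run from the web. Running it twice would create duplicate ACO nodes.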

All done! You should now have an application controlled by Auth and Acl.