CakePHP ACL action mode vs CRUD mode
I am learning the ACL feature of CakePHP. I have gone through the CakePHP docs. To learn more, I have checked the code/db of some ACL plugins like Croogo and the Alaxos ACL plugin. I can see that in the aros_acos table there are columns like _create, _read, _update and _delete. From those examples (Croogo/Alaxos), for an action, for example add (under the users controller), I can see the value as 1 1 1 1 in the _create, _read, _update and _delete columns. As the name indicates, add should only be mapped to _create (1 0 0 0), right? Also, in this scenario do we need 4 columns?
I'm confused about the action mode versus the CRUD mode. In my application there are some features like approve, reject etc. other than CRUD. Do I need to add columns for these actions? Or would mapActions be suitable for this (in that case, do I need to map all actions in the controller)? Also, in my app I need to give owner-edit and owner-delete permissions. How do I do all this with CakePHP ACL in a better way?
It depends on what you want to do with Acl. What you have looked at in Croogo or the Alaxos Acl plugin (my plugin, by the way) is the use of Acl to allow/deny access to some actions.
This is achieved by the use of the AuthComponent and AclComponent together. When doing this, if you look at the Cake code, the permission check is done in the DbAcl class in the following method, which potentially takes three arguments.
The call to this function is done by the ActionsAuthorize class in the authorize() function at the following line, which is obviously a call without the third argument.
So basically, what is this third argument? It is the way to take care of the _xxx fields of the aros_acos data table. So all together this means that the Auth+Acl components do not use these _xxx fields to check permissions.
Well, actually they are used, but differently: when the third argument is not used, all fields set to 1 means allowed, and if one or more fields are set to -1, it means denied. Personally, for the Alaxos Acl plugin, I chose to set all these fields to -1 for a deny, just for more clarity. Regarding your application, if its 'features' are mapped to actions, you could probably just forget these _xxx fields and use the core Auth+Acl mechanism.
About your last question (owner edit and delete), it is a frequently asked question with Cake ACL.
The answer, most of the time, is that it is simpler to compare Object.user_id with the logged-in user's id to decide if a user can edit/delete a record. Cake ACL does not support record owners out of the box.
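As an added example (not code from the answer above, nor from CakePHP, Croogo or the Alaxos plugin), the stand-alone PHP script below re-implements the evaluation rule the answer describes for the _create/_read/_update/_delete columns: without a third argument every column on the inheritance path must resolve to 1 and a single -1 denies; with a third argument only the named column is consulted. Running it shows why plugins write 1 1 1 1 for an action like Users/add rather than the 1 0 0 0 the question expects, and it includes the plain owner comparison the answer recommends instead of ACL. The rows, the `row()` helper, the `aclCheck()`/`isOwner()` names and the `user_id` field are constructed assumptions for the example.

```php
<?php
declare(strict_types=1);

// Simplified, stand-alone re-implementation of the aros_acos evaluation rule.
// Added example; not CakePHP's own code. A "path" is the list of permission
// rows from the most specific ARO/ACO pair to the least specific one, which is
// the order the framework walks when resolving inherited permissions.

const PERM_KEYS = ['_create', '_read', '_update', '_delete'];

/**
 * Resolve a permission path.
 *
 * $action = '*' mirrors the call made without a third argument: every column
 * must resolve to 1 somewhere on the path, and a single -1 denies outright.
 * A named action (create|read|update|delete) consults only that one column.
 */
function aclCheck(array $path, string $action = '*'): bool
{
    if ($action !== '*' && !in_array('_' . $action, PERM_KEYS, true)) {
        throw new InvalidArgumentException("Unknown ACL action: $action");
    }

    if ($action === '*') {
        $inherited = [];
        foreach ($path as $row) {
            foreach (PERM_KEYS as $key) {
                $value = (int)($row[$key] ?? 0);
                if ($value === -1) {
                    return false;          // an explicit deny anywhere on the path wins
                }
                if ($value === 1) {
                    $inherited[$key] = 1;  // 0 means "inherit": keep walking up the tree
                }
            }
            if (count($inherited) === count(PERM_KEYS)) {
                return true;               // all four columns resolved to 1
            }
        }
        return false;                      // at least one column never left 0: not granted
    }

    $key = '_' . $action;
    foreach ($path as $row) {
        $value = (int)($row[$key] ?? 0);
        if ($value === -1) {
            return false;
        }
        if ($value === 1) {
            return true;
        }
        // 0: inherit, look at the next (less specific) row
    }
    return false;
}

/**
 * The owner check the answer recommends instead of ACL: compare the record's
 * owner column with the logged-in user's id. Field names are assumptions.
 */
function isOwner(array $loggedUser, array $record, string $ownerField = 'user_id'): bool
{
    if (!isset($loggedUser['id'], $record[$ownerField])) {
        return false;                      // missing data: fail closed
    }
    return (int)$loggedUser['id'] === (int)$record[$ownerField];
}

function row(int $c, int $r, int $u, int $d): array
{
    return ['_create' => $c, '_read' => $r, '_update' => $u, '_delete' => $d];
}

// Constructed rows for controllers/Users/add; not read from a real database.
$croogoStyle = [row(1, 1, 1, 1)];                  // the "1 1 1 1" seen in Croogo/Alaxos
$createOnly  = [row(1, 0, 0, 0)];                  // the "1 0 0 0" the question expects
$alaxosDeny  = [row(-1, -1, -1, -1)];              // Alaxos-style explicit deny
$inheritPath = [row(0, 0, 0, 0), row(1, 1, 1, 1)]; // child node inherits from its parent

var_dump(aclCheck($croogoStyle));           // no third argument: all four columns are 1
var_dump(aclCheck($createOnly));            // no third argument: _read/_update/_delete stay 0
var_dump(aclCheck($createOnly, 'create'));  // third argument: only _create is consulted
var_dump(aclCheck($alaxosDeny));            // explicit deny
var_dump(aclCheck($inheritPath));           // the 0s fall through to the parent's 1s
var_dump(isOwner(['id' => 7], ['id' => 42, 'user_id' => 7]));
```

In CakePHP 2.x the third argument is the `$action` parameter of `AclComponent::check($aro, $aco, $action = '*')`, so `$this->Acl->check($user, 'controllers/Users/add', 'create')` is the call that would make a 1 0 0 0 row sufficient; the default ActionsAuthorize adapter never passes it, which is why a plugin that wants an allow must fill all four columns. For the owner rule, the usual place is `Controller::isAuthorized($user)` with the 'controller' authorize adapter, where a comparison like `isOwner()` above runs after the action-level ACL check has already passed.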