
CakePHP ACL Tutorial: Auth Component Example


The following example gives a quick overview of how the ACL Component restricts site access when it is used in conjunction with the built-in Authentication Component.

1. Betty Crocker attempts to visit the URL:

http://www.cakephp.org/recipes/edit

2. Parsing the URL

When the request is made, the Authentication Component determines that the requested URL corresponds to the controller named Recipes and the action named edit, which corresponds to the action type of update.

3. Is Page Restricted?

The Authentication Component determines that access to this combination of controller and action is restricted, so it checks whether the user has logged in.

4. Display Login Form

Since the user has not logged in, the Authentication Component redirects the user to a login form, which requests a username and password.

5. Match Username

After the form is submitted with a username and password that match an entry in the user database, the Authentication Component determines that the user’s name is bettycrocker.

6. Ask ACL For Access

The Authentication Component asks the ACL Component if the user named bettycrocker is allowed to update models governed by the Recipes controller.

7. ACL Determines Access

The ACL Component then examines its data tables and discovers that the user bettycrocker has no explicitly set permissions for any pages of the site. It determines, however, that she is a member of the chefs group, and that any user in the group chefs has the ability to update Recipes, so the ACL Component responds that, since bettycrocker is a chef, she has the inherited permission to update recipes.

8. Auth Delivers Page

Upon learning about this right of access, the Authentication Component directs the user to the requested page. Had permission not been granted, any one of a number of alternate pages would be displayed depending on how the Authentication Component

Key Point: ACL Must Be Used With A User Login System

What the example should make clear is that, in this type of usage, the ACL Component’s job is to check whether a submitted user has particular permissions, inherited or explicitly set, for a submitted page.

Therefore, the ACL Component must be used in conjunction with a component that does the following:

  • stores usernames and passwords;
  • collects a username and password from a login form;
  • matches the username and password to the stored values;
  • upon a successful match, submits this username to the ACL component along with information about the page being requested;
  • either displays the requested page or redirects the user to another page depending on whether the ACL component provides access to the requested page.

The built-in Authentication Component is a natural choice to use for the needed user login system.
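
The request flow in steps 2 through 8, together with the division of work between the login system and the ACL check, as an added example in plain PHP (it is not CakePHP's own code and not part of the original article). The lookup tables, function names and returned strings are assumptions constructed for illustration, and it goes slightly beyond the walk-through by also showing the deny-by-default result for a logged-in user who has no matching rule.

```php
<?php
// Constructed sample data; names and layout are assumptions, not CakePHP's ACL tables.
const ACTION_TYPES = ['index' => 'read', 'view' => 'read', 'add' => 'create',
                      'edit' => 'update', 'delete' => 'delete'];
const PUBLIC_TYPES = ['recipes' => ['read']];   // every other combination is restricted
const USERS        = ['bettycrocker' => 'chefs', 'guest1' => 'visitors']; // user => group
const RULES        = ['chefs' => ['recipes' => ['update' => true]]];

// Step 2: map the URL to a controller and an action type.
function parseRequest(string $url): array
{
    $path   = trim((string) parse_url($url, PHP_URL_PATH), '/');
    $parts  = explode('/', strtolower($path));
    $action = $parts[1] ?? 'index';
    // An unmapped action gets the type "unknown", which is never public or granted.
    return [$parts[0], ACTION_TYPES[$action] ?? 'unknown'];
}

// Step 7: an explicit user rule wins, then the group's rule, then deny by default.
function aclCheck(string $user, string $controller, string $type): bool
{
    $requesters = array_filter([$user, USERS[$user] ?? null], fn ($r) => $r !== null);
    foreach ($requesters as $requester) {
        $rule = RULES[$requester][$controller][$type] ?? null;
        if ($rule !== null) {
            return $rule;
        }
    }
    return false;
}

// Steps 3 to 8: $user is the name matched by the login step, or null if not logged in.
function handle(string $url, ?string $user): string
{
    [$controller, $type] = parseRequest($url);
    if (in_array($type, PUBLIC_TYPES[$controller] ?? [], true)) {
        return 'deliver page';
    }
    if ($user === null || !array_key_exists($user, USERS)) {
        return 'redirect to login form';
    }
    return aclCheck($user, $controller, $type) ? 'deliver page' : 'access denied page';
}

$url = 'http://www.cakephp.org/recipes/edit';   // URL from step 1
foreach ([null, 'bettycrocker', 'guest1'] as $user) {
    echo ($user ?? '(not logged in)'), ': ', handle($url, $user), PHP_EOL;
}
```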


Monday April 14, 2008

All content © Aran Johnson