Peter Hough

Reputation: 560

CakePHP ACL. One action multiple permissions

I'm new to CakePHP but familiar with other PHP frameworks. I'm trying to figure out the 'Cake way' of implementing the following ACL setup.

I currently have ACL configured as in the Simple Acl tutorial. This works great when I want to restrict a group to a specific action.

However, I have one action, e.g. edit, and I want the edit action restricted depending on which group the user you are trying to edit is in.

A user in the Group 'user' will be denied access to the edit action.
A user in the Group 'moderator' will be allowed to edit if the user they are editing is in the group 'user'.
A user in the Group 'admin' will be allowed to edit if the user they are editing is in the Group 'user' or 'moderator'.

I'm having trouble getting my head around the fact that my User and Group tables are different to the aco's & aro's and how I should set up this relationship so it doesn't trip me up in the future.

I started experimenting with creating a routing index function that bounced you to different end actions (edit_user, edit_mod, edit_admin), which I could then lock down with ACL, but I wasn't sure if there was a better way to organise this.

Many thanks in advance,
Pete

Upvotes: 0

Views: 467

Answers (1)

Kevthunder

Reputation: 96

You could build your permissions like this:

ARO:

  • User
    • Moderator
      • Admin
    • some other type of member 1
    • some other type of member 2

ACO:

  • User Controller
    • Edit Action
      • Edit Users
        • Edit Moderators
          • Edit Admin
        • Edit some other type of member 1
        • Edit some other type of member 2

Then you can say:

  1. Moderator has rights to Edit Users: both moderator and admin can edit any type of member
  2. Moderator has no rights to Edit Moderators: both moderator and admin cannot edit moderator
  3. Admin has rights to Edit Moderators: Admin can edit Moderators and Admin
  4. and so on

Upvotes: 1
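The answer's two trees and its rules 1 to 3, resolved for every actor/target pair, as an added example in plain PHP (not code from the answer or from CakePHP). The names `pathToRoot`, `check` and `canEdit` are hypothetical, the resolution order is an assumption stated in the comments, and the "some other type of member" nodes are left out.

```php
<?php
// Simplified model of inherited allow/deny; not CakePHP's DbAcl code.
// Trees from the answer as child => parent; null marks the root.
$aroParent = ['User' => null, 'Moderator' => 'User', 'Admin' => 'Moderator'];
$acoParent = [
    'User Controller' => null, 'Edit Action' => 'User Controller',
    'Edit Users' => 'Edit Action', 'Edit Moderators' => 'Edit Users',
    'Edit Admin' => 'Edit Moderators',
];
// Rules 1-3 from the answer: [ARO][ACO] => true (allow) or false (deny).
$rules = [
    'Moderator' => ['Edit Users' => true, 'Edit Moderators' => false],
    'Admin'     => ['Edit Moderators' => true],
];
// Path from a node up to the root, most specific first.
function pathToRoot(array $parent, string $node): array
{
    $path = [];
    for ($n = $node; $n !== null; $n = $parent[$n] ?? null) {
        $path[] = $n;
    }
    return $path;
}
// Assumed order: the nearest ARO holding a matching rule decides, and on
// that ARO the deepest matching ACO wins. No matching rule means deny.
function check(string $aro, string $aco): bool
{
    global $aroParent, $acoParent, $rules;
    $acoPath = pathToRoot($acoParent, $aco);
    foreach (pathToRoot($aroParent, $aro) as $a) {
        foreach ($acoPath as $c) {
            if (isset($rules[$a][$c])) {
                return $rules[$a][$c];
            }
        }
    }
    return false;
}
// Pick the ACO from the group of the user being edited (looked up server-side).
function canEdit(string $actorGroup, string $targetGroup): bool
{
    $acoFor = ['User' => 'Edit Users', 'Moderator' => 'Edit Moderators', 'Admin' => 'Edit Admin'];
    return isset($acoFor[$targetGroup]) && check($actorGroup, $acoFor[$targetGroup]);
}

foreach (['User', 'Moderator', 'Admin'] as $actor) {
    foreach (['User', 'Moderator', 'Admin'] as $target) {
        printf("%-9s edits %-9s: %s\n", $actor, $target, canEdit($actor, $target) ? 'allow' : 'deny');
    }
}
```

The target's group has to come from the stored record for the id being edited, not from request data, and an unknown group falls through to deny.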
