CakePHP: authorizing actions based on belongsTo relationships

Question

Let's keep it simple.

A project has just two models:

1. User (hasMany Project)
2. Project (belongsTo User)

Users are only allowed to perform actions on the projects which they own. No one else's.

I know how to manually check who the logged in user is and whether or not he/she owns a specific project, but is there a better, more global way to do this? I'm looking for a more D.R.Y. way that doesn't require repeating the same validation inside multiple actions. For example, is there a config setting like maybe...

Configure::write('Enforce_belongs_to', true);

...or maybe a setting/option on the Auth component.

Maybe this is crazy, but I figured I'd ask.

Answer 1

I'm not sure if what I'm answering is the best-utermost-dry-it's-almost-dehydrating approach, but is the simplest thing I could think of.

In the Project model, create a function that return an array of project ids associated to an user.

class Project extends AppModel {
    public function getByUserId($userId) {
        $projectsArray = array();

        if ($userId != "valid")
           //do all the checks, if it's not null, numeric, if the id exists, etc

        $projects = $this->Project->find('all', array('conditions'=>
                        array('user_id'=>$userId)));
        if (!empty($projects)) {
            foreach($projects as $i => $project)
                $projectsArray[] = $project['Project']['id'];
        }
        return $projectsArray;
    }
}

You mention a find('first') in your comment, but I'm assuming you want all the projects related to the user instead of just the first. If not, it's a simple modification of that function. Also, I'm just getting the ids, but you may want an $id=>$name_project array, up to you.

Now, I don't know what you mean by "only allowed to perform actions", is it just edits that are restricted? Or lists or views should be restricted and not even shown to the user if the project is not his/hers?

For the first case, restrict editing, modify beforeSave.

public function beforeSave($options = array()) {
    if(!$this->id && !isset($this->data[$this->alias][$this->primaryKey])) {
        //INSERT
        //not doing anything
    } else {
        //UPDATE
        //check if project inside allowed projects array
        $allowed = $this->getByUserId(CakeSession::read("Auth.User.id"));
        if (!in_array($this->id, $allowed))
           return false; //or throw error and catch it in the controller
    }
     return true;
}

The code is untested, but in general terms, you prevent the edit of a project that is not "the user's" just before the update of the record. I assume the insert of new projects is free for everyone. According to this post, all saving functions except saveAll pass through this filter first, so you will need to overwrite the saveAll function and add a validation similar to the one in beforeSave (as explained in the answer there).

And for the second part, filtering results so the user isn't even aware that there are other projects instead of his/hers, change beforeFind. The docs talk about restricting results based on user's roles, so I guess we're on the right track.

public function beforeFind($queryData) {
    //force the condition
    $allowed = $this->getByUserId(CakeSession::read("Auth.User.id"));
    $queryData['conditions'][$this->alias.'.user_id'] = $allowed;

    return $queryData;
}

Since the $allowed array has just id values, it'll work like an IN clause, but if you change that array structure, be sure to modify these functions accordingly.

And that's it. I'm thinking about the more basic cases here, edit, view, delete... Ups, delete... change the beforeDelete function also, to avoid any evil users who want to delete others property. The logic remains the same (check if project id is in allowed array, if not, return false or throw error), so I won't add the example of that function here. But that's the basic stuff. If for some reason you want to have the allowed projects in the controller, call the getByUserId function in beforeFilter and handle that ids array there. You can even store it in session, but you'll have to have in mind maintaining that session when adding or deleting projects.

If you want a superadmin that can see and edit everything, just add a condition in getByUserId that checks the role of the user, and if it is an admin, return all projects.

Also, keep in mind: maybe Project has many... subprojects (not much imagination), and so, the user related to the project can add subprojects, but the same evil user as before modifies the hidden project_id that subproject has and edits it. In that case, I recommend you also add a validation in Subproject to avoid actions on models related to Project that are not his. If you have the Security component in place and the edit and delete actions can just be reached by forms, this is a minor thing because Security Component well used avoids form tampering. But give it a thought to see if you need to validate "Subproject" instances also.

As Ayo Akinyemi mentioned, you can use all this as a behavior. I haven't personally done so, but it meets the requirements, all the callbacks modified here are what you modify in a behaviour. You'll have to encapsulate the logic, column names (need to be variable an not set hardcoded, like user_id), etc, but it will be reusable in any other cake project you'll have. Something like StrongBelongBehavior or MoreDRYBehavior. And share it if you do it :)

I'm not sure if Auth component has some way of doing what you want, but that would be the best option I guess. Until some enlightens me (I haven't investigate much this issue), this is the solution I'd use.

Answer 2

Adding to Nunser's answer, here would be a general concept of how the behavior would be. You can then attach it to the applicable model.

    class StrongBelongBehavior extends ModelBehavior
    {
       public function beforeFind(  Model $Model, $query = array() ) { 
         $query['conditions'] = array_merge( (array)$query['conditions'], array( $Model->alias.'.user_id' => CakeSession::read("Auth.User.id" ) );
         return $query;
       }

       public function beforeSave( Model $Model ) {
        $projectId = Hash::get( $Model->data, 'Poject.id' );
        if( $projectId ) {
           $Model->loadModel('UserProject'); // UserProject is a custom model
           $canEdit =  $Model->UserProject->projectIDExists( $projectId ); // returns true if projectId belongs to the current user
           if ( ! $canEdit  ) {
             return false;
           }
        }
       return true;
       }
     }