CakePHP AclComponent – ACOs, AROs and Mapping

Continuing with Access Control Lists, we will read about the two Access Control Lists and their mapping. The Access Request Objects (AROs) are the things that seek permissions, and the Access Control Objects (ACOs) are the resources on which permissions are required. The two lists are maintained in two tables, named aros and acos respectively. The third table is a mapping table and it also has a pre-defined name, aros_acos. This table stores the CRUD (Create, Read, Update, Delete) permissions that an ARO holds on an ACO.

Start Using Cake ACL – Step 1

The first step involves setting up the database tables for the AclComponent. The standard SQL for the three tables is:

CREATE TABLE acos (
    id INTEGER(10) UNSIGNED NOT NULL AUTO_INCREMENT,
    parent_id INTEGER(10) DEFAULT NULL,
    model VARCHAR(255) DEFAULT '',
    foreign_key INTEGER(10) UNSIGNED DEFAULT NULL,
    alias VARCHAR(255) DEFAULT '',
    lft INTEGER(10) DEFAULT NULL,
    rght INTEGER(10) DEFAULT NULL,
    PRIMARY KEY (id)
);

CREATE TABLE aros (
    id INTEGER(10) UNSIGNED NOT NULL AUTO_INCREMENT,
    parent_id INTEGER(10) DEFAULT NULL,
    model VARCHAR(255) DEFAULT '',
    foreign_key INTEGER(10) UNSIGNED DEFAULT NULL,
    alias VARCHAR(255) DEFAULT '',
    lft INTEGER(10) DEFAULT NULL,
    rght INTEGER(10) DEFAULT NULL,
    PRIMARY KEY (id)
);

CREATE TABLE aros_acos (
    id INTEGER(10) UNSIGNED NOT NULL AUTO_INCREMENT,
    aro_id INTEGER(10) UNSIGNED NOT NULL,
    aco_id INTEGER(10) UNSIGNED NOT NULL,
    _create CHAR(2) NOT NULL DEFAULT 0,
    _read CHAR(2) NOT NULL DEFAULT 0,
    _update CHAR(2) NOT NULL DEFAULT 0,
    _delete CHAR(2) NOT NULL DEFAULT 0,
    PRIMARY KEY (id)
);

Structure of ACL Tables

The structure of the ACO and ARO tables is identical. The id is the primary key for each of the two tables. The parent_id column is required for creating a hierarchical structure.

The model is the name of the model to which the record (ACO or ARO) belongs. The foreign_key is the ID of the corresponding record in that model's own table. For example, if an ARO record has model User and foreign_key 5, that ARO refers to record id 5 of the User object.

The alias is the readable label for the corresponding ACO/ARO node.

The lft and rght columns implement Modified Preorder Tree Traversal (MPTT). The left and right values define the range that each node occupies in the tree. The child and grand-child nodes fall between the lft and rght values of a parent node.

Start Using Acl – Step 2

Now that we have set up the required tables and understood the purpose of the columns, we are ready to start using the AclComponent. We will start by adding the AclComponent to the controller. According to CakePHP 2.x conventions, the following syntax will load the AclComponent:

public $components = array('Acl');

The component can be loaded on the fly as well. The syntax differs before and after CakePHP 2.x:

// For CakePHP < 2.0
App::import('Component', 'Acl');

// For CakePHP 2.0 and later
App::uses('AclComponent', 'Controller/Component');

Setting Alias in Acl

The alias is an important field that is used for setting and checking access permissions. There is no fixed standard for alias values, but following a pattern makes the records easy to generate automatically and easy to identify. The general syntax for generating an alias name is <Model Name>::<Foreign Key>. The AclBehavior in the CakePHP library adds the ACOs and AROs transparently when a record is added for the Model object and populates the other columns, but it sets no value for the alias column; probably this is because the column is designed to store any custom value.
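How the lft/rght ranges and the aros_acos mapping combine into an effective permission, as an added example that is not code from the original article or from CakePHP. It uses a simplified SQLite copy of the three tables with constructed rows and the <Model Name>::<Foreign Key> alias pattern. Assumptions: permission values are '1' (allow), '-1' (deny) and '0' (inherit), the most specific non-inherit row wins, and build_db/check are hypothetical helper names.

```python
import sqlite3

# Simplified SQLite stand-in for the three ACL tables (model/foreign_key omitted).
# Assumed value convention: '1' allow, '-1' deny, '0' inherit from the parent node.
SCHEMA = """
CREATE TABLE aros (id INTEGER PRIMARY KEY, parent_id INTEGER, alias TEXT, lft INTEGER, rght INTEGER);
CREATE TABLE acos (id INTEGER PRIMARY KEY, parent_id INTEGER, alias TEXT, lft INTEGER, rght INTEGER);
CREATE TABLE aros_acos (id INTEGER PRIMARY KEY, aro_id INTEGER, aco_id INTEGER,
    _create TEXT DEFAULT '0', _read TEXT DEFAULT '0',
    _update TEXT DEFAULT '0', _delete TEXT DEFAULT '0');
-- Constructed sample rows: two groups with one user each, and one ACO tree
INSERT INTO aros VALUES (1, NULL, 'Group::1', 1, 4), (2, 1, 'User::5', 2, 3),
                        (3, NULL, 'Group::2', 5, 8), (4, 3, 'User::9', 6, 7);
INSERT INTO acos VALUES (1, NULL, 'posts', 1, 4), (2, 1, 'Post::7', 2, 3);
-- Group::1 may read and delete under posts, User::5 is denied delete on Post::7
INSERT INTO aros_acos (aro_id, aco_id, _read, _delete) VALUES (1, 1, '1', '1');
INSERT INTO aros_acos (aro_id, aco_id, _delete) VALUES (2, 2, '-1');
"""

# Whitelist of action -> column, so the column name is never built from caller input.
COLUMNS = {"create": "_create", "read": "_read", "update": "_update", "delete": "_delete"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check(db, aro_alias, aco_alias, action):
    """Most specific non-inherit row wins; no matching row means deny."""
    col = COLUMNS[action]  # raises KeyError for anything outside the whitelist
    row = db.execute(f"""
        SELECT p.{col}
        FROM aros leaf
        JOIN aros anc ON anc.lft <= leaf.lft AND anc.rght >= leaf.rght  -- requester and its ancestors
        JOIN acos tgt ON tgt.alias = :aco
        JOIN acos res ON res.lft <= tgt.lft AND res.rght >= tgt.rght    -- resource and its ancestors
        JOIN aros_acos p ON p.aro_id = anc.id AND p.aco_id = res.id
        WHERE leaf.alias = :aro AND p.{col} <> '0'
        ORDER BY anc.lft DESC, res.lft DESC
        LIMIT 1""", {"aro": aro_alias, "aco": aco_alias}).fetchone()
    return row is not None and row[0] == "1"

if __name__ == "__main__":
    db = build_db()
    for aro in ("Group::1", "User::5", "User::9"):
        print(aro, {a: check(db, aro, "Post::7", a) for a in COLUMNS})
```

User::5 inherits read from Group::1 but loses delete through its own row on Post::7, while User::9 has no row anywhere on its path and is denied everything.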