@David, I was having the same trouble and almost broke my monitor as a result. I found little or no help on the internet so I’ll just tell you what I did to save you the damaged monitor / damaged fist / damaged pride:

To begin with I was experiencing a lot of timeouts on my scripts. This was leaving the scripts’ work half finished and as a result I started adding the users into the database through an external .sql script. As mentioned earlier I think the ACL requires you enter the groups/users through the site so that their relevant AROs are then stored in the relevant database tables. As I was adding the users / groups through a .sql script I was returning invalid nodes through the $aroAlias aspect ($group). To set an unlimited timeout I used set_time_limit(0); at the start of the function.

I also ran my scripts again and again to begin with, which not only left me with massive aro/aco tables but also made them an absolute mess to configure. Try and make full use of the ‘cake schema run create DbAcl’ command to reset your aro / aco / aros_acos tables and start again if something goes wrong. There’s probably a much easier way but I’m buggered if I know it.

Also I don’t know what console you’re using but I found Cygwin to be very effective at displaying the trees and nodes of the tables, making specifying nodes a lot easier.

I hope that is of some help to you, I’ll post if I remember anything else I did right.

Good luck!

@Mark – brilliant tutorial mate! My only hope is you keep them coming – We need you!

Steppio on 12/21/08

As Mark correctly noted, modifying the user’s group will NOT update ARO table.

Here’s some custom logic for your users/edit controller:

    <?php
    $oldgroupid = $this->User->field('group_id');
    if ($oldgroupid !== $this->data['User']['group_id']) {
        $aro =& $this->Acl->Aro;

        // Find the user's ARO
        $user = $aro->findByForeignKeyAndModel($this->data['User']['id'], 'User');
        // Find the group's ARO
        $group = $aro->findByForeignKeyAndModel($this->data['User']['group_id'], 'Group');
        // Save to ARO table
        $aro->id = $user['Aro']['id'];
        $aro->save(array('parent_id' => $group['Aro']['id']));
    }
    ?>

Aidan Lister on 12/23/08

    $oldgroupid = $this->User->field('group_id');
    if ($oldgroupid !== $this->data['User']['group_id']) {
        $aro =& $this->Acl->Aro;

        // Find the user's ARO
        $user = $aro->findByForeignKeyAndModel($this->data['User']['id'], 'User');
        // Find the group's ARO
        $group = $aro->findByForeignKeyAndModel($this->data['User']['group_id'], 'Group');
        // Save to ARO table
        $aro->id = $user['Aro']['id'];
        $aro->save(array('parent_id' => $group['Aro']['id']));
    }

Aidan Lister on 12/23/08

As Mark correctly noted, modifying the user’s group will NOT update ARO table.

Here’s some custom logic for your users/edit controller:

    function admin_edit($id)
    {
        if (!empty($this->data)) {
            // Check if their permission group is changing
            $oldgroupid = $this->User->field('group_id');
            if ($oldgroupid !== $this->data['User']['group_id']) {
                $aro =& $this->Acl->Aro;
                // Find the user's ARO
                $user = $aro->findByForeignKeyAndModel($this->data['User']['id'], 'User');
                // Find the group's ARO
                $group = $aro->findByForeignKeyAndModel($this->data['User']['group_id'], 'Group');
                // Save to ARO table
                $aro->id = $user['Aro']['id'];
                $aro->save(array('parent_id' => $group['Aro']['id']));
            }
        }
    }

Aidan Lister on 12/23/08

Great tutorial – got it set up and working within 30 minutes! I’ve applied everything over to my project and it all works. Now I’m down to my last piece: customizing the views. I’m racking my brain over this and can’t figure it out.

Let’s take your example from above. I want to edit the view for ‘Posts/View’, since by default the view has a link to add a Post. Now since I have Auth and ACL set up correctly, when a ‘user’ clicks the link it just redirects them back to ‘Posts/View’. Now to prevent confusion I don’t want that link there at all if you are in the ‘users’ group.

How can I hide all links in ‘Posts/View’ that are not accessible based on your permissions?

Amit on 12/23/08

Amit: You would have to also check the permissions for each action that you were going to display in your view and conditionally display the links based on the user’s permissions. I wrote an Acl Menu Component class that does some of this; perhaps that will help?

mark story on 12/24/08
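
The per-link check described in the reply above, as an added example for CakePHP 1.2 (not code from the thread or from the tutorial). The `_allowed()` helper, the `canAddPost` view variable and the `controllers/Posts/add` ACO path are assumptions for illustration. Hiding the link only tidies the page; Auth and ACL still decide whether the request itself is allowed.

```php
<?php
// app/controllers/posts_controller.php (illustrative sketch)
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Acl', 'Auth');

    function view($id = null) {
        $this->set('post', $this->Post->read(null, $id));

        // Ask the ACL the same question that is asked when the link is
        // clicked, so the view and the access decision cannot disagree.
        // The ACO path is an assumption; use the one from your acos table.
        $this->set('canAddPost', $this->_allowed('controllers/Posts/add'));
    }

    // Leading underscore: CakePHP 1.2 will not route a URL to this method.
    // Returns true only if the logged-in user's ARO is granted $acoPath.
    function _allowed($acoPath) {
        $userId = $this->Auth->user('id');
        if (empty($userId)) {
            return false; // not logged in: render no privileged links
        }
        // Look the ARO up by model + foreign key, the same columns the
        // ARO lookups elsewhere in this thread use.
        $aro = array('model' => 'User', 'foreign_key' => $userId);
        return $this->Acl->check($aro, $acoPath);
    }
}
?>

<?php /* app/views/posts/view.ctp (illustrative sketch) */ ?>
<?php if ($canAddPost): ?>
    <?php echo $html->link('New Post', array('action' => 'add')); ?>
<?php endif; ?>
```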

Hello man. I just want to tell you that your tutorial is really, really good. I searched the web for a tutorial on “Auth + Acl” but I wasn’t able to understand any of them well. But yours is really easy and complete. So, thank you for the work you do for us.
And sorry if my English is bad, but I’m French… :p


askara on 1/12/09

Very nice explanation… thank you.

Newb here, btw.

I am wondering if Cake’s ACL can handle permissions assigned by users?

For example, could a user assign rights to view/edit one of their records to another user(s)? I’d like to build out an app where users could mark a record as accessible to the public (everyone) or to specific user(s) only.

I, as admin, would not need to be involved, but would rather allow the user to manage their own access rights to their own records.

Is Cake capable of this, and if so, any pointers?

Thank you


Drew on 1/17/09

@Mark – How do you initialize the command ‘cake schema run create DbAcl’ from a console on an uploaded website? I’ve heard it’s something to do with a connection manager? Can you shine any light on this at all?

Steppio on 1/19/09

It’s very easy to copy the CakePHP’s docs tutorial and paste in your blog. Why don’t you create your own tutorial? The community needs this, because the Docs’ tutorials explain nothing

Alexandre de Oliveira on 1/21/09

Alexandre de Oliveira: You would do well to do your research before making accusations. It just so happens that I also wrote the book article; it didn’t get there via magic fairy dust. Furthermore, my name isn’t near the top of the top contributors list by happenstance either. I’ve written quite a bit of the documentation and a reasonable amount of the Cake core. Perhaps next time before you jump to conclusions and call me a thief, figure out to whom you are talking, and who wrote what. You will look less foolish.

mark story on 1/21/09

This is a good tutorial but I cannot get the c table to populate. You state “If you do a SELECT * FROM aros_acos you should see a whole pile of 1’s and 0’s. If you don’t something didn’t work.”. My table is empty, but I cannot see where I went wrong. I downloaded your source files in the end and am using that and I still don’t get the aros_acos table to populate, so none of my permissions are working. Any tips on where a user could have gone wrong?

Affinity on 2/2/09

Oops, a typo in the first sentence of my last post; it should say “… I cannot get the aros_acos table to populate”

Affinity on 2/2/09

Hi, I think I discovered what to do, which I think should be made more clear, as these are stumbling blocks for newbies…

You must run the functions buildAcl and InitDB by going to them in the URL-

I get an error when running initDB but the login and permissions now work

I think these little things need to be put into the tutorials

Affinity on 2/2/09

Affinity: I added the missing sentence instructing the user to run the functions. :)

mark story on 2/3/09

Per John’s post about:

cake acl grant $aroAlias $acoAlias all

not working. I’m having the same problem. John said he found out what he’s doing wrong but the solution is not listed.

I’ve tried:

cake acl grant $users $controllers all

and other various versions but I just keep getting errors.

Your help would be greatly appreciated.

Thanks Mark!

justclint on 2/19/09

Ok I got it now. In case anyone runs into this here’s what I did.

cake acl grant Group.1 controllers '*'
cake acl grant Group.2 controllers '*'
cake acl grant Group.3 controllers '*'

Group.# = the aro (model.id)

For some reason in the table my Aro aliases show up as null so that’s why doing the following won’t work:

cake acl grant administrators controllers '*'

realm3.com pointed out that if you’re getting this error:

DB_ACL::allow() – Invalid node in …/

it means that either the ‘aroAlias’ (administrator in our case) was not found or the ‘acoAlias’ (controllers in our case) wasn’t found.

In my case it was the Aro (‘administrators’) that was not found.

I guess my question now is how do you set the alias for the aros. Did I skip this step somewhere? Do I just directly edit my database?

Anyhow, this tutorial has been a great help for finally getting an ACL up and running.

Thanks Mark!

justclint on 2/20/09

justclint: $aroAlias and $acoAlias are just placeholder variables for your real values. So you need to substitute them with the values in the tables.

mark story on 2/20/09

Hi, I am totally confused and wondered if anyone can help… please.

I have followed the tutorial and just don’t understand the cake acl grant $aroAlias $acoAlias [create|read|update|delete|'*'] part. What do I have to replace the Alias part with to get this to work? Please help, this is driving me mad.
Thanks in advance

matt on 3/8/09

matt: As I stated above, $aroAlias and $acoAlias are variables; you replace them with the aliases you actually want to use. [create|read|update|delete|*] refers to the different permissions you wish to grant. So for example

cake acl grant billybob /controllers/posts/edit *

would grant all privileges to ‘billybob’ for the ‘/controllers/posts/edit’ node.

mark story on 3/9/09