Mark, thanks very much for this. Extremely helpful!
I have all the parts working, but having a final snag. Trying to set up some custom redirects based on a user’s group_id and totally perplexed why this wouldn’t work in the beforeFilter in AppController:

$user = $this->Auth->user();
$group = $user['User']['group_id'];
if ($group == 1) { echo "admin"; $this->Auth->loginRedirect = array('controller' => 'posts', 'action' => 'index');
} else { echo "not admin"; $this->Auth->loginRedirect = array('controller' => 'widgets', 'action' => 'index');
}

Cake echoes “admin” if a user with a group_id of 1 logs in, but yet the widgets version of the redirect ends up getting used.
There is probably a more elegant way to make the above happen, but just trying to keep it simple and mostly retain some understanding of how Auth is working behind the scenes.

Thanks again!

erik on 3/17/09

Hello Mark!
Your tutorials are good. And many thanks for writing CakePHP docs.

I have 1 problem, is it true that after following this tutorial you need to delete all users (AROs) and repopulate the ARO table?

I ask this because it happened that any users created before implementing acl somehow didn’t get the permissions even though the ARO table was properly filled and aros_acos table appeared good too.

In fact Acl->check was showing allowed.

Basically I was trying to allow members to access their profile like,

but it was auto redirecting to the home page.

Then I added another user,

and it worked! I’m clueless.

PS. there is no preview button in this comment field, which comes in handy sometimes!

Mk on 3/17/09

erik: Check your session, sometimes a redirect gets stored there as well.

Mk: If users were created before the AclBehavior was attached, they will not have AROs and will not work with the Acl component, as their node is missing. New users will work though. Perhaps building a shell/function to add AROs to all the users that don’t have them would work.

mark story on 3/19/09
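
A shell along the lines suggested in the reply above, as an added example that is not part of the original thread or the tutorial. It assumes CakePHP 1.2-style shells, a User model with the Acl behavior attached as a requester, a users.group_id column, and Group AROs that already exist; the file and class names are hypothetical.

```php
<?php
// Hypothetical file: app/vendors/shells/aro_backfill.php, run as: cake aro_backfill
// Assumes User has: var $actsAs = array('Acl' => 'requester');
class AroBackfillShell extends Shell {
    var $uses = array('User');

    function main() {
        $Aro =& $this->User->Aro; // Aro model attached to User by AclBehavior
        $users = $this->User->find('all', array(
            'recursive' => -1,
            'fields' => array('User.id', 'User.group_id')
        ));
        $created = 0;
        $skipped = 0;
        foreach ($users as $user) {
            $id = $user['User']['id'];
            // Users that already have a node are left untouched.
            $has = $Aro->find('count', array(
                'recursive' => -1,
                'conditions' => array('Aro.model' => 'User', 'Aro.foreign_key' => $id)
            ));
            if ($has > 0) {
                continue;
            }
            // The new node goes under the group's ARO so it inherits that group's grants.
            $parent = $Aro->find('first', array(
                'recursive' => -1,
                'conditions' => array(
                    'Aro.model' => 'Group',
                    'Aro.foreign_key' => $user['User']['group_id']
                )
            ));
            if (empty($parent)) {
                // No group node: skip instead of creating a parentless ARO.
                $this->out("User $id: no ARO for its group, skipped");
                $skipped++;
                continue;
            }
            $Aro->create();
            $saved = $Aro->save(array(
                'parent_id' => $parent['Aro']['id'],
                'model' => 'User',
                'foreign_key' => $id
            ));
            if ($saved) { $created++; } else { $skipped++; }
        }
        $this->out("Created $created AROs, skipped $skipped users");
    }
}
```

Skipped users stay without a node and therefore stay denied by the Acl component until their group ARO is fixed and the shell is run again.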


Thanks for an excellent acl tutorial.

I have a question. Is it possible for a user to belong to 2 or more groups and inherit permissions from each of the groups.

I’d really appreciate your response.


Sola Ajayi on 5/12/09

Sola Ajayi: Of course it’s possible, but it’s not covered in the tutorial.

mark story on 5/14/09

Great tutorial! It really saved my life. I had to dig deep into the api to fully understand auth, acl & trees. But all the long hours were totally worth it. Your tutorial nicely pulled all the pieces together. Everything makes sense now! (_) And I got it to work perfectly.

Thanks again, Mark.

p.s. Your DebugKit is pretty sweet too.

Phu Huynh on 6/29/09

Hi everyone!
I’d like to know:
if I have two tables (users and group), how do I add a few users to some group?

Thanks in advance

Wander on 7/8/09


I’m redoing my site with cakephp and your articles were what I needed to understand ACLs. Thanks so much for your work, and I look forward to reading every article you write. Very helpful info here.

MIchael W on 7/10/09


1. thanks for the tutorial. i am a cake newbie. finally, i am beginning to understand (somehow) Acl, Auth.

2. however, i am having difficulty understanding these instructions :

… Take out the references to Auth->allowedActions in your users and groups controllers. Then add the following to your posts and widgets controllers:

function beforeFilter() { parent::beforeFilter(); $this->Auth->allowedActions = array('index', 'view'); }

This removes the ‘off switch’ on the users and groups controllers, and gives public access on the index and view actions in posts and widgets controllers…

i am not clear how to take out references or turn the switch off.

3. i also can’t figure out how i can right justify these messages :
You are not authorized to that location

this is to make my login forms distinct from the regular form entries. i am just using cake’s default layouts.

any help will be most appreciated.

maraming salamat po (many thanks, sir … in Filipino)

ige on 7/11/09

Hey Mark,

I went ahead and took you up on your offer and added the delete functionality to your buildAcl action. It can be picked up from here:

Robert Navarro on 8/6/09

Great write up. This is the most clear Acl tutorial i’ve come across, thanks.

A suggestion:

About the Acl setup routine, you say:
‘You can add and run this in your AppController or any controller for that matter’

Later, about the same routine you write:
‘Be sure to run the function, in a browser by visiting /users/buildAcl’

So it’d be good to suggest adding it to the users controller earlier.

bitbutter on 8/13/09

Thx, everything works

billy on 8/29/09

Mark, great tutorial, had been searching for something like this for ages, i think the approach “from scratch” is what most Cake beginners like myself need to get the idea behind acos – aros.
The only point i did not fully get is the parentNode method in User (and Group), probably due to my lack of experience in Cake. If you are going to write more on Acl in the future you might spend a few extra words on that …
Thanks a lot

dani on 11/12/09

Hi, thanks for the tutorial. When I write the command cake ‘acl grant $aroAlias $acoAlias’, the cake shell tells me there is an error; the message is like this:

Error:wrong number of paramaters: 2
please type ‘cake help…..’

and with the equivalent, cake does not know the variables $acoAlias and $aroAlias. How do I fix that? I am blocked.

cherif_dz on 12/21/09

I noticed that you didn’t cover how to register a user or add that functionality. What would it take?

Richard on 3/11/10

Hi Mark,

Thanks for the well written tutorial.

I was eager to try it out until I noticed that it doesn’t deal with admin routing.

I’ve built my entire application to work with admin routing as I have an admin area and a client area which I want to control access to.

It seems the ACL is the only way to do this but will your tutorial work with admin_routing or is there some simple / subtle mods to make so that it will work with my app?

Thanks for your help, really appreciate it.


Michael on 3/19/10

Richard: You’re right, I didn’t cover registration or login, but there are many other tutorials that do. So combining the two together should get you where you want to go. :)

mark story on 3/20/10

This doesn’t work, I cannot log in.
I’m not sure if I baked the models, views & controllers correctly. Post, User, Group, Widget – this is the order that I baked them.
For every model and controller I baked, I got this message:
“SimpleTest is not installed.Do you want to bake unit test files anyway?(y/n)” and I typed n (NO).
Do you have any suggestions?
Thank you.

Vlad on 4/17/10

Thanks Mark. I first looked at this about three years ago, gave up and wrote my own system. Now, for the project I’m working on, I wanted to use the Cake ACL. Your tutorial has made it very easy.

Did you ever write anything on access control per record?

Leo on 4/19/10

Re. access control per record:
I’m almost through writing this now. When I’m done I’ll write it up as a mini-tutorial and post a link here.

Leo on 4/19/10