As the country starts in the festivities to lay to rest this past year, many people come up with lists, a la "10 Best Somethings of 2008". Sometimes the lists even expand to 25. And if you are VH1 and MTV, with little to no viewership and the most horrible…
Just a quick post, as this is now December and I have not posted for almost a month. But this is another simple, and easy, and sometimes forgotten idea among the web programming world. Never pass up the opportunity to learn something new. I know this sounds really easy, and…
With checking ACL’s, the code I use is as follows:
$info = $this->Member->read(null, $id);
// Check for permissions to edit this account
if ( !$this->Acl->check(array('model' => 'Member', 'foreign_key' => $this->Auth->user('member_id')), $info['Member']['username'], 'update') ) {
$this->Session->setFlash(__('You are not allowed to edit this user. -- ' . $this->Auth->user('member_id'), true));
$this->redirect(array('action'=>'index'));
}
While this works and is not that bad of an idea at all, there is a way to centralize this check and put it in the main app_controller.php file.
(more…)
After doing a few posts on Access Control Lists (ACLs), the need to look further into the implementation of ACLs in a CakePHP project could be helpful. If there are questions on setting up the ACL tri-table in the database, you can review the previous postings, or check out the CakePHP documentation. But now that you have the ACL tables set up, how does it actually work?
First, the ACL happens after authentication. So whether or not you are using the Auth component, you will still need to authenticate the user some how, some way. Then once the user is authenticated and logged in, that user will have permissions to do different thing. Let’s say one of those things is to edit accounts. If it is a regular user, he should be able to edit his own and no one else. If the user was a “site admin” he should be able to edit his own and any account that is not a “super-admin”. If he is a super admin then he should edit everyone’s account. However, the first part of this is setting up the initial ACL permissions.
In some applications on the web, you are required to log in to view content, post content, or any other sort of thing. With this, there will be times when a member of the site/application/whatever will forget the password they used, and it will have to be reset for them. So there are different methods of doing this, and different ideas behind what should make this work. I am going to give you one that I use, which will use a close to random method for resetting the passwords.
Another quick post. This has some info on the “intrawebs” but there is also bad data out there. Say you have a form, that has some info on it that requires a good amount of data to be input by the end user. If the user leaves the form to go to another page, or closes the window, all of that will be lost. So there is a couple ways you can combat that.
1. You could make everyone create an account to save any data on a smaller scale and come back later and submit the form
or
2. You can create an alert message when the user no longer wants your page to show.
There are different reasons to do one or the other. If you had a long form for something like a scholarship or a detailed personal profile, that would be the case for the account to save the data in smaller chunks. However, lets say you have a form with many fields that requires some data input and alot of options to parse through. That would be a case for an alert message. But since HTTP is stateless, how would one accomplish this?
It is finally October and I have not posted one thing yet. I was in California last week though. However that should not be an excuse for the lack of posting I have made. I really wanted to be able to post at least once a week, trying for twice a week. However, that has not happened.
So a quick post about security in a site. I will not claim that I know everything about security, but I have always been about the common sense stuff of a site. Some of the things to keep in mind:
In preparation for the Zend Certification Exam (ZCE), Zend provides a great (sarcasm) online practice test that consists of 8 questions. That is right, 8 questions. A certification exam that consists of 70 questions and Zend offers 8 questions. And the other thing with the practice test, is that if you get 5 out of 8 correct, then you are “ready” to take the exam. Which I would not suggest, unless of course you have at least 1 year of real PHP experience coding, testing, even hacking. Plus, there is a good amount of DB stuff on the test, as well as security, streams, XML/Web Services and other stuff. I also suggest you pay (that is right, pay) for a set of practice exams. But I digress. Back to the Zend practice test. They give you 8 questions, then just tell you how many you got right/wrong. There is no feedback (like a real exam) on the practice test, which I think there ought to be. So I decided I would not only give you the answer, but why it is the answer. Following is the exam questions and the answers and why they are the answers.
(more…)
I did not post on Monday, which I really wanted to do. I am studying for the Zend Certification, but may have to put it off based on work load, and family obligations. Do I think I can just take the exam and pass it? Well, I am not that…
Another quick post this week, as I am bogged down in work and preparing for a Zend Certification Exam. I am going to be taking the exam for Zend Certified Engineer (ZCE). While I do not expect it to be much problem, these types of exams are usually worded in…