How to add security to the Controller



Every time an ID is passed as an argument (URL parameter or form field), that ID must be run through a function that checks the record belongs to the same group we are currently logged into. Without this check a user could change the ID in the URL and read or edit another group's records.

# 1 > Step 1: If the table has group_id - call the security function declared in AppController

In the controller action where you want to add the check, add the following code before the record is used:

// security: $model_name is the model class name as a string, e.g. 'Invoice'
$this->ensureCorrectGroup($model_name, $this->groupId(), $id);


# 2 > AppController function

->When ensureCorrectGroup() is called, it loads the record by id and compares its group_id with the current group.

->If the group_id matches (or the record has no group, group_id 0, which legacy data is allowed to have), it returns true and the action continues.
->If the group_id does not match, it sets a flash message and redirects to the previous page; the action never continues in that case.

function ensureCorrectGroup($model, $group_id, $id)
{
    // $model is the model class name as a string, e.g. 'Invoice'
    $testObj = ClassRegistry::init($model, 'Model');

    $found = $testObj->find('first', array(
        //'contain' => array(),
        'conditions' => array($model . '.id' => $id)
    ));

    // Unknown id: find() returns false. Without this check the loose
    // comparison below reads NULL, and NULL == 0 is true in PHP, so an
    // id that does not exist would be let through as a "legacy" record.
    if (empty($found[$model]['id'])) {
        $this->Session->setFlash('Record not found');
        $this->redirect($this->referer('/', true));
        return false;
    }

    $recordGroup = (int) $found[$model]['group_id'];

    if ($recordGroup === (int) $group_id) {
        return true;
    }

    // some old transactions don't have groups, so we will let this pass
    if ($recordGroup === 0) {
        $this->Session->setFlash('No group assigned: save to add a group');
        return true;
    }

    $this->Session->setFlash('Wrong group');
    // referer('/', true) only follows a local URL, so a forged Referer
    // header cannot send the user to another site. redirect() exits by
    // default; the return below is only reached if it is called with exit off.
    $this->redirect($this->referer('/', true));
    return false;
}

# 3 > Step 2: If the table does NOT have group_id

If the table does NOT have a group_id column:
->Create a custom function in that table's model (it is only used from that controller)
->Take the id
->Look up the associated table that does have group_id (for ProjectHour that is ProjectTask)
->Compare that table's group_id with the current group

In Controller, add the following code:

// security
if (!$this->ProjectHour->ensureCorrectGroupProjectTask($this->groupId(), $id)) {
    $this->Session->setFlash('Wrong group');
    $this->redirect($this->referer('/', true));
    exit;
}

In the model, add the following:

function ensureCorrectGroupProjectTask($group_id, $id) {

    // ProjectHour belongsTo ProjectTask, so the default recursive level
    // (or 'contain' => array('ProjectTask') with Containable) pulls in the
    // task row, which is the one that carries group_id
    $found = $this->find('first', array(
        //'contain' => array('ProjectTask'),
        'conditions' => array('ProjectHour.id' => $id)
    ));

    // Unknown hour id, or an hour whose task did not resolve (all its
    // fields NULL): deny. With the old loose check NULL == 0 was true
    // and such ids passed as "legacy".
    if (empty($found['ProjectTask']['id'])) {
        return false;
    }

    $recordGroup = (int) $found['ProjectTask']['group_id'];

    if ($recordGroup === (int) $group_id) {
        return true;
    }

    // some old transactions don't have groups, so we will let this pass
    // (the controller, not the model, sets any flash message)
    if ($recordGroup === 0) {
        return true;
    }

    return false;
}
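The decision made in both steps above, as one framework-free PHP function. This is an added example, not code from the UpdateCase project: it assumes only the array shape CakePHP's find('first') returns and constructs its own sample rows (the Invoice model, the ids and the group numbers are made up for the demonstration). Running it with `php` shows where the page's original loose comparison differs from the hardened decision: an id that does not exist, or a ProjectHour whose ProjectTask does not resolve, passes the original check because NULL == 0 is true in PHP, and is denied here.

```php
<?php
// Added example, not code from the UpdateCase project. The group decision is
// lifted out of the controller/model into one plain function so it can be run
// with `php` and checked without CakePHP. Input arrays use the shape that
// CakePHP's find('first') returns: array('Alias' => array('id' => ..., ...)).
// All aliases, ids and rows below are constructed for the demonstration.

/**
 * Decide whether the record in $found belongs to $currentGroupId.
 *
 * $alias is the model whose group_id is authoritative: the model itself
 * (Step 1), or the associated model that carries group_id when the table
 * does not (Step 2, e.g. 'ProjectTask' for a ProjectHour row).
 *
 * Returns 'allow', 'allow-legacy', 'deny-missing' or 'deny-mismatch'.
 */
function groupDecision($found, $alias, $currentGroupId)
{
    // Unknown id (find() returned false) or an association that did not
    // resolve (all its fields NULL): deny. The page's original check reads
    // NULL here, and in PHP NULL == 0 is true, so such ids passed as "legacy".
    if (!is_array($found) || empty($found[$alias]['id'])) {
        return 'deny-missing';
    }
    // Legacy rows predate groups: NULL or 0 both count as "no group".
    $recordGroup = isset($found[$alias]['group_id']) ? (int) $found[$alias]['group_id'] : 0;
    if ($recordGroup === (int) $currentGroupId) {
        return 'allow';
    }
    if ($recordGroup === 0) {
        return 'allow-legacy';   // caller should flash "save to add a group"
    }
    return 'deny-mismatch';
}

/** The page's original test (loose ==, no existence check), kept for comparison. */
function originalCheck($found, $alias, $currentGroupId)
{
    $g = isset($found[$alias]['group_id']) ? $found[$alias]['group_id'] : null;
    return ($g == $currentGroupId) || ($g == 0);
}

function demo()
{
    $current = 7;   // group of the logged-in user, as $this->groupId() would give
    $cases = array(
        'owned invoice'      => array('Invoice', array('Invoice' => array('id' => 10, 'group_id' => 7))),
        'foreign invoice'    => array('Invoice', array('Invoice' => array('id' => 11, 'group_id' => 8))),
        'legacy invoice'     => array('Invoice', array('Invoice' => array('id' => 12, 'group_id' => 0))),
        'unknown invoice id' => array('Invoice', false),   // find('first') on an unknown id
        'hour via task'      => array('ProjectTask', array(
            'ProjectHour' => array('id' => 5, 'project_task_id' => 3),
            'ProjectTask' => array('id' => 3, 'group_id' => 7))),
        'hour with no task'  => array('ProjectTask', array(
            'ProjectHour' => array('id' => 6, 'project_task_id' => null),
            'ProjectTask' => array('id' => null, 'group_id' => null))),
    );
    foreach ($cases as $label => $c) {
        list($alias, $row) = $c;
        printf("%-20s original=%-5s hardened=%s\n",
            $label,
            originalCheck($row, $alias, $current) ? 'pass' : 'deny',
            groupDecision($row, $alias, $current));
    }
}

demo();
```

To use this shape in the AppController, call groupDecision() on the result of the find(), and on any 'deny-…' result set the flash and redirect; 'allow-legacy' is the branch where the 'No group assigned: save to add a group' message belongs. If the redirect target comes from referer(), restrict it to local URLs (referer('/', true) in CakePHP 1.3/2.x, which is the version assumed here) so that a forged Referer header cannot send the user off-site.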

Other Instructions

Other pages in this set of instructions cover the rest of the UpdateCase application.