Fresh Pastries from CakePHP, in Russian

The complete CakePHP 1.2 manual in Russian, hot news and useful articles

Setting up permissions.

Creating permissions, much like creating ACOs, has no magic solution, nor will I be providing one. To grant an ARO access to an ACO from the shell, use:

cake acl grant $aroAlias $acoAlias [create|read|update|delete|'*']

* must be quoted ('*') so the shell does not expand it as a glob.

To grant the same permission with the AclComponent:

  $this->Acl->allow($aroAlias, $acoAlias);

We are going to add a few allow/deny statements now. Add the following temporary function to your UsersController and visit its address in your browser to run it. A SELECT * FROM aros_acos should then show a whole pile of 1s and 0s. Once you have confirmed your permissions are set, remove the function: while it stays in the controller, anyone who can reach that action can rewrite your permission table.

  function initDB() {
      // AclBehavior stores AROs without an alias, so we address a group
      // by pointing a Group model instance at the id we want
      $group =& $this->User->Group;

      // Allow admins everything under the 'controllers' root node
      $group->id = 1;
      $this->Acl->allow($group, 'controllers');

      // Managers: deny everything, then allow Posts and Widgets
      $group->id = 2;
      $this->Acl->deny($group, 'controllers');
      $this->Acl->allow($group, 'controllers/Posts');
      $this->Acl->allow($group, 'controllers/Widgets');

      // Users: deny everything, then allow only add and edit on Posts and Widgets
      $group->id = 3;
      $this->Acl->deny($group, 'controllers');
      $this->Acl->allow($group, 'controllers/Posts/add');
      $this->Acl->allow($group, 'controllers/Posts/edit');
      $this->Acl->allow($group, 'controllers/Widgets/add');
      $this->Acl->allow($group, 'controllers/Widgets/edit');
  }

We now have some basic access rules. Administrators are allowed everything, managers can access everything in posts and widgets, and users can only access add and edit in posts and widgets. Because the denies sit on the 'controllers' root node and the allows on nodes below it, the more specific node wins, so a user is denied controllers/Posts/delete but allowed controllers/Posts/add.

We had to take a reference to a Group model and change its id to specify the ARO we wanted; this is due to how AclBehavior works. AclBehavior does not set the alias field in the aros table, so an ARO created by it cannot be named by alias. We must reference it either through a model object whose id is set, or through an array of the form array('model' => 'Group', 'foreign_key' => 2).
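As an added check that is not part of the original tutorial, the following temporary action can be dropped into UsersController next to initDB() to verify the matrix above with AclComponent::check() rather than by reading aros_acos by hand. The group ids, the expected results and the hypothetical ACO paths are assumptions that follow the allow/deny calls in initDB() and the ACO tree built earlier in the tutorial; adjust them if your tree differs.

```php
// Added example, not code from the original tutorial. Temporary action for
// UsersController that checks the permission matrix initDB() created.
// Assumes the Acl component is loaded on the controller, that Group ids
// 1, 2 and 3 are admins, managers and users (as in initDB()), and that the
// ACO paths below exist from the earlier ACO build step. Remove it afterwards.
function checkPerms() {
    // AclBehavior stores these AROs without an alias, so address them by
    // model + foreign_key, the array form AclComponent::check() accepts.
    $groups = array(
        'admins'   => array('model' => 'Group', 'foreign_key' => 1),
        'managers' => array('model' => 'Group', 'foreign_key' => 2),
        'users'    => array('model' => 'Group', 'foreign_key' => 3),
    );

    // Expected outcomes, derived from the allow/deny calls in initDB().
    // Users are denied index here: that action only becomes reachable for
    // them through Auth's public action list, not through the ACL.
    $expected = array(
        'controllers/Users/add'     => array('admins' => true, 'managers' => false, 'users' => false),
        'controllers/Groups/delete' => array('admins' => true, 'managers' => false, 'users' => false),
        'controllers/Posts/delete'  => array('admins' => true, 'managers' => true,  'users' => false),
        'controllers/Posts/add'     => array('admins' => true, 'managers' => true,  'users' => true),
        'controllers/Widgets/edit'  => array('admins' => true, 'managers' => true,  'users' => true),
        'controllers/Widgets/index' => array('admins' => true, 'managers' => true,  'users' => false),
    );

    $failures = array();
    foreach ($expected as $aco => $perGroup) {
        foreach ($perGroup as $name => $shouldPass) {
            // check() returns true when the ARO is allowed the action ('*' by default)
            $actual = (bool) $this->Acl->check($groups[$name], $aco);
            if ($actual !== $shouldPass) {
                $failures[] = sprintf('%s on %s: expected %s, got %s',
                    $name, $aco,
                    $shouldPass ? 'allow' : 'deny',
                    $actual ? 'allow' : 'deny');
            }
        }
    }

    // No view for this throwaway action; print the verdict directly
    $this->autoRender = false;
    if (empty($failures)) {
        echo 'ACL matrix matches initDB()';
    } else {
        echo "ACL mismatches:\n" . implode("\n", $failures);
    }
}
```

Visit the action once after running initDB(); any line it prints under "ACL mismatches" points at a node whose allow/deny does not match the intended policy, which is far easier to act on than a raw dump of aros_acos.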

You may have noticed that I deliberately left index and view out of my Acl permissions. We are going to make view and index public actions in PostsController and WidgetsController. This allows non-authorized users to view these pages, making them public pages. However, at any time you can remove these actions from AuthComponent::allowedActions and the permissions for index and view will revert to those in the Acl, which as set up above denies them to everyone but admins and managers.

Now remove the references to Auth->allowedActions from your users and groups controllers. Then add the following to your posts and widgets controllers:

  function beforeFilter() {
      parent::beforeFilter();
      $this->Auth->allowedActions = array('index', 'view');
  }

This removes the 'off switches' we put in earlier on the users and groups controllers, and gives public access to the index and view actions in the posts and widgets controllers. Note that assigning allowedActions replaces the list, so this assignment discards whatever AppController::beforeFilter() put there; that is harmless here, but if you want to add to the parent's list rather than replace it, call $this->Auth->allow('index', 'view') instead. In AppController::beforeFilter() add the following:

  $this->Auth->allowedActions = array('display');

This makes the 'display' action public, which keeps PagesController::display() public. This is important, as the default routing often uses this action as the home page for your application.