A Summary of California's Maternity Leave

Summary of California Maternity Leave

It is much more difficult than it should be for a California woman to determine what her maternity leave rights are.

There is a very helpful discussion on Berkeley Parent’s Network regarding maternity benefits.

Everyone seems to be looking for a quick summary graphic that they can take to their employer. So, I have made such a graphic. I would have loved to make this even simpler, but I’m afraid this graphic might be as simple as it can get.

Download a printable chart summarizing California’s Maternity Leave

Hope this helps out!

May 7, 08:33 PM Comment

CakePHP ACL Tutorial: Introduction

The ACL (Access Control Layer) Component works in conjunction with a user login system to allow or deny a user access to pages of a website.

Cake’s ACL Component provides the following key pieces of functionality:

  • data management – functions are provided which help the developer add, remove and modify elements that are in the ACL data tables;
  • permission checking – the component provides functions which can be used to determine if a particular user has access to a particular page of a website;
  • command line manager – a command line based manager is provided which allows an admin to maintain data in an ACL system;

Before continuing, make sure you understand the following key terms:

  • Access Request Object (ARO) This is the element trying to gain access to a protected element in the system. This most often corresponds to users and groups. The list of AROs is stored in the ‘aros’ table.
  • Access Control Object (ACO) This is the element that is being protected from access. These most often represent controllers and pages of a website. The list of ACOs is stored in the ‘acos’ table.
  • CRUD This is an acronym for “create”, “read”, “update” and “delete”, which are the four actions controlled by the system. Permission settings are stored in the ‘aros_acos’ table, which has a column to store an ARO’s id, a column to store an ACO’s id, and four columns holding a value for each of the ‘create’, ‘read’, ‘update’, and ‘delete’ actions.

Table of Contents

Below are all the tutorials I have produced about this component. These examples all work as of April 15, 2008 with the latest nightly build of CakePHP.

CakePHP ACL Tutorial: Initial Setup

CakePHP ACL Tutorial: How To Check Access

CakePHP ACL Tutorial: Auth Component Example

CakePHP ACL Tutorial: Using With the Authentication Component

CakePHP ACL Tutorial: The Database Tables

Other ACL Tutorials

Here are some other good tutorials on the ACL and Auth components. Some of the examples are a bit out of date in these, but they give a good introduction to how to use the components:

Setting Up User Groups With ACL And Auth In CakePHP 1.2

AuthComponent and ACL for Dummies

Using AuthComponent and ACL in CakePHP 1.2

Using AclBehavior in CakePHP 1.2

ACL with Groups

Apr 15, 09:37 AM Comment

CakePHP ACL Tutorial: Usage With Auth Component

This is part of a series of tutorials on the ACL Component. View full index of ACL Tutorial Articles

The ACL Component is designed with a lot of flexibility in how it can be used, so it can be used with many different user management systems.

The way in which the ACL is configured will most likely be directed by whatever user management system you have in place. Two different websites could both use the ACL Component, but have different looking ACL database tables, because of differences in user management systems used.

The Authentication Component in particular requires one of two somewhat incompatible configurations of the data within the ACL Component. Each configuration also affects how the ACL Component’s functions are called. Therefore, it is important to decide which direction you want to go before setting up your ACL Component, because changing later will require a fair amount of reworking of your site’s programming logic.

actions mode

If Authentication is set to work under ‘actions’ mode, then the ACL’s ACO hierarchy will be required to have a tree structure like this one:

Site
--Articles
----edit    // controls access to /articles/edit
----delete  // controls access to /articles/delete
----index   // etc...
----view
--Comments
----edit
----delete
----index
----view

In addition, in the aros_acos table, for each row that corresponds to a particular permission, ALL FOUR of the action columns (_create, _read, _update, _delete) need to be set to 1 in order for permission to be granted. If any one is set to ‘0’ or ‘-1’, no permission will be granted to the entire node.

To set this up, the following syntax must be used any time the ACL Component’s allow() command is used:

$this->Acl->allow('bettycrocker', 'Articles/index', '*');

Here, the ‘*’ sends the message that ALL four action columns in the aros_acos table should be set to a value of ‘1’.

In actions mode, the key point to remember is that each action needs to correspond to an ACO node whose alias is the same name as the action. And, this node needs to belong to a parent node whose name corresponds to the CamelCased name of the controller.

Also, note that this means that MANY of your ACO nodes will have identical ‘alias’ values. You are going to have many nodes with the alias ‘edit’, which can only be differentiated by looking at their parent_id values.

crud mode

If Authentication is set to work under ‘crud’ mode, then the ACL’s ACO hierarchy will need to have the following tree structure:

Site
--Articles 
--Comments

In this mode, the full functionality of the aros_acos table will be utilized, so that access will be granted to an action only if the column for that action is set to a value of ‘1’.

To set this up, the following syntax must be used any time the ACL Component’s allow() command is used:

$this->Acl->allow('bettycrocker', 'Articles', 'read');

Here ‘read’ is used. In this case, the command would grant permission to:

http://www.website.com/articles/index
// AND 
http://www.website.com/articles/view

Under ‘crud’ mode, both ‘index’ and ‘view’ are considered a ‘read’ action, so access to both pages is granted with a single grant to the ‘read’ action.

The primary difference from actions mode will be a dramatically reduced number of ACO nodes, most of which are going to have uniquely named aliases.
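The two lookups described above, side by side, as an added sketch that is not part of the original tutorial and does not use CakePHP's own code. It shows that a crud-style `read` grant placed on an action node is denied under actions mode, because not all four columns are 1. The `$perms` rows are constructed sample data, the function names are hypothetical, inheritance is not modelled, and the `add` and `delete` map entries are assumptions.

```php
<?php
// Constructed aros_acos rows keyed "aro|aco path" (sample data, not from a real site).
// Column values: 1 = allow, 0 = not set, -1 = deny.
$perms = array(
    // allow(..., 'Articles/index', '*'): all four columns set to 1
    'bettycrocker|Articles/index' => array('create' => 1, 'read' => 1, 'update' => 1, 'delete' => 1),
    // a crud-style 'read' grant placed on an action node by mistake
    'bettycrocker|Articles/view' => array('create' => 0, 'read' => 1, 'update' => 0, 'delete' => 0),
    // allow(..., 'Articles', 'read'): the grant crud mode expects
    'bettycrocker|Articles' => array('create' => 0, 'read' => 1, 'update' => 0, 'delete' => 0),
);
// index/view => read and edit => update come from the tutorial text;
// the add and delete entries are assumptions added for this sketch.
$actionMap = array('index' => 'read', 'view' => 'read', 'edit' => 'update',
                   'add' => 'create', 'delete' => 'delete');

// actions mode: the ACO is "Controller/action" and every column must be exactly 1.
function checkActionsMode($perms, $aro, $controller, $action) {
    $key = $aro . '|' . $controller . '/' . $action;
    if (!isset($perms[$key])) {
        return false; // no row for this node: deny
    }
    foreach ($perms[$key] as $value) {
        if ($value !== 1) {
            return false; // a single 0 or -1 blocks the whole node
        }
    }
    return true;
}

// crud mode: the ACO is the controller and only the mapped column is consulted.
function checkCrudMode($perms, $actionMap, $aro, $controller, $action) {
    $key = $aro . '|' . $controller;
    if (!isset($perms[$key]) || !isset($actionMap[$action])) {
        return false; // unknown ACO or unmapped action: deny by default
    }
    return $perms[$key][$actionMap[$action]] === 1;
}

foreach (array('index', 'view', 'edit') as $action) {
    printf("/articles/%-5s  actions: %-7s  crud: %s\n", $action,
        checkActionsMode($perms, 'bettycrocker', 'Articles', $action) ? 'allowed' : 'denied',
        checkCrudMode($perms, $actionMap, 'bettycrocker', 'Articles', $action) ? 'allowed' : 'denied');
}
```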

Synchronizing Users and Aros

The Authentication Component typically maintains a user table to store usernames and passwords. It is necessary to maintain a synchronization between the system’s user tables and the ACL’s aros table.

The ACL Behavior is a very useful tool to help maintain this synchronization.

Whether you use the built-in behavior or not, you must make sure that the following synchronization is maintained:

  • when users are added to a user table, corresponding rows are added to the aros table;
  • when groups are added to a group table, corresponding rows are added to the aros table;
  • any hierarchy set up within the user or group tables must be transferred to the tree represented by the aros table;
  • as users or groups are deleted, the corresponding rows in the aros table are removed along with any linked rows in the aros_acos table;
  • if a user’s parent group is modified, then the ‘parent_id’ AND ‘lft’ and ‘rght’ values in the aros table linked to the user also need to be modified to ensure proper permission inheritances are maintained.
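An audit of the synchronization rules listed above, as an added sketch that is not part of the original tutorial or of the ACL Behavior. It reports users with no ARO, AROs whose user row is gone, and permission rows that still point at a missing or stale ARO. The sample rows are constructed, `auditAclSync` is a hypothetical name, and the `model`, `foreign_key` and `aro_id` column names are assumptions about the table layout.

```php
<?php
// Constructed sample rows (not from a real site). The model, foreign_key and
// aro_id column names are assumptions about the table layout for this sketch.
$users = array(
    array('id' => 1, 'username' => 'bettycrocker'),
    array('id' => 3, 'username' => 'newcook'),   // user added without an ARO
);
$aros = array(
    array('id' => 10, 'model' => 'User', 'foreign_key' => 1, 'alias' => 'bettycrocker'),
    array('id' => 11, 'model' => 'User', 'foreign_key' => 2, 'alias' => 'formerchef'),
);
$arosAcos = array(
    array('id' => 100, 'aro_id' => 10),
    array('id' => 101, 'aro_id' => 11),  // grant still held by the stale ARO
    array('id' => 102, 'aro_id' => 12),  // ARO 12 no longer exists
);

function auditAclSync($users, $aros, $arosAcos) {
    $report = array('users_without_aro' => array(), 'aros_without_user' => array(),
                    'grants_to_remove' => array());
    $userIds = array();
    foreach ($users as $user) {
        $userIds[$user['id']] = true;
    }
    $liveAroIds = array();  // AROs that still map to something that exists
    $linked = array();      // user ids that have an ARO
    foreach ($aros as $aro) {
        if ($aro['model'] !== 'User') {
            $liveAroIds[$aro['id']] = true;  // group AROs are not audited here
        } elseif (isset($userIds[$aro['foreign_key']])) {
            $liveAroIds[$aro['id']] = true;
            $linked[$aro['foreign_key']] = true;
        } else {
            $report['aros_without_user'][] = $aro['alias'];
        }
    }
    foreach ($users as $user) {
        if (!isset($linked[$user['id']])) {
            $report['users_without_aro'][] = $user['username'];
        }
    }
    foreach ($arosAcos as $row) {
        if (!isset($liveAroIds[$row['aro_id']])) {
            $report['grants_to_remove'][] = $row['id'];
        }
    }
    return $report;
}

print_r(auditAclSync($users, $aros, $arosAcos));
```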

Apr 15, 09:05 AM Comment [1]

CakePHP ACL Tutorial: Initial Setup

This is part of a series of tutorials on the ACL Component. View full index of ACL Tutorial Articles

To begin using the ACL Component, you must first create the database tables required by the component.

Using the Cake Console, you can run the following command to generate the required tables.

cake schema run create DbAcl

This replaces the older deprecated command, ‘initdb’.

If you are unable to run the console command, you can use the DbAcl Schema File as a guide to help you manually create your own database tables.

Once the database is configured, you will need to create some ACO and ARO rows in order to start using it.

Again, the Cake Console can be used to create elements in your ACL system. The following command within the cake console will help provide some insight into how to use this feature:

cake acl help

There is a lot of flexibility with how you create and name your own ACL elements, so it is important to consider your own needs when planning this out. However, the following series of commands might represent a common set of commands to run when initializing an ACL setup.

cake acl create aro ROOT guests
cake acl create aro guests users
cake acl create aro users admins
cake acl create aro users betty
cake acl create aco ROOT site
cake acl create aco site Articles
cake acl create aco site Recipes
cake acl create aco site Lists
cake acl grant admins site *
cake acl grant users Articles read
cake acl grant users Recipes read
cake acl grant betty Recipes update

You should now be able to run the following commands with the displayed results:

cake acl check betty Recipes read
--> betty is allowed
cake acl check betty Recipes delete
--> betty is not allowed
cake acl check admins Lists create
--> admins is allowed

If this is all working so far, you might want to dig into your database and take a look at the database tables for a better understanding of what a functioning ACL system looks like.

More information about the ACL Component’s database tables.
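Why the three checks above come out as they do, as an added sketch that is not part of the original tutorial: a simplified model of permission inheritance over the ARO and ACO trees built by the console commands. It is not CakePHP's lookup code; the arrays are constructed from the commands above, the function names are hypothetical, and the rule that the nearest explicit value wins is an assumption of the model.

```php
<?php
// Constructed model of the trees built by the console commands above
// (child => parent; null marks a node created directly under ROOT).
$aroParent = array('guests' => null, 'users' => 'guests', 'admins' => 'users', 'betty' => 'users');
$acoParent = array('site' => null, 'Articles' => 'site', 'Recipes' => 'site', 'Lists' => 'site');

// Grants keyed "aro|aco"; columns that are not listed are unset and inherit.
$grants = array(
    'admins|site'    => array('create' => 1, 'read' => 1, 'update' => 1, 'delete' => 1),
    'users|Articles' => array('read' => 1),
    'users|Recipes'  => array('read' => 1),
    'betty|Recipes'  => array('update' => 1),
);

// Returns the node followed by its ancestors, most specific first.
function pathToRoot($parents, $node) {
    $path = array();
    while ($node !== null && array_key_exists($node, $parents)) {
        $path[] = $node;
        $node = $parents[$node];
    }
    return $path;
}

// Walks from the requested ACO up to the root; at each level the requester and
// then its ancestors are consulted. No explicit value anywhere means deny.
function aclCheck($aroParent, $acoParent, $grants, $aro, $aco, $action) {
    foreach (pathToRoot($acoParent, $aco) as $acoNode) {
        foreach (pathToRoot($aroParent, $aro) as $aroNode) {
            $key = $aroNode . '|' . $acoNode;
            $value = isset($grants[$key][$action]) ? $grants[$key][$action] : 0;
            if ($value === -1) {
                return false;
            }
            if ($value === 1) {
                return true;
            }
        }
    }
    return false;
}

$checks = array(array('betty', 'Recipes', 'read'), array('betty', 'Recipes', 'delete'),
                array('admins', 'Lists', 'create'), array('guests', 'Recipes', 'read'));
foreach ($checks as $c) {
    $ok = aclCheck($aroParent, $acoParent, $grants, $c[0], $c[1], $c[2]);
    printf("%s %s %s --> %s\n", $c[0], $c[1], $c[2], $ok ? 'allowed' : 'not allowed');
}
```

The fourth check is not in the tutorial: it shows that a grant made to `users` flows down to `betty` but not up to the parent `guests` node.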

Apr 15, 08:12 AM Comment

CakePHP ACL Tutorial: Auth Component Example

This is part of a series of tutorials on the ACL Component. View full index of ACL Tutorial Articles

The following example should provide a quick overview of how the ACL Component is used to restrict site access, if it is used in conjunction with the built-in Authentication Component.

1. Betty Crocker attempts to visit the url:

http://www.cakephp.org/recipes/edit

2. Parsing the URL

When the request is made, the Authentication Component determines that the requested URL corresponds to the controller named Recipes and the action named edit which corresponds to the action type of update.

3. Is Page Restricted?

The Authentication Component determines that access to this combination of controller and action is restricted, so it checks to see if the user has been logged in.

4. Display Login Form

Since the user has not been logged in, the Authentication Component redirects the user to a login form which requests a username and password.

5. Match Username

After submitting the form with a username and password that match an entry in the user database, the Authentication Component determines that the user’s name is bettycrocker.

6. Ask ACL For Access

The Authentication Component asks the ACL Component if the user named bettycrocker is allowed to update models governed by the Recipes controller.

7. ACL Determines Access

The ACL Component then examines its data tables and discovers that the user bettycrocker has no explicitly set permissions for any pages of the site. It determines, however, that she is a member of the chefs group, and that any user in the group chefs has the ability to update Recipes, so the ACL Component responds that,

since bettycrocker is a chef, she has the inherited permission to update recipes.

8. Auth Delivers Page

Upon learning about this right of access, the Authentication Component directs the user to the requested page. Had permission not been granted, any one of a number of alternate pages would be displayed depending on how the Authentication Component

Key Point: ACL Must Be Used With A User Login System

What the example should make clear is that in this type of usage, the ACL Component’s job is to check to see if a submitted user has particular permissions, inherited or explicitly set, for a submitted page.

Therefore, the ACL Component must be used in conjunction with a component that does the following:

  • stores usernames and passwords;
  • collects a username and password from a login form;
  • matches the username and password to the stored values;
  • upon a successful match, submits this username to the ACL component along with information about the page being requested;
  • either displays the requested page or redirects the user to another page depending on whether the ACL component provides access to the requested page;

The built-in Authentication Component is a natural choice to use for the needed user login system.

Next Tutorial: Usage With Auth Component

Apr 14, 06:30 PM Comment


Aran World

I'm Aran Johnson and I make websites.

I primarily use: PHP, MySQL, SubVersion, CakePHP, TextPattern, Cream Text Editor, and Addi Turbo Needles
