
Cakephp: AuthComponent Evaluation Order and how to redirect to an action

Good day everyone. Regarding the Auth component, I am doing some tests to understand the tool better. In a proof of concept I want an authenticated admin user to be authorized to access any action, but if the authorized user has the "supervisor" role, they should only be able to access the actions index, view and edit in "RequestsController.php". I am trying this approach: 1) allow everything for the admin role and deny everything for anyone else in AppController.php. 2) Explicitly allow "supervisor" in "RequestsController.php" and deny any other role.

The doubt is that, after some tests, what happens is that if I authorize the admin user just in AppController.php the redirects only allow me to go to /webroot/, but if I allow the admin role in RequestsController.php I can see requests without problem.

isAuthorized method in AppController

    public function isAuthorized($user)
    {
        //privileges 1 means admin
        if ($user['privileges']==1){
            debug($user);
            return true;
        } else {
            debug($user);
            return false;
        }
    }

isAuthorized method in RequestsController

    public function isAuthorized($user)
    {
        //privileges 9 means supervisor
        if ($user['privileges']==9){
            debug($user);
            $action = $this->request->getParam('action');
            if (in_array($action, ['index', 'view', 'edit'])) {
                debug($user);
                return true;
            }
            return false;
        } else {
            debug($user);
            return false;
        }

    }

As I am not clear on the order in which the isAuthorized function is handled, or why the redirect to the Request happens (whether it is "AppController.php" or "RequestsController.php"), this makes me think that I'll have to explicitly authorize the admin role in all controllers.

When using ControllerAuthorize, AuthComponent will call the isAuthorized() method only on the active controller. So, in your example, when requesting any action from RequestsController, only RequestsController::isAuthorized() will be called, disallowing access to users whose privilege is anything other than 9.

If you want to allow admin users to access as well, you should change your RequestsController::isAuthorized() as follows:

    public function isAuthorized($user)
    {
        //privileges 9 means supervisor
        if ($user['privileges']==9){
            debug($user);
            $action = $this->request->getParam('action');
            if (in_array($action, ['index', 'view', 'edit'])) {
                debug($user);
                return true;
            }
            return false;
        } else {
            debug($user);
            return parent::isAuthorized($user); //changed this line
        }
    }

Additional info: CakePHP 3.x AuthComponent - Authorization
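To make the evaluation order concrete, here is an added example (not code from the question or the answer) that models ControllerAuthorize without CakePHP: only the active controller's isAuthorized() runs, so the "before" version denies admins on RequestsController while the "after" version delegates unknown roles to AppController. The class names mirror the question; the `$action` constructor argument and the guest user with privileges 3 are constructed stand-ins for `$this->request->getParam('action')` and a non-admin, non-supervisor account.

```php
<?php
// Added example: a framework-free model of ControllerAuthorize dispatch.
// Only the active controller's isAuthorized() is consulted, so the admin
// rule in AppController applies to RequestsController only if the child
// explicitly delegates with parent::isAuthorized().
class AppController
{
    public function __construct(protected string $action) {} // stands in for request->getParam('action')

    public function isAuthorized(array $user): bool
    {
        // privileges 1 means admin: allowed everywhere, everyone else denied by default
        return (int)($user['privileges'] ?? 0) === 1;
    }
}

// "Before": the else-branch returns false, so the parent's admin rule never runs.
class RequestsControllerBefore extends AppController
{
    public function isAuthorized(array $user): bool
    {
        if ((int)($user['privileges'] ?? 0) === 9) {          // supervisor
            return in_array($this->action, ['index', 'view', 'edit'], true);
        }
        return false;
    }
}

// "After": roles other than supervisor fall through to AppController's decision.
class RequestsController extends AppController
{
    public function isAuthorized(array $user): bool
    {
        if ((int)($user['privileges'] ?? 0) === 9) {          // supervisor
            return in_array($this->action, ['index', 'view', 'edit'], true);
        }
        return parent::isAuthorized($user);
    }
}

// Constructed sample users; privileges 3 is an arbitrary non-admin, non-supervisor role.
$users = ['admin' => ['privileges' => 1], 'supervisor' => ['privileges' => 9], 'guest' => ['privileges' => 3]];
foreach (['index', 'delete'] as $action) {
    foreach ($users as $role => $user) {
        $before = (new RequestsControllerBefore($action))->isAuthorized($user);
        $after  = (new RequestsController($action))->isAuthorized($user);
        printf("%-10s %-7s before=%-5s after=%s\n", $role, $action,
            var_export($before, true), var_export($after, true));
    }
}
```

The output table shows the admin denied on every RequestsController action in the "before" version and allowed in the "after" version, while the supervisor is still limited to index/view/edit and the guest stays denied in both.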
