Wednesday, December 1, 2010

Auth set up

I feel like I ought to know this, but am struggling <embarrassed>.

I am using the Auth component (not Acl). I have an isAuthorized
function in app_controller and another in my users_controller. The one
in users fires whenever someone calls an action in the users
controller; otherwise the one in app_controller is called.

I have allowed access to the 'create' and 'logout' actions in the
users_controller.

Here's my problem: if I allow access to the 'view' action, any user
can see any user record without being challenged even when not logged
in. If I leave 'view' out of $this->Auth->allow, no user has access to
it (not even the currently logged in user). Going to /users/view/1
simply redirects to the home page (saying I do not have sufficient
rights). Also, if I don't specifically allow access to 'logout', the
logout action fails. I thought this was allowed by default?

I'm on version 1.3.6. Anyone got any hints?

Code>>>

I have this in my app_controller:

var $components = array(
    ...,
    'Auth' => array(
        'authorize' => 'controller',
        'loginError' => 'Your username and/or password are incorrect. Please try again.',
        'authError' => 'You do not have sufficient privileges to view that page.',
        'logoutRedirect' => array(
            'prefix' => false,
            'controller' => 'about'
        )
    )
);

I have this in my users_controller:

function beforeFilter() {
    parent::beforeFilter();

    $this->Auth->allow(
        'create',
        'logout'
    );
}

// Called by Auth ('authorize' => 'controller') for every action of this
// controller that is not in allow(). It must return a boolean: falling
// off the end returns null, which Auth treats as "not authorized", so every
// protected action (including 'view' for the logged-in owner) gets refused.
function isAuthorized() {
    if (isset($this->params['pass'][0])) {
        if (!$this->Auth->user()) {
            $this->Session->setFlash('You must be logged in to view that record.', 'default', array('class' => 'no_entry'));
            // loginAction is a property of AuthComponent, not a method
            $this->redirect($this->Auth->loginAction);
            return false;
        }
        if ($this->Auth->user('id') == $this->params['pass'][0]) {
            $this->Session->setFlash('Welcome back', 'default', array('class' => 'success'));
            return true;
        }
        $this->Session->setFlash('You do not have permission to view that record.', 'default', array('class' => 'no_entry'));
        $this->redirect('/');
        return false;
    }
    $this->redirect('/');
    return false;
}
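As an added example (not the poster's code), here is the same setup with both isAuthorized() methods returning booleans and leaving the authError redirect to Auth, so a user can only open their own record and cannot reach other users' records by changing the id in the URL; the loginAction array and the 'role' column are assumptions.

```php
<?php
// app/app_controller.php (added example, assumed layout)
class AppController extends Controller {
    var $components = array(
        'Auth' => array(
            'authorize' => 'controller',
            'loginAction' => array('controller' => 'users', 'action' => 'login'),
            'authError' => 'You do not have sufficient privileges to view that page.',
        ),
    );

    // Fallback for controllers without their own isAuthorized(). Auth only
    // calls this for a logged-in user whose action is not in allow(), so no
    // login check is needed; a missing return would deny every action.
    function isAuthorized() {
        return (bool) $this->Auth->user();
    }
}

// app/controllers/users_controller.php
class UsersController extends AppController {
    function beforeFilter() {
        parent::beforeFilter();
        // allow() bypasses isAuthorized() completely: anything listed here is
        // public, so 'view' must stay out of the list for records to be protected.
        $this->Auth->allow('create', 'logout');
    }

    // Return true/false only. On false, Auth sets the authError flash and
    // redirects itself, so no manual redirect() is needed here.
    function isAuthorized() {
        $action = $this->params['action'];
        $id = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;

        // Record-level check: compare the id in the URL with the session user's
        // id, cast to string so '1' and 1 compare the same way.
        if (in_array($action, array('view', 'edit'))) {
            return $id !== null && (string) $this->Auth->user('id') === (string) $id;
        }
        // Everything else (index, delete, ...) is admin-only; the 'role'
        // field on the users table is an assumption of this example.
        return $this->Auth->user('role') === 'admin';
    }

    function logout() {
        $this->redirect($this->Auth->logout());
    }
}
```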
