Hi,
-- I've the blog tutorial and am working on my own app, an event booking system, which has user registration with two user roles - unsurprisingly called 'user' and 'admin'. :)
I want 'users' to be able to change their own details and book on an event, and 'admins' to be able to do the usual adminy things.
Authentication is working okay, but I can't get the authorisation element to work, using isAuthorized($user). If I log in as a non-admin user, I can still access the admin functions (by directly typing in the URL), all of which are prefixed with 'admin_'
I've looked all over this forum and beyond, but I can't find a solution. Can anyone please take a look at my code and see where I might be going wrong? It's starting to drive me mad and I'm thinking of just sticking a simple 'is the user an admin?' within each and every admin function.
I've tried it with and without Configure::write('Routing.prefixes', array('admin')); in my app's core.php
(I've edited out non-relevent code for brevity)
AppController.php
App::uses('Controller', 'Controller'); class AppController extends Controller {
public $components = array( 'Session', 'Auth' => array( 'loginRedirect' => array('controller' => 'users', 'action' => 'dashboard'), 'logoutRedirect' => array('controller' => 'pages', 'action' => 'home'), 'authError' => 'You must be logged in to view this page.', 'loginError' => 'Invalid username or password entered, please try again.', 'authenticate' => array( 'Form' => array('passwordHasher' => 'Blowfish', array('fields' => array('username' => 'email')))), 'authorize' => array('Controller') )); //// pages that can be viewed without being logged in
public function beforeFilter() { $this->Auth->allow('login','index','add','home'); }
//// check to see logged-in user is an admin public function isAuthorized($user) { // Any registered user can access public functions if (empty($this->request->params['admin'])) { return true; } // Only admins can access admin functions if (isset($this->request->params['admin'])) { return (bool)($user['role'] === 'admin'); } // Default deny return false; }
}
UsersController.php
App::uses('AppController', 'Controller');
class UsersController extends AppController { public $helpers = array('Html', 'Form', 'Session'); public $components = array('Session'); public function beforeFilter() { parent::beforeFilter(); $this->Auth->allow('login','index'); } public function login() { // if we get the post information, try to authenticate if ($this->request->is('post')) { if ($this->Auth->login()) { $this->Session->setFlash(__('Welcome, '. $this->Auth->user('fullname'))); $this->redirect($this->Auth->redirectUrl()); } else { $this->Session->setFlash(__('Invalid username or password')); } } }
public function dashboard() { //// code for dashboard stuff }
///// all the other code.....
}Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment