TinyAuth

RSS

18. Dec. 2011

TinyAuth – The fastest and easiest authorization for Cake2

18 Dec

The cake built in CRUD auth is way too powerful and way too slow and memory consuming. In 99% of all cases there is no need for that. Also, I never really used the groups + roles of the core ACL. Basic groups usually do the trick.

If you just want to have some basic control over the access to specific actions, you need sth else. Here it comes.

Preparations

Please make sure the Tools Plugin is properly loaded (see the plugin readme for details). If you plan on using prefixed routing (admin, …), enable those in your core.php or bootstrap.php.

I assume you already got the AuthComponent included in the $components array of your AppController. You probably also excluded all public views with sth like

$this->Auth->allow('contact_form'); # in beforeFilter() of the specific controllers

This here (in the contact controller) makes Auth skip this action completely. The action will be accessable to everybody right away.

This is especially important for your login/logout actions:

// UsersController
public function beforeFilter() {
    parent::beforeFilter();
    $this->Auth->allow('login', 'logout', 'register', ...);
}

Those actions should never trigger any Authorize module. All other actions then use our ACL to determine if access is granted or not.

You probably got a Role model (User belongsTo Role / User hasAndBelongsToMany Role) attached to the User. If you don’t want this, use Configure to store your keys like so:

// in your config.php if applicable or using Configure::write('Role', array(...))
$config['Role'] = array(
    // slug => identifier (unique magical number or maybe better a constant)
    'superadmin' => 1,
    'admin' => 2,
    'moderator' => 3,
    'helper' => 4,
    'user' => 5,
);

You should at least have an user – and maybe an admin role – for it to make sense.

You must also have some kind of Authentication in your AppController:

$this->Auth->authenticate = array('Form')); # uses username and password for login

Important: At least one type of authentication is necessary for any Authorize module to be usable.

So far so good. You can login/logout and once you are logged in browse all non-public pages. Even admin pages, of course. Thats where the TinyAuth class comes in.

The code can be found at github.

First of all include it in your beforeFilter() method of the AppController:

$this->Auth->authorize = array('Tools.Tiny');

If you don’t place this code into your “Tools” plugin, make sure to remove the Tools. prefix then.

Now create a file in /Config/ called acl.ini like so:

[Tools.Countries]
* = superadmin ; this is a comment
 
[Account]
edit,change_pw = *
 
[Activities]
admin_index,admin_edit,admin_add,admin_delete = admin,superadmin
index = *
 
[Users]
index,search = user
* = moderator,admin

The format is normal PHP INI style. I already included all kind of examples. * is a placeholder for “any”. The plugin prefix for controllers is not necessary as of now (maybe for Cake3 where the same controller name is allowed multiple times due to PHP5.3 namespaces). Comments in ini files start with “;”.

Explanations:

Superadmin can access all Countries actions
Account actions are accessable by all roles (and therefore logged in users)
Activities can be modified by all admins and listed by all everyone
Users can search and list other users, but only moderators and admins have access to all other actions

That’s it. Really easy, isn’t it?

Some details

TinyAuth expects a Session Auth User like so:

Auth.User.id
Auth.User.role_id (belongsTo - role key directly in the users table)

or so:

Auth.User.id
Auth.User.Role (hasAndBelongsToMany - multi role array containing all role keys)

As you can see it can manage both single and multile role setup. That’s sth the core one lacks, as well.

The current configuration is cached in the persistent folder by default. In development mode (debug > 0) it will be regenerated all the time, though. So remember that you have to manually clear your cache in productive mode for changes to take effect!

Quicktips

If you have a cleanly separated user/admin interface there is a way to allow all user actions to users right away;

$this->Auth->authorize = array('Tools.Tiny'=>array('allowUser'=>true));

Only for admin views the authorization is required then.

If you got a “superadmin” role and want it to access everything automatically, do this in the beforeFilter method of your AppController:

$userRoles = $this->Session->read('Auth.User.Role');
if ($userRoles && in_array(Configure::read('Role.superadmin'), $userRoles)) {
    # Skip auth for this user entirely
 $this->Auth->allow('*'); // cake2.x: `$this->Auth->allow();` without any argument!
}

UPDATE 2012-01-10

The auth model can now be anything you like. It doesn’t have to be Role or role_id. The new cake2.x uses “groups” per default. You can easily adjust that now by passing aclModel => 'Group' or aclKey => 'group_id' to the Tiny class, for instance.

UPDATE 2013-03-10

Some will be happy to hear that the deeper “contained” Role array is now supported besides the flat array of role keys. This deep/verbose array of roles has been introduced in Cake2.2 with the new “contain” param for Auth. So it made sense to support this in TinyAuth. See the test case for details.

Notes

NOTE 2012-02-25

It seems that especially new-beys seem to mix up the meaning of * in the ACL. Although it is already laid out in the above text I will try to make it more clear: This any placeholder for “roles” only refers to those users that are logged in. You must not declare your public actions this way! All those must be declared in your controller using $this->Auth->allow() (in earlier versions of cake `$this->Auth->allow(‘*’)).

The reason is that Authenticate comes before Authorize. So without Authentication (logged in) there will never be any Authorization (check on roles).

NOTE 2013-02-12

You can use this in conjunction with my Auth class for a quick way to check on the current user and its role(s) anywhere in your application:

App::uses('Auth','Tools.Lib'); // in your bootstrap
 
if (Auth::id()) {
    $username = Auth::user('username');
    // do sth
}
 
if (Auth::hasRole(Configure::read('moderator'))) { // if you used configure slugs
    // do sth
}
 
if (Auth::hasRoles(array(ROLE_ADMIN, ROLE_MODERATOR)) { // if you used configure and constants instead of magic numbers
    // do sth
}

See the inline class documentation or its test cases for details.

Upcoming

A shell to quickly modify the ini file (and batch-update for new controllers etc) should be ready some time soon.

There might some day also the possibility to use a database and some CRUD backend to manage the ACL. It would only need a few tables and controllers/views. If someone wants to help, go for it.

TinyAuth – The fastest and easiest authorization for Cake2

0.00 / 5 5
1 / 5
2 / 5
3 / 5
4 / 5
5 / 5

0 votes, 0.00 avg. rating (0% score)

46 Comments

Posted by Mark in CakePHP

Tags: Access, ACL, Auth, Authentication, Authorization, cake2.x, CakePHP, Login, Security

Matt

January 2, 2012 at 17:19

This is really great and something sorely missing from the core Cake distro. My only suggestion is that you do not assume the reader has so much in place already. I suspect most people who are looking for something like this are doing so because they could not get the complicated aro/aco stuff working easily and would love a step-by-step of getting tinyAuth up and running.

Also, the examples and tutorials in the cookbook 2.0 have users/groups tables instead of users/roles. You might want to specify the schema your plugin expects since it is different from those.

Matt

January 2, 2012 at 17:24

There is one thing I am having trouble with. When an action is not allowed, the site just hangs and returns nothing. Any suggestions on how to have it return some kind of page, or return back to where it came from with a flash error message?

Here is what I have in my AppController beforeFilter()

//Configure AuthComponent
$this->Auth->authorize = array('Tools.Tiny');
$this->set('authUser', $this->Auth->user());
//$this->Auth->authenticate = array('Form');
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
$this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
$this->Auth->loginRedirect = array('controller' => 'contacts', 'action' => 'index');

Mark

January 2, 2012 at 22:40
Good points. I will have to refine it.

Ok, so roles in 1.3 have changed to groups in 2.0 then? But they still seem to be 1:N only (multiple roles/groups per user not possible). The documentation doesn't reveal much.

About your problem:
Your Auth component is responsable for that. The Tiny (or any other Auth for that matter) can only return true/false or the right to access this page. It used to redirect to /. But I opened a ticket (http://cakephp.lighthouseapp.com/projects/42648/tickets/2390-auth-component-should-not-redirect-to-index-if-loginredirect-is-set) because it doesnt make any sense if you are a logged in user (you would want to be redirected to $this->Auth->loginRedirect).
And thats exactly what the core Auth component does:
```
$this->flash($this->authError);
$controller->redirect($controller->referer('/'), null, true);
```
Matt

January 3, 2012 at 04:07

OK, I think I figured out part of the hanging issue. When a page is not authorized, it is trying to redirect to /, but that is also not authorized. I have not figured out how to specify / in the acl.ini file. It is probably obvious, but I'm still a cake newbie.
Mark

January 3, 2012 at 11:30

Well, that is a misconfiguration Your homepage (/) should always be public. Use $this->Auth->allow() in your controller for this action.
Forbin

January 7, 2012 at 15:37

Does this work in 1.3?

jetwes

January 9, 2012 at 12:24

I always get a failure after login:

Notice (8): Undefined index: role_id [APP/Plugin/Tools/Controller/Component/Auth/TinyAuthorize.php, line 69]

Mein Model ist so definiert:

class User extends AppModel{
            public $name = 'User';
            public $belongsTo = array(
                'Group' => array(
                    'className' => 'Group',
                    'foreignKey' => 'group_id',
                )
            );
 
            public $hasAndBelongsToMany = array(
                'Role' => array(
                    'className'                 => 'Role',
                    'joinTable'                 => 'roles_users',
                    'foreignKey'                => 'user_id',
                    'assosciationForeignKey'    => 'role_id',
                    'unique'                    => true,
                ),
                'Shop' => array(
                    'className'                 => 'Shop',
                    'joinTable'                 => 'shops_users',
                    'foreignKey'                => 'shop_user_id',
                    'assosciationForeignKey'    => 'shop_id',
                    'unique'                    => true,
                )
            );

Any Hints?
Good work – keep on!

Mark

January 9, 2012 at 12:32

You need to make sure the session contains the role information after logging the user in:

HABTM (multiple roles per user):
User.Role.id1,id2,…,idx,

BT (one role per user):
User.role_id
jetwes

January 9, 2012 at 17:32

got it, thanks again for the quick support! Is there a easy way to build a dynamic menu with the acls? (It depends on the role if a user can see the menu item)
Keep up the good work!
Mark

January 11, 2012 at 01:54

I updated the class to allow other parent model relations besides "User<–>Role". It should be closer to the cookbook now, where they use "Groups".

@jetwes
There sure is a way to do that. I would like to use sth like that very much, as well.
Basically we would need a helper to display certain "navigation" blocks and hide the ones you don't have access to. With caching this should be not too resource-eating…
Nitish

January 24, 2012 at 11:31

Hey Mark,

Thanks for the good work.

I am saying its good, because it looks like that & you won't claim it being the fastest & easiest..

I am a newbie in Cake, I have setup cake2.0 & I tried to follow your instructions but like "Matt" said, you can still make the tutorial more clear & to the point & step by step. I got confused at points like -

"If you don’t want this, use Configure to store your keys like so:"

I took some time to figure out that I need to do this in bootstrap file using Configure::write.. I am still not sure if this is the right way..

Basically, steps starting from we downloading cake & till the point where we are ready with a basic setup will be something that will help this a lot

Thanks & Hoping you help me out
Nitish

January 24, 2012 at 11:45

Actually .. Something like the book tutorial – http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html, will be really good
kozima

February 27, 2012 at 21:00

Does this work in 1.3?[2]
Mark

February 27, 2012 at 22:18

No. Pretty sure it won't work with < 2.0. Mainly because Auth greatly improved in 2.0 and works pretty different from what it used to.

But with some effort you might be able to downgrade it.
rihad

May 16, 2012 at 17:42

Hi, thanks for the code. But how do I use it? Where do I put tinyauthdb? https://github.com/justinledwards/tinyauthdb/blob/2.1/app/Controller/Component/Auth/TinyAuthorize.php
Then do I need to configure the Model if I'm not going to use a HABTM table? I'll be using a static array of roles instead. Could you add a few lines how to set this up and get running? Many of us are new to Cake, but have stringent job time limits Thanks.
rihad

May 17, 2012 at 13:03

I cannot authorize, although I pass the password authentication step.

authorize() in TinyAuthorize.php receives $user that lacks any joins to roles table:

array(
'id' => (int) 6,
'username' => 'rihad',
'created' => '2012-05-15 16:30:10',
'modified' => '2012-05-17 16:36:24',
)

so of course it can't find $user['Role']
Here's my user class:
class Milli extends AppModel {
public $hasAndBelongsToMany = array(
'Role' => array(
'className' => 'Role',
'joinTable' => 'roles_users',
'foreignKey' => 'user_id',
'assosciationForeignKey' => 'role_id',
'unique' => 'keepExisting'));

}

class Role is empty.

class MilliController extends AppController
public $components = array(
'Session',
'Auth' => array(
'loginRedirect' => array('controller' => 'milli', 'action' => 'index'),
'logoutRedirect' => array('controller' => 'milli', 'action' => 'index'),
'authenticate' => array('Form' => array('userModel' => 'Milli')),
'authorize' => array('Tiny' => array('aclModel' => 'Role')),
'loginAction' => array('controller' => 'milli', 'action' => 'login')));

public function beforeFilter() {
$this->Auth->allow('login', 'logout');
}

Please help…

rihad

May 17, 2012 at 13:05

sorry here's the code again:

array(
        'id' => (int) 6,
        'username' => 'rihad',
        'created' => '2012-05-15 16:30:10',
        'modified' => '2012-05-17 16:36:24',
)
 
so of course it can't find $user['Role']
Here's my user class:
class Milli extends AppModel {
        public $hasAndBelongsToMany = array(
                        'Role' => array(
                            'className'                 => 'Role',
                            'joinTable'                 =>
'roles_users',
                            'foreignKey'                => 'user_id',
                            'assosciationForeignKey'    => 'role_id',
                            'unique'                    =>
'keepExisting'));
 
}
 
class Role is empty.
 
class MilliController extends AppController
       public $components = array(
                'Session',
                'Auth' => array(
                        'loginRedirect' => array('controller' =>
'milli', 'action' => 'index'),
                        'logoutRedirect' => array('controller' =>
'milli', 'action' => 'index'),
                        'authenticate' => array('Form' =>
array('userModel' => 'Milli')),
                        'authorize' => array('Tiny' =>
array('aclModel' => 'Role')),
                        'loginAction' => array('controller' =>
'milli', 'action' => 'login')));
 
        public function beforeFilter() {
                $this->Auth->allow('login', 'logout');
        }

Please help…

Mark

May 17, 2012 at 13:08

tinyauthdb is not my project. so i am not familiar with that.
regarding your second post – did you place it in the plugin or in the app?

make sure recursive is high enough.
I use my own AuthExt class which does that all for me.
You might want to do this, as well.

PS: with cake2.2 you can now set containable for this data, as well.
rihad

May 17, 2012 at 16:18

Thanks for replying, Mark. I put it in my app's Controllers/Components/Auth/
recursive is 1 by default and should be enough"
"1 Cake fetches a Group, its domain and its associated Users"
I'll still try setting it to 2 or 3 tomorrow and see.

Other than that should the retrieval of user data and joins happen automagically? All I have is a user model with HABTM to roles through roles_users. No reverse relationships of any kind.
Mark

May 17, 2012 at 16:21

The core itself usually only supports belongsTo (single role) – therefore the user itself should have sufficed so far.
That's why I recommend the AuthExt component to modify it accordingly.
rihad

May 17, 2012 at 17:32

You mean a class that subclasses TinyAuthorize? Then how would I change "recursive" from there? Isn't it in the model's config?
Mark

May 17, 2012 at 17:33

No, subclassing AuthComponent and overriding the part where it only fetches the User record itself.
Or – as mentioned before – ugprade to 2.2 and use contain
rihad

May 18, 2012 at 06:15
Hi, Mark. As you suggested I've added recursive => 1
```
public $components = array(
                'Session',
                'Auth' => array(
                        'authenticate' => array('Form' => array('userModel' => 'Milli', 'recursive' => 1)),
                        'authorize' => array('Tiny' => array('aclModel' => 'Role')),
```
And now _findUser() in BaseAuthenticate.php indeed fetches the user deeply with its Role. But TinyAuth still is getting the shallow user in its authorize(). Would you happen to know what's going on? The session (/tmp/sess_* files) is lacking the Role stuff.
rihad

May 18, 2012 at 06:56

Maybe I should be doing manual joins, as described in the docs and as is required for HABTM tables? See "Joining Tables" towards the end of http://book.cakephp.org/2.0/en/models/associations-linking-models-together.html

AFAIK joins can only be specified in the find() calls. But how do I affect the joins if they're only called internally from within the Auth subsystem? Should I be doing that anyway?

rihad

May 18, 2012 at 07:53

I've tried adding joins in my User model beforeFind():

public function beforeFind(array $query) {
                $query['joins'] = array(
                        array(
                                'table' => 'roles_users',
                                'alias' => 'RolesUser',
                                'type' => 'INNER',
                                'conditions' =>
array('Milli.id=RolesUser.user_id')),
                        array(
                                'table' => 'roles',
                                'alias' => 'Role',
                                'type' => 'INNER',
                                'conditions' =>
array('RolesUser.role_id=Role.id')));
 
                return $query;
        }

Now Model::find() correctly does receives the join info:
/lib/Cake/Model/Model.php (line 2676)

array(
        'conditions' => array(
                'Milli.username' => 'rihad',
                'Milli.password' => '17bce4ac9c39019189b7bba280af55de9fe1d9a7'
        ),
        'fields' => null,
        'joins' => array(
                (int) 0 => array(
                        'table' => 'roles_users',
                        'alias' => 'RolesUser',
                        'type' => 'INNER',
                        'conditions' => array(
                                (int) 0 => 'Milli.id=RolesUser.user_id'
                        )
                ),
                (int) 1 => array(
                        'table' => 'roles',
                        'alias' => 'Role',
                        'type' => 'INNER',
                        'conditions' => array(
                                (int) 0 => 'RolesUser.role_id=Role.id'
                        )
                )
        ),
        'limit' => (int) 1,
        'offset' => null,
        'order' => array(
                (int) 0 => null
        ),
        'page' => (int) 1,
        'group' => null,
        'callbacks' => true,
        'recursive' => (int) 2

But the User is still fetched with Role side by side, so
BaseAuthenticate ignores Role.

array(
        (int) 0 => array(
                'Milli' => array(
                        'password' => '*****',
                        'id' => (int) 6,
                        'username' => 'rihad',
                        'password_expiration' => null,
                        'created' => '2012-05-15 16:30:10',
                        'modified' => '2012-05-18 10:14:07',
                        'last_accessed' => null
                ),
                'Role' => array(
                        (int) 0 => array(
                                'id' => (int) 1,
                                'alias' => 'operations',
                                'RolesUser' => array(
                                        'id' => (int) 6,
                                        'role_id' => (int) 1,
                                        'user_id' => (int) 6
                                )
                        )
                )
        )
)

I'm expecting Role to be nested inside Milli, or something like that.

Please help, it's a SNAFU, I've invested too much of my limited time
to get the job done, it's too late to go looking for a working
framework I admit that it's probably a misconfiguration from my
part. But I can't fix it.

rihad

May 18, 2012 at 10:17

OK, I've worked around this deficiency by doing 2 things:
(1) added 'recursive' => 1 to AuthI

public $components = array(
                'Auth' => array(
                        'authenticate' => array('Form' =>
array('userModel' => 'Milli', 'recursive' => 1)),

(2) writing afterFind() callback in my model:

public function afterFind(array $query) {
                if (count($query) == 1) {
                        # single result fetched
                        $record = &$query[0];
                        if (isset($record['Role']) &&
is_array($record['Role'])) {
                                $roles = array();
                                foreach ($record['Role'] as $role)
                                        $roles[] = $role['RolesUser']
['role_id'];
                                $record[$this->alias]['Role'] =
$roles;
                                unset($record['Role']);
                        }
                }
 
                return $query;
        }

You bet this is ugly! But works.
There's one small problem, though. When I remove currently logged in user's role to access a specific resource, he can still do so. Looks like authorize() accesses Session data, and Session has active user roles cached.

Augusto

August 3, 2012 at 06:27

I can't get to work the part to allow superadmin access everything. Altough superadmin is logged in, it does not allow that role to access everything. Therefore I must setup all actions in acl.ini to make it work. Any ideas?
Mark

August 3, 2012 at 09:37

Did you apply the quicktip from above? Make sure that the Role array in your Session is filled. If you use a single role based approach, you would have to check User.role_id in the session instead (not User.Role)
Augusto

August 3, 2012 at 16:07

Sent last post by mistake. What I changed was $this->Auth->allow('*') to $this->Auth>allow() (I'm using 2.2.1). Now it's working perfectly!
Mark

August 3, 2012 at 16:21

exactly, as noted in "NOTE 2012-02-25 ms" at the bottom
Augusto

August 3, 2012 at 18:09
*facepalm*
Anyways, you state that "You must not declare your public actions this way! All those must be declared using
```
$this->Auth->allow()
```
."
But here I am not trying to allow access to anyone to public actions, but to allow superadmin (after he has logged in as so) access non-public actions (as showed in the
```
$this->Auth->allow('*');
```
snippet, that I had to modify). What am I getting wrong? :s
Mark

August 3, 2012 at 18:37
The difference is HOW you do it. If you do it inside the beforeFilter for the superadmin role only it will also only affect users with this role. makes sense, doesn't it? Just include the check from above:
```
if (in_array(Configure::read('Role.superadmin'), $userRoles)) {
    //only then allow all
}
```

Augusto

August 3, 2012 at 19:59

That's understood. I think I didn't express myself well. What I modified was:

public function beforeFilter() {
    parent::beforeFilter();
    if (/* checks logged user is admin */) {
        $this->Auth->allow('*');
    }
}

To this to make it work:

public function beforeFilter() {
    parent::beforeFilter();
    if (/* checks logged user is admin */) {
        $this->Auth->allow();
    }
}

Mark

August 3, 2012 at 20:12

that's true. it depends on what cake version you are using.
in earlier versions it was '*' now it is just no arguments.
I updated the tutorial to make it clearer thank you for pointing that out.
Augusto

August 3, 2012 at 20:20

That's great! Keep up the good work…

Thanks again
Chyrus

August 20, 2012 at 13:01
Hi. How can i use TinyAuth without user table? I created user model
```
App::uses('AppModel', 'Model');
/**
 * User Model
 *
 */
class User extends AppModel {
	public $useTable = false;
}
```
andi get error:
Error: Call to a member function find() on a non-object
File: /home/chyrus/projekty/seotool/www/app/Plugin/Tools/Controller/Component/Auth/TinyAuthorize.php
Line: 162
Mark

August 22, 2012 at 12:22
You need to make Configure::read($this->settings['aclModel']); work

So provide them in Configure as described above in your bootstrap/config etc:
```
$config['Role']  = ...
```
frzfrz

November 9, 2012 at 16:03

I see the code of TinyAuth and I want to use the public function validate() to do individual checks for certain roles to show edit buttons etc. But I cant find a way to access validate(), is there any?
Mark

March 1, 2013 at 20:35

@frzfrz: See my updated note at the bottom about Auth class

Bacon

March 10, 2013 at 18:26

Hello, thanks for great plugin, but I am stucked at the moment… When I try access for example /users/add, I am redirected to /.

My AppController:

class AppController extends Controller {
 
    public $components = array(
      'Auth' => array(
        'authenticate' => array(
          'Blowfish' => array(
            'contain' => array(
              'Group' => array(
                'fields' => array(
                  'id'
              )
            )
          ) 
          )
        )
      )
    );
 
    public function beforeFilter() {
 
      $this->Auth->authorize = array(
        'Tools.Tiny' => array(
          'aclModel' => 'Group' 
        )
      );
 
    }
 
  }

My acl.ini:

[Users]
add = Administrator

Session array:

[Auth] => Array
        (
            [User] => Array
                (
                    [id] => 1
                    [username] => Bacon
                    [email] => 
                    [Group] => Array
                        (
                            [0] => Array
                                (
                                    [id] => 1
                                    [GroupsUser] => Array
                                        (
                                            [id] => 1
                                            [user_id] => 1
                                            [group_id] => 1
                                        )
 
                                )
 
                            [1] => Array
                                (
                                    [id] => 2
                                    [GroupsUser] => Array
                                        (
                                            [id] => 2
                                            [user_id] => 1
                                            [group_id] => 2
                                        )
 
                                )
 
                        )
 
                )
 
        )

Any idea, please?

Mark

March 10, 2013 at 18:31
It tries to look for the ids in User.Group directly – as find(list) would return them.
You need to put them in as flat array of ids.
```
User.Group => array(1, 2, 3, ...)
```
.
or enhance the component.
Bacon

March 10, 2013 at 18:52

Wow, what an extremely quick reply! Thanks. I was afraid of that… Hope I will find solution to convert it to flat array.
Mark

March 13, 2013 at 14:19

You will be happy to hear that the deeper "contained" Role array is now supported
Bacon

March 16, 2013 at 03:41

Mark, many thanks for your work! I finally got it working.

But I would like to say, that maybe you should mention, that Group.alias (or Role.alias) have to be in lowercase in order to work. Took me few hours to realize, why am I not authorized to action, even if I have it set properly.

Well, now it works, that in my acl.ini I can have:
[Users]
info = admin
OR
info = Admin

and it would work because every role from .ini will be converted to lowercase (because $newRole = Configure::read($this->settings['aclModel'] . '.' . strtolower($role));).

But if you have $this->settings['aclModel']['Admin'], it won't work, because $newRole is looking for ['admin']. I don't know if it is bug or feature, but I think it should be mentioned for other users to realize. Or maybe you can convert roles to lowercase also when you write them to config (Configure::write($this->settings['aclModel'], $availableRoles);).

I am wondering that I am the only one with this issue… Keep your great work!
Eric

June 5, 2013 at 16:07

I was wondering if anyone would know where the best place would be to put a restriction for something like 'RolesUser.site_id => 2' I am working on a SaaS app so I have 1 User to many roles but I need to select only roles pertaining to the domain(site_id) they are on

$this->Auth->authenticate = array(
'Form' => array(
'scope' => array('RolesUser.site_id' => $result['Sites']['site_id']),
'recursive' => 1,
)
);

But it doesnt work

Eric

June 7, 2013 at 16:55

Ok I got it sorted and Im posting what I did to make it work.

class User extends AppModel {
 
    public $primaryKey = 'id';
    public $hasAndBelongsToMany = array(
	'Role' => array(
	    'className' => 'Role',
	    'joinTable' => 'roles_users',
	    'foreignKey' => 'user_id',
	    'assosciationForeignKey' => 'role_id',
	    'unique' => 'keepExisting'
	)
    );
 
    function __construct($id = false, $table = null, $ds = null) { 
        $this->hasAndBelongsToMany['Role']['conditions'] = array('RolesUser.site_id' => Configure::read('Settings.site_id')); 
        parent::__construct($id, $table, $ds); 
    }

The only issue Im still having and I dont thinkits tied to Tiny is I cant get the fields to work so I can use email instead of username

Search the site
Search
Bitcoin Donation
Fast, anonymous and without transaction fees!
161AcnPykE42e4ErQNR9B73Bb78Jy81AN6
Tags
Access ACL Auth Authentication Authorization Bake beforeValidate Behavior Behaviors Bootstrap Cake1.3 Cake2 cake2.x CakePHP Code Completion Component Console Custom Template Database Default Values Dummy Values Forms Helper HTML5 Lib Login Model PHP PHP5 PHP5.4 PHPUnit Placeholder Plugin redirect Security Shell Subversion SVN Properties Tips Tortoise Unit-Tests Useful functions Validation Validator XHTML
Categories
- Common (6)
- VersionControl (6)
  - Git (2)
  - SVN (5)
- WebDevelopment (100)
  - HTML (1)
  - JS (2)
    - jQuery (2)
  - PHP (96)
    - CakePHP (86)
  - Testing (3)
Recent Posts
Recent Comments
Calendar
December 2011

M T W T F S S

« Nov Jan »

1 2 3 4

5 6 7 8 9 10 11

12 13 14 15 16 17 18

19 20 21 22 23 24 25

26 27 28 29 30 31
Archives
Pages
Popular Posts
Top Rated
- CakePHP and SEO (97%)
- CakePHP and Tree structures (97%)
Bookmark this
Facebook Google+ Twitter Pinterest

Delicious Digg Fark Google Instapaper LinkedIn MySpace Newsvine Pocket Readability Reddit StumbleUpon Tumblr Yahoo!

DerEuroMark

Leave a Reply

Search the site

Bitcoin Donation

Categories

Recent Posts

Recent Comments

Calendar

Archives

Pages

Top Rated

Bookmark this

December 2011
M	T	W	T	F	S	S
« Nov				Jan »
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

DerEuroMark

TinyAuth – The fastest and easiest authorization for Cake2

Preparations

TinyAuth

Some details

Quicktips

UPDATE 2012-01-10

UPDATE 2013-03-10

Notes

NOTE 2012-02-25

NOTE 2013-02-12

Upcoming

Leave a Reply

Search the site

Bitcoin Donation

Tags

Categories

Recent Posts

Recent Comments

Calendar

Archives

Pages

Popular Posts

Top Rated

Bookmark this