cakephp manage correctly permission in beforeFilter

0
votes

I have a little problem isnisde my controller. I want that a user can access only inside some pages an andmin user inside more pages.

I have a controller called UsersController this is its beforeFilter method

public function beforeFilter () {
        parent::beforeFilter(); // chiamo anche il callback beforeFilter dal parent per ottenere un'autorizzazione per l'utente loggato da tutte le viste $this->Auth->allow('index','view'); per tutti i Model 
        $views = array ('login','register','activate');
        if ($this->Session->read('is_logged')) {
            $views = array_merge ($views, array ('login','logout', 'change_password'));
            if ($user_type == 'admin') {
                $views = array_merge ($views, array ('add','delete','edit','create','index'));
            }
        }
        $this->Auth->allow($views);
    }

in this function guest can enter inside login, register and activate.
user logged can access inside login. logout and change_password, admin to the other pages more.

But this not works. For example a user logged can access inside the index view or add view.

Why this?

This is my beforeFilter inside appController:

public function beforeFilter () {
        $this->setReleaseData();

        $this->checkUserStatus();
        $this->updateTimezone();
        $this->setRedirect();

        if($this->Session->read('is_logged')){
            $auth_user = $this->Auth->user();
            $this->set('user_type', $auth_user['group']);
        }
    }

How can I manage correctly permission to enter in pages?

Thanks

2
phpcakephp

2 Answers

1
votes

I see you are not using an Authorization Handler, thus you will have to manually deny the access to actions

$this->Auth->deny(array('index', 'add', 'edit', 'etc'));

EDIT

I would actually start by denying access to everything, in your beforeFilter (AppController)

$this->Auth->deny();

and then in the beforeFilter() of you specific controller

if ($user_type == 'admin') {
    $this->Auth->allow('actionThatYouWantToGrantAccess');
}
1
votes

I'd look into Auth Controller a little more. Try using Admin Routing (Turned on in App/Config/core.php) along with $this->Auth->allow() which can be set by default beforeFilter() in the AppController.php and then set with in each controller's beforeFilter as well.

    /**
 * @var mixed[mixed]
 */
public $components = array(
    'Auth' => array(
        'autoRedirect' => false,
        'loginRedirect' => array(
            'admin' => true,
            'controller' => 'homes',
            'action' => 'index',
        ),
        'loginAction' => array(
            'controller' => 'users',
            'action' => 'login',
            'admin' => false,
            'plugin' => false,
        ),
        'authenticate' => array(
            'Form',
        ),
    ),
    'Session',
    'Cookie',
);

/**
 * Before Filter callback
 */
public function beforeFilter() {    
    // Allow public views
    $this->Auth->allow('index', 'view', 'display');
    }