0
votes

I know that there are plenty of questions about this topic, but as I understand it there should have been a bugfix. So I figure my problem must be a different one, since I am using CakePHP 2.5.6, which should have the bugfix already, correct?

Well, I am trying to adapt the "Simple Authentication and Authorization Application" to my project. As long as I don't add the line 'authorize' => array('Controller'), I can add users, log in, log out, and the login and logout redirects work fine.

As soon as I add that line the app behaves weirdly:

1. Login and the login redirect work.
2. users/logout leads to a Missing Controller error, because it calls a URL with a double base. It also calls the redirect URL of the login redirect and not of the logout redirect. When I call /users/logout the app tries to access localhost/project_xyz/project_xyz/tests

AppController:

App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'loginRedirect' => array(
                'controller' => 'tests',
                'action' => 'index'
            ),
            'logoutRedirect' => array(
                'controller' => 'pages',
                'action' => 'display',
                'home'
            ),
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish'
                )
            ),
            'authorize' => array('Controller'),
        )
    );

    // ControllerAuthorize calls this for every action that is not allow()ed
    public function isAuthorized($user) {
        // Admin can access every action
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }

        // Default deny
        return false;
    }

    public function beforeFilter() {
        $this->Auth->allow('display');
    }
}

Can somebody help?

[EDIT:]

I added this to the components array:

'unauthorizedRedirect' => [
    'controller' => 'users',
    'action' => 'login',
    'prefix' => false
]

The effect is that when I call users/logout now, instead of the previous Missing Controller error, I am redirected to users/login. Unfortunately the user has not been logged out. I can still access everything as if the user were still logged in.

[EDIT #2:]

public function login() {
    if ($this->request->is('post')) {
        if ($this->Auth->login()) {
            return $this->redirect($this->Auth->redirectUrl());
        }
        $this->Session->setFlash(__('Invalid username or password, try again'));
    }
}

public function logout() {
    return $this->redirect($this->Auth->logout());
}
1
Upgrade to the latest 2.6.x stable release. IIRC there was a bug related to redirection which was fixed. – ADmad

I did the upgrade to 2.6.1. Still the same error. – Doena

I just tried this: put 'logout' into the allow() call in the beforeFilter of AppController: $this->Auth->allow('display', 'logout'); Now at least the logout works. Unfortunately there are still other redirect issues: when I log in, I get logged in, but the redirect doesn't work the first time. Even though I can now access the protected areas, I will only be redirected if I submit the user credentials a second time. – Doena

Can you add your login and logout functions please. – JadedCore

Also, your isAuthorized() function appears to always return false unless the user is an admin. That means all of your other users will not be able to access any part of the site unless it is explicitly defined as allowed in $this->Auth->allow(). – JadedCore

1 Answer

3
votes

What seemed to be the problem is that 'logout' has to be in the beforeFilter, which I missed:

public function beforeFilter() {
    $this->Auth->allow('login','logout');
}

Still, this only works for me in combination with this in the components array of the AppController:

'unauthorizedRedirect' => [
    'controller' => 'users',
    'action' => 'login',
    'prefix' => false
]

If I leave this out and add some model-specific isAuthorized functions, I still get the Missing Controller error with the double base URL. There seems to be something wrong with the unauthorizedRedirect. This workaround will work for me though...
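As an added example, not code from the original question or answer: the layout below keeps the default-deny isAuthorized() in AppController but moves each allow() call into the controller that owns the action. 'login' and 'logout' are opened only in UsersController, so a non-admin can still end their session, and 'display' is opened only in PagesController instead of globally (an allow('display') in AppController would open an action named display in every controller). It assumes a stock CakePHP 2.x app with a users table holding id, username, password (bcrypt) and role columns, a TestsController, and app/View/Pages/home.ctp; the user ownership check in UsersController::isAuthorized() and the simplified display() action are illustrative.

```php
<?php
// Added example, not from the original post. Assumes a stock CakePHP 2.x
// app (users table with id/username/password/role, a TestsController).

// --- app/Controller/AppController.php ---
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'loginRedirect'  => array('controller' => 'tests', 'action' => 'index'),
            'logoutRedirect' => array('controller' => 'pages', 'action' => 'display', 'home'),
            // Where an authenticated but unauthorized user is sent, instead of
            // the referer-based default.
            'unauthorizedRedirect' => array('controller' => 'users', 'action' => 'login', 'prefix' => false),
            'authenticate' => array(
                'Form' => array('passwordHasher' => 'Blowfish')
            ),
            'authorize' => array('Controller'),
        )
    );

    // ControllerAuthorize calls this for every action that is not allow()ed.
    // Default deny: only admins pass; subclasses widen this deliberately.
    public function isAuthorized($user) {
        return isset($user['role']) && $user['role'] === 'admin';
    }

    public function beforeFilter() {
        parent::beforeFilter();
        // Nothing is allow()ed globally; each controller opens its own actions.
    }
}

// --- app/Controller/UsersController.php ---
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public function beforeFilter() {
        parent::beforeFilter();
        // login must be reachable anonymously; logout must be reachable by
        // non-admins too, otherwise ControllerAuthorize denies it and the
        // session is never destroyed.
        $this->Auth->allow('login', 'logout');
    }

    // Illustrative ownership rule: a logged-in user may view or edit only
    // their own record; everything else falls back to the admin-only default.
    public function isAuthorized($user) {
        if (in_array($this->action, array('view', 'edit'), true)) {
            $id = isset($this->request->params['pass'][0]) ? $this->request->params['pass'][0] : null;
            return $id !== null && (string)$user['id'] === (string)$id;
        }
        return parent::isAuthorized($user);
    }

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            }
            $this->Session->setFlash(__('Invalid username or password, try again'));
        }
    }

    public function logout() {
        // Auth::logout() clears the session and returns the normalized logoutRedirect.
        return $this->redirect($this->Auth->logout());
    }

    public function view($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        $this->set('user', $this->User->read(null, $id));
    }
}

// --- app/Controller/PagesController.php ---
App::uses('AppController', 'Controller');

class PagesController extends AppController {

    public $uses = array();

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('display'); // public pages, scoped to this controller only
    }

    // Simplified stand-in for the stock display(): renders app/View/Pages/<page>.ctp
    // and rejects anything that is not a plain page name.
    public function display($page = 'home') {
        if (!preg_match('/^[a-z0-9_]+$/', $page)) {
            throw new NotFoundException();
        }
        $this->render($page);
    }
}
```

With this layout, /users/logout is reachable for every role, so the session is actually cleared before the redirect to the logoutRedirect URL, and an authenticated non-admin hitting /tests is sent to /users/login by unauthorizedRedirect rather than back to the referer.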