I think I got a mistake in the Authorization of my App. I want only to allow to add Pages by users with an admin role. But I can access the add function with no problem. So here is what I did.
AppController
public function initialize()
{
parent::initialize();
$this->loadComponent('RequestHandler');
$this->loadComponent('Flash');
$this->loadComponent('Auth', [
'loginRedirect' => [
'controller' => 'Moves',
'action' => 'view'
],
'logoutRedirect' => [
'controller' => 'Pages',
'action' => 'display',
'home'
]
]);
public function beforeFilter(Event $event)
{
$this->Auth->allow(['index', 'view', 'display', 'english', 'italian', 'german']);
$this->Auth->loginAction = array('controller'=>'pages', 'action'=>'home');
$this->loadModel('Menus');
$main_de = $this->Menus->find('all', array(
'conditions' => array('Menus.action' => 'main_de')
));
$this->set('main_de', $main_de);
$main_us = $this->Menus->find('all', array(
'conditions' => array('Menus.action' => 'main_us')
));
$this->set('main_us', $main_us);
}
public function isAuthorized($user)
{
// Admin can access every action
if (isset($user['role']) && $user['role'] === 'admin') {
return true;
}
// Default deny
return false;
}
Pages
public function isAuthorized($user)
{
// All registered users can add articles
if ($this->request->action === 'add') {
return false;
}
// The owner of an article can edit and delete it
if (in_array($this->request->action, ['edit', 'delete'])) {
$articleId = (int)$this->request->params['pass'][0];
if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
return false;
}
}
return false;
}
EDIT: Found the solution, I forgot 'authorize' => 'Controller' in my loadComponent('Auth...
