good day everyone, regarding auth component I am doing some tests to understand better the tool, in a probe of concept i want that an authenticated admin user be authorized to access any action, but if the authorized user has the "supervisor" role only be able to the actions index, view and edit in the "RequestsController.php", I am trying this approach: 1) allow everything for admin role and deny everything for anyone else in AppController.php. 2) Allow explicitly "supervisor" in "RequestsController.php" and deny any other role.
The doubt is that after some tests what happens is that if I authorize the admin user just in AppController.php the redirects only allows me to go to /webroot/, but If I allow the admin role in RequestsController.php. I can see requests without problem
IsAuthorize method in AppController
public function isAuthorized($user)
{
//privileges 1 means admin
if ($user['privileges']==1){
debug($user);
return true;
} else {
debug($user);
return false;
}
}
IsAuthorize method in Requests Controller
public function isAuthorized($user)
{
//privileges 9 means supervisor
if ($user['privileges']==9){
debug($user);
$action = $this->request->getParam('action');
if (in_array($action, ['index', 'view', 'edit'])) {
debug($user);
return true;
}
return false;
} else {
debug($user);
return false;
}
}
As I am not clear in the order that the isAuthorized function is handled, or why the redirect to the Request (even if it is "AppController.php" or "RequestsController.php") So this makes me think that I'll have to explicity authorize the admin role in all controllers
