1
votes

I have used ACL in CakePHP 1.3 without a single issue; after 2 weeks of bitter frustration, it still does not work in CakePHP 2.0.

I have followed the Cake ACL tutorial EXACTLY, but nothing happens. All AROs are in correctly, same for ACOs and permissions.

After all this, I can enter all denied actions without a problem.

Here is my AppController:

    public $components = array(
        'Acl',
        'Auth' => array(
            'authenticate' => array(
                'Actions',
                'Form' => array(
                    'fields' => array('username' => 'email')
                ),
            )
        ),
        'Session', 'MathCaptcha', 'RequestHandler'
    );

In my beforeFilter:

    $this->Auth->actionPath = 'controllers';
    $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
    $this->Auth->logoutRedirect = array('controller' => 'pages', 'action' => 'home');
    $this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'profile');
    $this->Auth->allow('display');

Does someone have an idea what goes wrong? Thanks!

2 Answers

2
votes

The Auth component changed quite a bit from CakePHP 1.3 to 2.0. I bumped into similar issues migrating an app from 1.3 to 2.0. I found that setting the authorize option was where I needed to make my change:

In beforeFilter:

    $this->Auth->authorize = array(
        'Actions' => array(
            'userModel' => 'User',
            'actionPath' => 'users'
        )
    );

The userModel was the model class used in the Aro table. The actionPath is the root level of the actions that Acl checks in the Aco table.

You may also want to deny then allow:

    $this->Auth->deny('*');
    $this->Auth->allow('display');

Hope this helps.

2
votes

In CakePHP 2.0 I've done it this way:

app/Controller/AppController.php

    class AppController extends Controller {

        public $components = array(
            // other components...
            'Session',
            'Acl',
            'Auth' => array(
                // Setting AUTHORIZATION "What can you do?"
                'authorize' => array(
                    'Actions' => array(
                        'actionPath' => 'controllers'
                    )
                ),

                // Setting AUTHENTICATION "Who are you?"
                'authenticate' => array(
                    'Form' => array(
                        'fields' => array(
                            'username' => 'email', 'password' => 'password'
                        )
                    )
                )
            )
        );

        // other stuff...
    }

With this approach, ACL will do all the dirty work. It is not necessary to check permissions, as you probably know.

I believe you are OK with AROs and ACOs; no big deal. Just in case: http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html#simple-acl-controlled-application

The CakeBook for 2.0 shows a Console plugin called AclExtras that builds your ACOs. Your AROs will be built as users and groups are added/deleted. I've used this plugin to generate AROs for my already filled tables: http://www.alaxos.ch/blaxos/pages/view/plugin_acl. This works for 1.3, but there is a beta version for 2.0 that works OK.

After that, you must set up permissions. Manually (or from the Console), as this link describes: http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/part-two.html#setting-up-permissions. Or visually with Alaxos's plugin.

I hope this helps! It worked for me. I'm using CakePHP 2.0.2.
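Both answers take `Actions` out of `authenticate` and configure it under `authorize`. The following added example (not part of either answer and not CakePHP's own code) checks a `$components` declaration for that mistake; `adapterNames()` and `auditAuthConfig()` are hypothetical helper names, and the check cannot see an `authorize` value assigned later in `beforeFilter`.

```php
<?php
// Added example: static check of the Auth settings in a CakePHP 2.x $components array.
// adapterNames() and auditAuthConfig() are hypothetical helpers, not CakePHP API.
const AUTHORIZE_ADAPTERS = array('Actions', 'Crud', 'Controller'); // core 2.x authorize objects

// Return adapter names from a config that mixes 'Name' and 'Name' => array(settings).
function adapterNames($config)
{
    $names = array();
    foreach ((array)$config as $key => $value) {
        $name = is_int($key) ? $value : $key;
        if (is_string($name) && $name !== 'all') { // 'all' carries shared settings only
            $names[] = $name;
        }
    }
    return $names;
}

// Return a list of findings; an empty list means the declaration looks sound.
function auditAuthConfig(array $components)
{
    $auth = isset($components['Auth']) ? (array)$components['Auth'] : array();
    $authenticate = adapterNames(isset($auth['authenticate']) ? $auth['authenticate'] : array());
    $authorize = adapterNames(isset($auth['authorize']) ? $auth['authorize'] : array());

    $findings = array();
    foreach (array_intersect($authenticate, AUTHORIZE_ADAPTERS) as $name) {
        $findings[] = "'$name' is an authorize adapter but is listed under 'authenticate'";
    }
    if (!$authorize) {
        $findings[] = "no 'authorize' adapter: ACL permissions are never consulted";
    }
    return $findings;
}

// Constructed inputs: the question's declaration and the second answer's.
$question = array('Acl', 'Auth' => array(
    'authenticate' => array('Actions', 'Form' => array('fields' => array('username' => 'email'))),
), 'Session');
$answer = array('Session', 'Acl', 'Auth' => array(
    'authorize' => array('Actions' => array('actionPath' => 'controllers')),
    'authenticate' => array('Form' => array('fields' => array('username' => 'email'))),
));

foreach (array('question' => $question, 'second answer' => $answer) as $label => $components) {
    $findings = auditAuthConfig($components);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```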