Checking my application, I saw that every user can access all the actions in it. I'm using CakePHP's built-in ACL component... Checking permissions through the terminal correctly displays whether the user is allowed to call a certain action or not. But once I check the application in the browser, all users have access to every action. Any clue what could be causing this?
You can have CakePHP automatically handle things for you if you're using the built-in Auth and ACL components. To start, make sure you have an app_controller.php file in the app folder. Mine looks something like this:
<?php
class AppController extends Controller {
    var $helpers = array('Form', 'Html', 'Javascript', 'Time');
    // Acl has to be loaded alongside Auth: the 'actions' authorizer below
    // delegates every request to Acl->check().
    var $components = array('Acl', 'Auth', 'Session', 'Cookie');

    function beforeFilter() {
        // Without authorize = 'actions', Auth only checks that *some* user is
        // logged in and never consults the ACL tree.
        $this->Auth->authorize = 'actions';
        // ACO path prefix: actions resolve to e.g. 'controllers/Posts/add'.
        $this->Auth->actionPath = 'controllers/';
        $this->Auth->authError = 'Access Denied!';
        $this->Auth->loginRedirect = '/registrations';
        $this->__checkAuth();
    }

    private function __checkAuth() {
        // Auth->user() returns null when nobody is logged in (e.g. on the
        // login page), so guard before indexing into it.
        $currentUser = $this->Auth->user();
        $currentUser = isset($currentUser['User']) ? $currentUser['User'] : null;
        $this->set(compact('currentUser'));
    }
}
?>
If you're authorizing 'actions', try including that code in your app_controller.php file, or create one if you don't already have one. Then start browsing to see if anything has changed.
If you have custom code in each controller's beforeFilter, you'll also need to add a single line of code to each controller.
    function beforeFilter() {
        // Run AppController's Auth/ACL setup first, then add any
        // controller-specific logic below it.
        parent::beforeFilter();
    }
Any beforeFilter (even a blank one) placed in a controller will override the beforeFilter of the AppController unless you specifically call the AppController's beforeFilter using the code above.
You can also find some of the best tutorials on using CakePHP's ACL here: http://aranworld.com/article/161/cakephp-acl-tutorial-what-is-it
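As an added example that is not part of the original answer or of CakePHP itself, here is a CakePHP 1.2/1.3-style controller showing why the parent::beforeFilter() call matters and what the fail-open looks like when it is missing. The controller, model and action names (Posts, index, view, add, delete) are assumptions made for illustration.

```php
<?php
/**
 * Added example (not from the original answer): a controller that keeps
 * AppController::beforeFilter() in the call chain. Names are hypothetical.
 *
 * Why the question's symptom happens: AuthComponent::$authorize defaults to
 * false. With false, Auth only verifies that a user is logged in and never
 * calls the Acl component, so every logged-in user reaches every action.
 * AppController::beforeFilter() is where $authorize becomes 'actions'; a child
 * beforeFilter() that omits parent::beforeFilter() silently discards that.
 */
class PostsController extends AppController {
    var $name = 'Posts';

    function beforeFilter() {
        // Broken variant (the likely cause of "everyone can do everything"):
        //
        //   function beforeFilter() {
        //       $this->Auth->allow('index', 'view');   // parent never runs
        //   }
        //
        // Auth->authorize stays false, so 'controllers/Posts/add' and
        // 'controllers/Posts/delete' are never checked against the ACL, and
        // the console check (which calls Acl directly) still looks correct.

        // Correct: configure the 'actions' authorizer first ...
        parent::beforeFilter();

        // ... then add per-controller exceptions. allow() marks actions that
        // need neither login nor an ACL check; keep the list explicit.
        $this->Auth->allow('index', 'view');
    }

    function index() {
        // Public listing; reachable anonymously because of allow().
        $this->set('posts', $this->Post->find('all'));
    }

    function view($id = null) {
        $this->set('post', $this->Post->read(null, $id));
    }

    function add() {
        // Not in allow(): Auth requires login and then runs
        // Acl->check($user, 'controllers/Posts/add') before this body executes.
        if (!empty($this->data)) {
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash('Saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

    function delete($id = null) {
        // Defence in depth: repeat the ACL check inside the action so a future
        // beforeFilter() override that drops parent::beforeFilter() cannot
        // silently fail open again. Auth->user() returns array('User' => ...),
        // which Acl->check() accepts as the ARO, exactly as Auth itself does.
        $user = $this->Auth->user();
        if (empty($user) || !$this->Acl->check($user, 'controllers/Posts/delete')) {
            $this->Session->setFlash('Access Denied!');
            $this->redirect(array('action' => 'index'));
            return;
        }
        $this->Post->delete($id);
        $this->redirect(array('action' => 'index'));
    }
}
?>
```

The in-action check in delete() is optional belt-and-braces; the real fix is the parent::beforeFilter() call, and a quick way to confirm it is in place is to log in as a low-privilege user and request an action that the console check reports as denied: with the authorizer configured you should see the 'Access Denied!' flash rather than the action running.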