ansaurus

Question

Deny certain controller action permission in CakePHP

Answer 1

A:

Try to do it this way:

function beforeFilter() {
    $this->Auth->authorize = 'controller';
    $this->Auth->allow('register');
}

function isAuthorized() {
    if ($this->Auth->user()) {
        $this->Auth->deny('register');
    }
}

UPDATE: Probably, the cleaner solution would be

function beforeFilter() {
    $this->Auth->authorize = 'controller';
    if(is_null($this->Auth->user())) {
        $this->Auth->allow('register');
    }
}

bancer 2010-10-23 22:37:06

Tried that also. No change, unfortunately.

linkyndy 2010-10-24 11:11:50

Check out this question http://stackoverflow.com/questions/768785/cakephp-isauthorized-not-being-called

bancer 2010-10-24 11:18:52

Looked over that one, and it was of no help. I already have the parent::beforeFilter() and the isAuthorized() method is called. Any other ideas, as I'm starting to lose my temper over this problem...

linkyndy 2010-10-24 13:38:31

Put the code above into app_controller.php and comment beforeFilter() method in UsersController.

bancer 2010-10-24 17:14:46

Done this and only half of the problem has been resolved. That is, only the register page is available when not logged (good) and still the register page is available when logged (bad).

linkyndy 2010-10-24 18:43:11

More info: If I add an output message in the method above, so as the code looks like this: $this->Auth->allow('register'); if($this->Auth->user()){ $this->Auth->deny("register"); $this->Session->setFlash("authed user"); } then the "authed user" is shown, but the deny() method has no effect.

linkyndy 2010-10-24 18:55:31

Try to replace `$this->Auth->deny("register");` by `$this->Auth->allowedActions = array();`

bancer 2010-10-24 23:26:15

Or you can even do `function beforeFilter() {$this->Auth->authorize = 'controller'; if(!$this->Auth->user()) {$this->Auth->allow('register');}}`

bancer 2010-10-24 23:30:09

Or `function beforeFilter() {$this->Auth->authorize = 'controller'; if(is_null($this->Auth->user())) {$this->Auth->allow('register');}}`

bancer 2010-10-24 23:39:09

The thing is that that method calls both when the user is authenticated or not (the beforeFilter() of the UsersController). What you've said works for when the user is not authed. But when the user is authed, you don't have any deny on the register action.

linkyndy 2010-10-25 17:56:11

Have you tested the code I wrote?

bancer 2010-10-25 20:49:30

The last ones you wrote don't work. And that is somehow logic, because the isAuthorized() method is being called when accessing an action AFTER the authentication check has been made. So then, it's obvious that $this->Auth->user()) in the isAuthorized() method always returns true. Other than this, I answered in the reply above, that if I am already logged in, by default I have access to all cotroller actions; so, your code above works only for when the user is not logged. This being said, am I missing something from what you've said?

linkyndy 2010-10-26 09:20:24

If so, please submit another reply to my question in which you show me exactly what you meant to say. Thanks for your help so far :)

linkyndy 2010-10-26 09:20:44

Answer 2

+1 A:

function register()
{
    if ($this->Auth->user())
    {
        $this->redirect('someOtherPage');
        // or exit;
    }
    //other stuff
}

Leo 2010-10-24 17:17:31

Thanks for your answer. It works, but I was looking after a more elegant solution. I don't want to mess with all controller actions when I want to allow/deny permission. I'd prefer having defined everything in a beforeFilter() method, using the allow() and deny() methods Auth provides.

linkyndy 2010-10-24 18:45:18

My understanding was that this was for just one action/page. If you require more control over more pages, you should look into ACL. It really isn't that difficult once you get your head round it.

Leo 2010-10-24 19:17:11

I find sometimes it is better to go with what works and get on with something else than to pursue a more elegant solution. However, I do recall having problems with the deny() function i.e. it didn't work.

Leo 2010-10-24 19:25:23

The more I look at it, the more I disagree that doing it in a before filter is an elegant solution - every action on that controller will be tested against that conditional when you only want to filter one action. I argue that my solution is the elegant one especially as it works ;)

Leo 2010-10-24 19:32:21

+1 I, too, think *this* is the most elegant solution. You just need to switch your thinking from "I want to **deny** the user access to the register action if he's already registered" to "In case the user is already registered, we'll just throw him back to the homepage." It makes more sense for the user too. *Denying* an action means the user will be redirected to the login page, which doesn't make any sense at all, since the user is already logged in.

deceze 2010-10-24 23:50:08

I don't want to use ACL because I get complicated too much. I need only a few restrictions of access. With elegant, I was referring to do all the permission work in the beforeFilter(); That is, maybe after a while, I would like to add some actions to the allow/deny array (e.g.: beside register, say I would like to add login; this means $this->Auth->allow("register", "login"); if($this->Auth->user()) $this->Auth->deny("register", "login");This would be more 'elegant', as I would do all the "job" in only one method. Hope you understood now my point.

linkyndy 2010-10-25 17:39:27

Anyway, what's the point of the allow/deny methods not working? What's the catch? As I said, the user authentication check passes, and if I add some echo string right before/after $this->Auth->deny("register"); it really works. So then why is Cake "ignoring" that line? (to mention, I tried both variants, the one displayed above and the one with the isAuthorized() method when ->authorize is set to "controller").

linkyndy 2010-10-25 17:45:03

ansaurus

tags:

views:

answers:

Deny certain controller action permission in CakePHP

related questions