CakePHP Authentication, Authorization and ACL

What’s the difference between Authentication and Authorization?

These two terms are quite often misunderstood. Let’s put it this way, suppose you work in a 100-story office building, each floor has different offices of other companies. You are working on the 49th Floor, cubicle number 20. Authentication is when the security personnel at the building’s front door allows you to come in. Authorization on the other hand, is when you have permission to get to your cubicle, log in to your computer and perform the tasks that you are permitted to do.

So being Authenticated does not automatically mean Authorized, but being Authorized would have to mean you are Authenticated.

Using Basic CakePHP Authentication

The first step is to include the Auth component in your controller. If you are going to use Auth for the whole site, you would want to put this in your /app/app_controller.php.

class AppController extends Controller {
 var $components = array('Auth');

 function beforeFilter() {
 //Configure Auth settings
 $this->Auth->loginError = "No, you fool! That's not the right password!";
 $this->Auth->authError = "Please sign in.";

 //$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
 //$this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'login');
 //$this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');

 if($this->Auth->user()) {
 //Our user is logged in.
 //User data is stored in $this->Session->read('Auth');
 }
}

Then in your controllers, for example users_controller.php.

function beforeFilter() {
 parent::beforeFilter(); //This line inherits beforeFilter() from app_controller.php
 $this->Auth->deny('*'); //Disallow access to all actions
 $this->Auth->allow('register','logout'); //Allow access to register() and logout()
}

Using CakePHP Authorization

Add the following code to /app/app_controller.php beforeFilter(). Auth->authorize accepts four types, “controller”, “model”, “actions”, “crud”. See the CakePHP manual on Authorization for details.

 //Auth method. If set to controller,
 $this->Auth->authorize = 'controller';

If Auth->authorize is set to “controller”, you’ll need to add a method called isAuthorized() to your controller. This method allows you to do some more authentication checks and then return either true or false. In this case, we put isAuthorized() into our users_controller.php

function isAuthorized() {
 if( $this->action=='index' || $this->action=='view' || $this->action=='add' || $this->action=='edit' || $this->action=='delete') {
 if($this->Auth->user('group_id')==4)
 return true;
 }
 //Redirect to error notification page
 $this->Session->setFlash('Sorry, you don\'t have permission to access that page.');
 $this->redirect('/');
 return false;
}

Using CakePHP ACL (Access Control Lists)

This topic is a wee bit more complicated. I did not proceed using ACL because CakePHP’s Authorization was enough for my needs. ACL is a lot more flexible in granting and denying permissions. Granting and denying access to our users using ACL is quite complicated, fortunately somebody created a CakePHP ACL Management Plugin. It might still take a little while for CakePHP’s ACL to get easier to implement.