CakePHP Authentication, Authorization and ACL

August 19th, 2009

What’s the difference between Authentication and Authorization?

These two terms are quite often misunderstood. Let’s put it this way: suppose you work in a 100-story office building where each floor holds the offices of different companies, and you work on the 49th floor, cubicle number 20. Authentication is when the security personnel at the building’s front door allow you to come in. Authorization, on the other hand, is when you have permission to get to your cubicle, log in to your computer and perform the tasks you are permitted to do.

So being Authenticated does not automatically mean Authorized, but being Authorized would have to mean you are Authenticated.

Using Basic CakePHP Authentication

The first step is to include the Auth component in your controller. If you are going to use Auth for the whole site, you would want to put this in your /app/app_controller.php.

class AppController extends Controller {
    var $components = array('Auth');

    function beforeFilter() {
        //Configure Auth settings
        $this->Auth->loginError = "No, you fool! That's not the right password!";
        $this->Auth->authError = "Please sign in.";

        //$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        //$this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'login');
        //$this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');

        if ($this->Auth->user()) {
            //Our user is logged in.
            //User data is stored in $this->Session->read('Auth');
        }
    }
}

Then in your controllers, for example users_controller.php.

function beforeFilter() {
    parent::beforeFilter(); //This line inherits beforeFilter() from app_controller.php
    $this->Auth->deny('*'); //Disallow access to all actions
    $this->Auth->allow('register', 'logout'); //Allow access to register() and logout()
}
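To show how the two beforeFilter() snippets above fit together, here is a complete users_controller.php for CakePHP 1.2. This is an added example, not code from the original post; it assumes a users table with username, password and group_id columns, the default Auth field names, and the AppController shown above. The login() action itself stays almost empty because the Auth component checks the posted credentials in its own startup() callback.

```php
<?php
// Added example for CakePHP 1.2 (not from the original post).
// Assumes: a `users` table with username/password/group_id, default Auth
// field names, and the AppController::beforeFilter() shown above.
class UsersController extends AppController {
    var $name = 'Users';

    function beforeFilter() {
        parent::beforeFilter();                   // picks up the Auth settings from app_controller.php
        $this->Auth->deny('*');                   // deny everything by default ...
        $this->Auth->allow('register', 'logout'); // ... then whitelist the few public actions.
        // login() is the Auth loginAction and is always allowed by the component.
    }

    // Auth does the credential check itself: when a POST arrives carrying
    // User.username and User.password, the component hashes the password,
    // looks the user up and stores the record in the session. This action only
    // has to handle the "already logged in" case and otherwise render the form.
    function login() {
        if ($this->Auth->user()) {
            // Send the user to the page they originally asked for, or to loginRedirect.
            $this->redirect($this->Auth->redirect());
        }
        // Falls through to views/users/login.ctp, which holds the login form.
    }

    function logout() {
        // Auth->logout() clears the Auth session data and returns logoutRedirect.
        $this->Session->setFlash('You have been signed out.');
        $this->redirect($this->Auth->logout());
    }

    function register() {
        if (!empty($this->data)) {
            // Auth's hashPasswords() runs on any request that carries both the
            // username and password fields, so User.password is already the
            // same hash login() compares against; the plain text is never stored.
            $this->User->create();
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Account created. Please sign in.');
                $this->redirect(array('action' => 'login'));
            }
            // Validation failed: blank the hashed value so it is not echoed
            // back into the password field of the re-rendered form.
            $this->data['User']['password'] = '';
            $this->Session->setFlash('Please correct the errors below.');
        }
    }
}
?>
```

Because Auth hashes the password before register() sees it, an empty password is hashed too, so a notEmpty rule on User.password never fires; validate the user's plain-text input on a separate confirmation field if you need that check.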

Using CakePHP Authorization

Add the following code to /app/app_controller.php beforeFilter(). Auth->authorize accepts four types, “controller”, “model”, “actions”, “crud”. See the CakePHP manual on Authorization for details.

    //Authorization method. With 'controller', Auth calls isAuthorized() on the
    //current controller after the user has been authenticated.
    $this->Auth->authorize = 'controller';

If Auth->authorize is set to “controller”, you’ll need to add a method called isAuthorized() to your controller. This method allows you to do some more authorization checks and then return either true or false. In this case, we put isAuthorized() into our users_controller.php

function isAuthorized() {
    if (in_array($this->action, array('index', 'view', 'add', 'edit', 'delete'))) {
        if ($this->Auth->user('group_id') == 4) { //group 4 may use all five actions
            return true;
        }
    }
    //Redirect to error notification page
    $this->Session->setFlash('Sorry, you don\'t have permission to access that page.');
    $this->redirect('/');
    return false;
}
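The isAuthorized() above grants one group every action. As an added example (not from the original post), the version below generalises it into a per-action allow-list with deny-by-default, plus an object-level check so that ordinary members can only edit their own record. The group ids (4 for administrators, carried over from the snippet; 2 for members) are assumptions for this example.

```php
<?php
// Added example for CakePHP 1.2 (not from the original post).
// Assumed group ids: 4 = administrator (as in the post's snippet), 2 = member.
class UsersController extends AppController {
    var $groupAdmin  = 4;
    var $groupMember = 2;

    function isAuthorized() {
        $userId  = $this->Auth->user('id');
        $groupId = $this->Auth->user('group_id');

        // Explicit allow-list: any action not named here is denied, so a new
        // action added later is closed until someone decides who may call it.
        $allowed = array(
            'index'  => array($this->groupAdmin, $this->groupMember),
            'view'   => array($this->groupAdmin, $this->groupMember),
            'add'    => array($this->groupAdmin),
            'edit'   => array($this->groupAdmin, $this->groupMember),
            'delete' => array($this->groupAdmin),
        );

        if (!isset($allowed[$this->action])) {
            return false;
        }
        if (!in_array($groupId, $allowed[$this->action])) {
            return false;
        }

        // Object-level check: a member may only edit their own record.
        // $this->params['pass'][0] is the id from a URL like /users/edit/<id>.
        if ($this->action == 'edit' && $groupId != $this->groupAdmin) {
            $id = isset($this->params['pass'][0]) ? (string)$this->params['pass'][0] : '';
            if ($id === '' || !ctype_digit($id) || $id !== (string)$userId) {
                return false;
            }
        }
        return true;
    }
}
?>
```

Returning false instead of redirecting inside isAuthorized() lets the Auth component apply the authError message and redirect uniformly for every controller, which keeps the authorization decision and the error handling in separate places.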

Using CakePHP ACL (Access Control Lists)

This topic is a wee bit more complicated. I did not proceed using ACL because CakePHP’s Authorization was enough for my needs. ACL is a lot more flexible in granting and denying permissions. Granting and denying access to our users using ACL is quite complicated, fortunately somebody created a CakePHP ACL Management Plugin. It might still take a little while for CakePHP’s ACL to get easier to implement.

CakePHP cookies not being written when localhost is used as domain

April 22nd, 2009

I just burned 4 hours of my time trying to figure out why CakePHP wouldn’t write cookies.

Apparently there is a known problem with using $this->Cookie->domain = 'localhost'; thanks to Flxr from the IRC for pointing that out.

After making a virtual domain for the site, it worked wonderfully!

Pulling in Wordpress Content in your CakePHP Website

November 21st, 2008

Integrating your Wordpress posts into your CakePHP website is easy.

WebDevKungFu has an excellent post; just follow the step-by-step instructions.