The AuthorizationComponent
exposes a few conventions based helper methods for
checking permissions from your controllers. It abstracts getting the user and
calling the can
or applyScope
methods. Using the AuthorizationComponent
requires use of the Middleware, so make sure it is applied as well. To use the
component, first load it:
// In your AppController
public function initialize()
{
parent::initialize();
$this->loadComponent('Authorization.Authorization');
}
AuthorizationComponent
can be configured to automatically apply
authorization based on the controller’s default model class and current action
name. In the following example index
and add
actions will be authorized:
$this->Authorization->authorizeModel('index', 'add');
You can also configure actions to skip authorization. This will make actions public,
accessible to all users. By default all actions require authorization and
AuthorizationRequiredException
will be thrown if authorization checking is enabled.
Authorization can be skipped for individual actions:
$this->loadComponent('Authorization.Authorization', [
'skipAuthorization' => [
'login',
]
]);
In your controller actions or callback methods you can check authorization using the component:
// In the Articles Controller.
public function edit($id)
{
$article = $this->Articles->get($id);
$this->Authorization->authorize($article);
// Rest of the edit method.
}
Above we see an article being authorized for the current user. Since we haven’t
specified the action to check the request’s action
is used. You can specify
a policy action with the second parameter:
// Use a policy method that doesn't match the current controller action.
$this->Authorization->authorize($article, 'update');
The authorize()
method will raise an Authorization\Exception\ForbiddenException
when permission is denied. If you want to check authorization and get a boolean
result you can use the can()
method:
if ($this->Authorization->can($article, 'update')) {
// Do something to the article.
}
Some resources in your application may be accessible to users who are not logged
in. Whether or not a resource can be accessed by an un-authenticated
user is in the domain of policies. Through the component you can check
authorization for anonymous users. Both the can()
and authorize()
support
anonymous users. Your policies can expect to get null
for the ‘user’ parameter
when the user is not logged in.
You can also apply policy scopes using the component:
$query = $this->Authorization->applyScope($this->Articles->find());
If you want to map actions to different authorization methods use the
actionMap
option:
// In you controller initialize() method:
$this->Authorization->mapActions([
'index' => 'list',
'delete' => 'remove',
'add' => 'insert',
]);
// or map actions individually.
$this->Authorization
->mapAction('index','list')
->mapAction('delete', 'remove')
->mapAction('add', 'insert');
Example:
//ArticlesController.php
public function index()
{
$query = $this->Articles->find();
//this will apply `list` scope while being called in `index` controller action.
$this->Authorization->applyScope($query);
...
}
public function delete($id)
{
$article = $this->Articles->get($id);
//this will authorize against `remove` entity action while being called in `delete` controller action.
$this->Authorization->authorize($article);
...
}
public function add()
{
//this will authorize against `insert` model action while being called in `add` controller action.
$this->Authorization->authorizeModel();
...
}
Authorization can also be skipped inside an action:
//ArticlesController.php
public function view($id)
{
$this->Authorization->skipAuthorization();
...
}