Install the plugin with composer from your CakePHP Project’s ROOT directory (where the composer.json file is located)
php composer.phar require "cakephp/authorization:^3.0"
Version 3 of the Authorization Plugin is compatible with CakePHP 5.
Load the plugin by adding the following statement in your project’s
src/Application.php
:
$this->addPlugin('Authorization');
The Authorization plugin integrates into your application as a middleware layer and optionally a component to make checking authorization easier. First, lets apply the middleware. In src/Application.php add the following to the class imports:
use Authorization\AuthorizationService;
use Authorization\AuthorizationServiceInterface;
use Authorization\AuthorizationServiceProviderInterface;
use Authorization\Middleware\AuthorizationMiddleware;
use Authorization\Policy\OrmResolver;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
Add the AuthorizationServiceProviderInterface
to the implemented interfaces
on your application:
class Application extends BaseApplication implements AuthorizationServiceProviderInterface
Then make your application’s middleware()
method look like:
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
// Middleware provided by CakePHP
$middlewareQueue->add(new ErrorHandlerMiddleware(Configure::read('Error')))
->add(new AssetMiddleware())
->add(new RoutingMiddleware($this))
->add(new BodyParserMiddleware())
// If you are using Authentication it should be *before* Authorization.
->add(new AuthenticationMiddleware($this))
// Add the AuthorizationMiddleware *after* routing, body parser
// and authentication middleware.
->add(new AuthorizationMiddleware($this));
return $middlewareQueue();
}
The placement of the AuthorizationMiddleware
is important and must be added
after your authentication middleware. This ensures that the request has an
identity
which can be used for authorization checks.
The AuthorizationMiddleware
will call a hook method on your application when
it starts handling the request. This hook method allows your application to
define the AuthorizationService
it wants to use. Add the following method your
src/Application.php:
public function getAuthorizationService(ServerRequestInterface $request): AuthorizationServiceInterface
{
$resolver = new OrmResolver();
return new AuthorizationService($resolver);
}
This configures basic Policy Resolvers that will match ORM entities with their policy classes.
Next, lets add the AuthorizationComponent
to AppController
. In
src/Controller/AppController.php add the following to the initialize()
method:
$this->loadComponent('Authorization.Authorization');
By loading the AuthorizationComponent we’ll be able to check authorization on a per-action basis more easily. For example, we can do:
public function edit($id = null)
{
$article = $this->Article->get($id);
$this->Authorization->authorize($article, 'update');
// Rest of action
}
By calling authorize
we can use our Policies to enforce our
application’s access control rules. You can check permissions anywhere by using
the identity stored in the request.