I have two types of users and right now i dont want to use ACL. With Auth Component i want to achieve the following
login() -> allows users to login and access the general part of the site
admin_login -> allows the admin to access the admin_{actions} part of the website.
When i do a Admin Login -> i want to check if group_id = 1 in the Users Module and only allow them to login to the admin section of the website.
function admin_login(){
$this->layout = 'admin_login';
if($this->request->is('post')) {
if($this->Auth->login()) {
$this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash(__('Invalid username and password, try again'));
}
}
}
How to check if the group_id = 1 when the user logs in ?
I would do something like this:
function admin_login(){
$this->layout = 'admin_login';
if($this->request->is('post')) {
if($this->Auth->login()) {
// If here because user is logged in
// Check to see if group_id is 1
if($this->Auth->user('group_id') == 1){
//$this->redirect($this->Auth->redirect());
$this->redirect('/admin/dashboards'); //Example
}else{
// In case a user tries to login thru admin_login
// You should log them in anyway and send them to where they belond
$this->redirect('/users/account');
}
} else {
$this->Session->setFlash(__('Invalid username and password, try again'));
}
}
}
Related
good day everyone, regarding auth component I am doing some tests to understand better the tool, in a probe of concept i want that an authenticated admin user be authorized to access any action, but if the authorized user has the "supervisor" role only be able to the actions index, view and edit in the "RequestsController.php", I am trying this approach:
1) allow everything for admin role and deny everything for anyone else in AppController.php.
2) Allow explicitly "supervisor" in "RequestsController.php" and deny any other role.
The doubt is that after some tests what happens is that if I authorize the admin user just in AppController.php the redirects only allows me to go to /webroot/, but If I allow the admin role in RequestsController.php. I can see requests without problem
IsAuthorize method in AppController
public function isAuthorized($user)
{
//privileges 1 means admin
if ($user['privileges']==1){
debug($user);
return true;
} else {
debug($user);
return false;
}
}
IsAuthorize method in Requests Controller
public function isAuthorized($user)
{
//privileges 9 means supervisor
if ($user['privileges']==9){
debug($user);
$action = $this->request->getParam('action');
if (in_array($action, ['index', 'view', 'edit'])) {
debug($user);
return true;
}
return false;
} else {
debug($user);
return false;
}
}
As I am not clear in the order that the isAuthorized function is handled, or why the redirect to the Request (even if it is "AppController.php" or "RequestsController.php") So this makes me think that I'll have to explicity authorize the admin role in all controllers
When using ControllerAuthorize, AuthComponent will call isAuthorized() method only on active controller. So, in your example, when requesting any action from RequestsController, only RequestsController::isAuthorized() will be called, disallowing access to users which has priviledge other than 9.
If you want to allow admin users to access as well, you should change your RequestsController::isAuthorized() as follows:
public function isAuthorized($user)
{
//privileges 9 means supervisor
if ($user['privileges']==9){
debug($user);
$action = $this->request->getParam('action');
if (in_array($action, ['index', 'view', 'edit'])) {
debug($user);
return true;
}
return false;
} else {
debug($user);
return parent::isAuthorized($user); //changed this line
}
}
Additional info: CakePHP 3.x AuthComponent - Authorization
I want to restrict users with role="ordinary" accessing other Controller views
example... I have add views under JobsController so
if current login user has a user role="ordinary" basically he or she cant proceed to that and it will prompt, you are restricted accessing that page.
and if current user login has a user role="admin" he or she can proceed
I have this code below under AppController.php
public function isAuthorized($user)
{
if (isset($user['role']) && $user['role'] === 'admin') {
return true;
}
if (isset($user['role']) && $user['role'] === 'ordinary') {
$allowedActions = ['index', 'logout', 'add'];
if(in_array($this->request->action, $allowedActions)) {
return true;
}
}
return false;
}
You can just put like this
<?php
if($this->request->session()->read('Auth.User.role') == 'admin'){
/// display the views
/// if current login user has admin role
}
else{
echo"You are not allowed to access this area";
}
?>
role must be present in users table field.
Hope it help your problem
This is my problem: I have a admin area and I protect it by a login with name and password .
When I type the url I mean something like that localhost/admin/area it redirect to localhost/user/admin
The problem is if I type a wrong address like localhost/admin/545It toke me to the admin area and an error in ControllerThis is my code:
AppController:
function beforeFilter()
{
$this->Auth->loginAction = array('controller'=>'users','action'=>'login','admin'=>false);
$this->Auth->authorize = array('Controller');
if(!isset($this->request->params['prefix']))
{
$this->Auth->allow();
}
if(isset($this->request->params['prefix']) && $this->request->params['prefix'] == 'admin')
{
$this->layout = 'admin';
}
}
function isAuthorized($user)
{
if(!isset($this->request->params['prefix']))
{
return true;
}
}
menu:
<?php
$pages = $this->requestAction(array('controller'=>'pages','action'=>'menu','admin'=>false)); ?>
<img class="title" src="/img/title.png" alt="studio">
<ul class="menu">
<?php foreach($pages as $k => $v): $v = current($v);?>
and the rest of code is:
function for login:
function login()
{
if ($this->request->is('post'))
{
if ($this->Auth->login())
{
return $this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash("Votre login ou votre mot de passe ne correspond pas");
}
}
}
I think you may be getting confused on the URLs in CakePHP. Here I will cover how they work. I will assume that you have admin routing turned on.
localhost/admin/area
This url is saying take me to the admin_index method in the area controller.
localhost/admin/545
This url is saying take me to the admin_index method in the 545 controller.
If the controller does not exist, you are going to get an area. If you are trying to get to a specific user_id, you may be looking for:
localhost/admin/user/view/545
This will attempt to route the user to the admin_view method in the user controller and pass the 545 user_id. If the user does not have permission to view this, they will be redirected to the login.
I'm having trouble hashing out how to test whether a user is active using the new Auth component. I have 3 states a user can be in: 0 unactivated (default), 1 activated, 2 deactivated. I'm trying to implement this in the login function so I can return whether they haven't registered or have been banned.
Login:
public function login() {
if ($this->request->is('post')) {
if($this->Auth->login()) {
$results = $this->User->find('all', array(
'conditions' => array('User.email' => $this->Auth->user('email')),
'fields' => array('User.is_active')
));
if ($results['User']['is_active'] == 0) {
// User has not confirmed account
$this->Session->setFlash('Your account has not been activated. Please check your email.');
$this->Auth->logout();
$this->redirect(array('action'=>'login'));
}
// not working atm
else if ($results['User']['is_active'] == 2) {
// User has been deactivated
$this->Session->setFlash('Your account has been deactivated. Contact site admin if you believe this is in error.');
$this->Auth->logout();
$this->redirect(array('action'=>'login'));
}
else if ($results['User']['is_active'] == 1) {
// User is active
$this->redirect($this->Auth->redirect());
}
} else {
$this->Session->setFlash(__('Your email/password combination was incorrect'));
}
}
}
Can't see where I've gone wrong. Users with admin privileges and activated users are still getting the unactivated account error.
Update
Decided to drop the User.is_active field and handle it all in roles. I'm handling it in the AppController and it is almost working now. In the isAuthorized function, it now throws errors if the user is banned or unactivated, but I need it to log them out as well.
public function isAuthorized($user) {
// This isAuthorized determines what logged in users are able to see on ALL controllers. Use controller
// by controller isAuthorized to limit what they can view on each one. Basically, you do not want to allow
// actions on all controllers for users. Only admins can access every controller.
if (isset($user['role']) && $user['role'] === 'admin') {
return true; //Admin can access every action
}
elseif (isset($user['role']) && $user['role'] === 'unactivated') { // Account has not been activated
$this->Session->setFlash("You haven't activated your account yet. Please check your email.");
return false;
}
elseif (isset($user['role']) && $user['role'] === 'banned') { // Your account has been banned
$this->Session->setFlash("You're account has been banned. If you feel this was an error, please contact the site administrator.");
return false;
}
return false; // The rest don't
}
If they log in, the User model info can be accessed with $this->Auth->user(). So you should be able to do something like this:
if ($this->Auth->login()) {
if ($this->Auth->user('is_active') == 0) {
// User has not confirmed account
} else if ($this->Auth->user('is_active') == 1) {
// User is active
// and so on
You can use debug($this->Auth->user()); after the login() to see why the users keep showing as unactivated.
Now, in year 2021, for CakePHP 4.x this is the correct approach:
if ( $result->isValid() ) {
if ( $this->getRequest()->getAttribute('identity')->is_active ) {
// The user is active and can log in
} else {
// The user is not active - reject the log in
}
}
i am looking for a way how i (logged in as Administrator) can log me in as a specific user (that i select from a list of users, list is already present) onclick without knowing it's password?
All users have different passwords, so equal passwords are not an option.
OK, Question closed. Here is the solution:
P.S. group with id 2 is my Admin Group.
function loginasuser($user_id = null) {
if (!$user_id) {
$this->Session->setFlash(__('Invalid User.', true));
$this->redirect(array('action'=>'index'));
}
$data = $this->Auth->user();
if($data['User']['group_id'] == 2 || $_SESSION['Auth']['Admin']['id']==$user_id) {
$user_data = $this->User->find('first', array('conditions' => array('User.id' => $user_id)));
if ($user_data['User']['group_id']==2 && $user_data['User']['id']<>$_SESSION['Auth']['Admin']['id']) {
$this->Session->setFlash(__('You can only log in as user', true));
$this->redirect($this->Auth->redirect('/users'));
}
$_SESSION['Auth']['User']['id']=$user_data['User']['id'];
$_SESSION['Auth']['User']['username']=$user_data['User']['username'];
$_SESSION['Auth']['User']['group_id']=$user_data['User']['group_id'];
$_SESSION['Auth']['User']['client_id']=$user_data['User']['client_id'];
$_SESSION['Auth']['User']['created']=$user_data['User']['created'];
$_SESSION['Auth']['User']['modified']=$user_data['User']['modified'];
$_SESSION['Auth']['Admin']['id']=$data['User']['id'];
if($_SESSION['Auth']['User']['group_id']==2) {
$this->redirect($this->Auth->redirect('/ADMINHOME'));
}
else {
$this->redirect($this->Auth->redirect('/USERSHOME'));
}
}
else {
$this->Session->setFlash(__('Only admins are alowed to do so!', true));
$this->redirect(array('action'=>'index'));
}
}
And to go back as admin, you could do:
<? if($_SESSION['Auth']['Admin']['id']>0) { ?>
Go Back as Admin<? }
You can use "username" (email Id) to create session.
On Onclick , trigger an Ajax call, pass the username and set the session using that username.
(Just trigger this call when admin change the selection box, onChange(this.value))
Then just redirect user to end user home page. Put a link to come back to admin dashboard. This helps admin can login as other user.
(Use different session namespace for admin and end user)
$_SESSION['user'] for end user and $_SESSIION['admin'] for admin user.