cakephp prevent admin to access front-end - cakephp

I am using CakePHP 1.3. I want to prevent the admin from accessing the front-end actions.
I am using Croogo CMS. Is there any configuration setting or anything else by which the admin can't visit the front end?
for example:
Suppose there is a controller named Shop, and there are two actions, 'buy' and 'detail':
class ShopController extends AppController {
    // ...
    function beforeFilter() {
        // 'detail' is public; every other action requires a login
        $this->Auth->allow(array('detail'));
        parent::beforeFilter();
    }
    function detail() {
        $detail = $this->Shop->find('first');
        // ...
    }
    function buy() {
        $buy = $this->Shop->find('first');
        // ...
    }
}
Now when the admin is logged in from the admin panel and comes to the http://embidomain.com/shop/detail page, he can visit this page, but when he goes to shop/buy he will be asked to log in.
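One way to enforce what this question asks for in CakePHP 1.3, as an added example (not code from the question, from Croogo or from any answer): an AppController::beforeFilter that redirects a logged-in administrator away from every action outside the admin routing prefix. It assumes 'admin' is listed in Routing.prefixes, the Auth session user carries a role_id field, role id 1 is the administrator (hypothetical) and admin/users/index is the admin landing page (placeholder route).

```php
<?php
// Added example for CakePHP 1.3 (not code from the question or from Croogo).
// Keeps a logged-in administrator inside the 'admin' routing prefix by
// redirecting any request for a non-prefixed (front-end) action.
// Assumptions: 'admin' is in Routing.prefixes; the Auth session user has a
// role_id field; role id 1 is the administrator (hypothetical); the admin
// landing page is admin/users/index (placeholder route).
class AppController extends Controller {
    var $components = array('Auth', 'Session');

    // Hypothetical role id; adapt to the application's role table.
    var $adminRoleId = 1;

    // Front-end actions an administrator may still reach, so the admin can
    // sign out without first switching to the admin panel.
    var $adminFrontEndExceptions = array(
        'users' => array('logout'),
    );

    function beforeFilter() {
        // Auth->allow() in a child controller only skips the login check,
        // so this runs for public actions such as shop/detail as well.
        $this->_redirectAdminFromFrontEnd();
    }

    /**
     * Redirect an administrator away from the front-end. Anonymous visitors
     * and non-admin users are untouched; the prefix check prevents a
     * redirect loop once the admin is on an admin-prefixed action.
     */
    function _redirectAdminFromFrontEnd() {
        $roleId = $this->Auth->user('role_id');
        if ($roleId === null || (int)$roleId !== $this->adminRoleId) {
            return;
        }
        if (!empty($this->params['prefix']) && $this->params['prefix'] === 'admin') {
            return;
        }
        $controller = $this->params['controller'];
        $action = $this->params['action'];
        if (isset($this->adminFrontEndExceptions[$controller])
            && in_array($action, $this->adminFrontEndExceptions[$controller])) {
            return;
        }
        $this->Session->setFlash('Administrators cannot use the front-end while logged in.');
        $this->redirect(array('admin' => true, 'controller' => 'users', 'action' => 'index'));
    }
}
```

Child controllers such as ShopController keep working unchanged as long as their beforeFilter calls parent::beforeFilter(), which the question's code already does.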

Related

How to disable authorization middleware in cakePHP4?

By default, the authorization plugin is applied to a global scope. For some controllers I do not want to apply any authorization, so I have to use the skipAuthorization config manually for each action. For the authentication plugin, I can just load the authentication component only in each controller that requires authentication. However, the authorization middleware seems to always run even if I did not load the authorization component in the controller. So, why is that? And is there a way I can disable the authorization process for an entire controller?
You probably mean Authentication and not Authorization. In any case, from the Docs:
// in src/Controller/AppController.php
public function initialize()
{
    parent::initialize();
    $this->loadComponent('Authentication.Authentication');
}
By default the component will require an authenticated user for all actions. You can disable this behavior in specific controllers using allowUnauthenticated():
// in a controller beforeFilter or initialize
// Make view and index not require a logged in user.
$this->Authentication->allowUnauthenticated(['view', 'index']);
More information: The Authentication plugin in the Cake Book.
I think you are not doing it in the right way. For authorization, you have to write a request policy. Whenever you bake a controller, just add --prefix Admin or whatever you want:
cake bake controller Users --prefix Admin
Put all admin controllers in one place.
Add routes in your routes file:
$builder->prefix('Admin', ['_namePrefix' => 'admin:'], function (RouteBuilder $builder) {
    $builder->connect('/', ['controller' => 'Users', 'action' => 'Index']);
    $builder->fallbacks(DashedRoute::class);
});
Request policy. Create a role table and add a column role_id to the Users table; the rest you will understand from the code below.
<?php
namespace App\Policy;

use Authorization\IdentityInterface;
use Authorization\Policy\RequestPolicyInterface;
use Cake\Http\ServerRequest;

class RequestPolicy implements RequestPolicyInterface
{
    /**
     * Method to check if the request can be accessed
     *
     * @param IdentityInterface|null $identity Identity
     * @param ServerRequest $request Server Request
     * @return bool
     */
    public function canAccess($identity, ServerRequest $request)
    {
        $role = 0;
        if (!empty($identity)) {
            $data = $identity->getOriginalData();
            $role = $data['role_id'];
        }
        if (!empty($request->getParam('prefix'))) {
            // Prefixed routes are restricted by role
            switch ($request->getParam('prefix')) {
                case 'User':  return (bool)($role === 3);
                case 'Admin': return (bool)($role === 1) || (bool)($role === 2);
            }
        } else {
            // Unprefixed (front-end) routes are open to everyone
            return true;
        }
        return false;
    }
}
and then implement AuthorizationServiceProviderInterface on the Application class:
use App\Policy\RequestPolicy;
use Authorization\AuthorizationService;
use Authorization\AuthorizationServiceInterface;
use Authorization\AuthorizationServiceProviderInterface;
use Authorization\Policy\MapResolver;
use Cake\Http\BaseApplication;
use Cake\Http\ServerRequest;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthorizationServiceProviderInterface
{
    public function getAuthorizationService(ServerRequestInterface $request): AuthorizationServiceInterface
    {
        // Every ServerRequest is checked against RequestPolicy
        $mapResolver = new MapResolver();
        $mapResolver->map(ServerRequest::class, RequestPolicy::class);
        return new AuthorizationService($mapResolver);
    }
}

Cakephp: AuthComponent Evaluation Order and how to redirect to an action

Good day everyone. Regarding the Auth component, I am doing some tests to understand the tool better. In a proof of concept I want an authenticated admin user to be authorized to access any action, but if the authorized user has the "supervisor" role, to be able to access only the actions index, view and edit in "RequestsController.php". I am trying this approach:
1) Allow everything for the admin role and deny everything for anyone else in AppController.php.
2) Allow "supervisor" explicitly in "RequestsController.php" and deny any other role.
The doubt is that, after some tests, what happens is that if I authorize the admin user just in AppController.php, the redirect only allows me to go to /webroot/, but if I allow the admin role in RequestsController.php, I can see requests without problem.
isAuthorized method in AppController:
public function isAuthorized($user)
{
    // privileges 1 means admin
    if ($user['privileges'] == 1) {
        debug($user);
        return true;
    } else {
        debug($user);
        return false;
    }
}
isAuthorized method in RequestsController:
public function isAuthorized($user)
{
    // privileges 9 means supervisor
    if ($user['privileges'] == 9) {
        debug($user);
        $action = $this->request->getParam('action');
        if (in_array($action, ['index', 'view', 'edit'])) {
            debug($user);
            return true;
        }
        return false;
    } else {
        debug($user);
        return false;
    }
}
As I am not clear on the order in which the isAuthorized function is handled, or why the redirect to the requests happens (whether it is "AppController.php" or "RequestsController.php"), this makes me think that I'll have to explicitly authorize the admin role in all controllers.
When using ControllerAuthorize, AuthComponent will call the isAuthorized() method only on the active controller. So, in your example, when requesting any action from RequestsController, only RequestsController::isAuthorized() will be called, disallowing access to users who have a privilege other than 9.
If you want to allow admin users to access it as well, you should change your RequestsController::isAuthorized() as follows:
public function isAuthorized($user)
{
    // privileges 9 means supervisor
    if ($user['privileges'] == 9) {
        debug($user);
        $action = $this->request->getParam('action');
        if (in_array($action, ['index', 'view', 'edit'])) {
            debug($user);
            return true;
        }
        return false;
    } else {
        debug($user);
        return parent::isAuthorized($user); // changed this line
    }
}
Additional info: CakePHP 3.x AuthComponent - Authorization

CakePHP: login fails following a specific set of steps

I'm trying to set up a simple login system, but I'm having a particular problem that I can't solve. I have the following pages that perform self-explanatory actions. They are bookmarked for easy access.
cake/ (home page; must be logged in)
cake/login (must be logged in)
cake/logout (must be logged in)
cake/add (must be logged in)
All seems to work except when I perform the following sequence of actions:
1. log in
2. go to cake/logout to log out (login works immediately after this step)
3. go to cake/logout again immediately
4. attempt to log in but cake/login is just re-displayed and I'm not logged in
5. attempt to log in again and it is successful
I have noticed that $this->Session->flash('auth') is FALSE after step 3 but it is not false after 4. I tried destroying the session before or after logging out with no effect. Any ideas?
My code bits are below:
class UsersController extends AppController {
    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('add');
    }
    public function add() {
        if (!empty($this->data)) {
            $this->User->create();
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('User created!');
                $this->redirect(array('action' => 'login'));
            } else {
                $this->Session->setFlash('Please correct the errors');
            }
        }
    }
    public function login() {
    }
    public function logout() {
        $this->Session->destroy(); // makes no difference
        $this->redirect($this->Auth->logout()); // redirected to login() by default
    }
}
class AppController extends Controller {
    public $components = array('Auth', 'Session');
}
I think that you are being redirected to the logout screen after your login.
When you go to a page you don't have access to (like the logout screen), you are redirected to login.
Once you enter name and password, you are taken back to your original request.
When that original request happens to be the logout page, logout occurs and you are sent back to the login.

change details before Cakephp Auth compontent reads the database

Does someone here know how to change the username before the Auth component reads the database?
The problem I'm having is that I'm using mobile numbers as a login, but I want to add the country code (if not present) when logging in to my site.
Anyone have an idea on this?
Would be appreciated.
If you are using CakePHP 2.0, you can manipulate the login form data as usual and then call $this->Auth->login(). Example:
// in your controller
public function login() {
    if ($this->request->is('post')) {
        // normalise the posted username before Auth looks it up
        $this->data['User']['username'] = $this->addCountryCode($this->data['User']['username']);
        if ($this->Auth->login()) {
            // login successful
        } else {
            // login not successful
        }
    }
}
You could always extend the Auth component and do whatever you want before asking the database :)
Something like this...
function login($data = null, $public = false) {
    $this->__setDefaults();
    $this->_loggedIn = false;
    if (empty($data)) {
        $data = $this->data;
    }
    // Modify $data here (e.g. add the country code), then let the
    // AuthComponent's identify() method query the database with it.
    $user = $this->identify($data);
    if (!empty($user)) {
        $this->Session->write($this->sessionKey, $user);
        $this->_loggedIn = true;
    }
    return $this->_loggedIn;
}
If you extend the auth component, remember to always use this component instead of the default Auth class. (e.g. in the AppController, the build_acl, the initdb, the beforefilter on the controllers, etc.)
Hope this helps

CakePHP Facebook Plugin redirection problem

I have implemented Nick's Facebook Plugin.
I have imported the Facebook Helper and Connect Component in the app_controller and changed the HTML accordingly.
app_controller.php
<?php
class AppController extends Controller {
    var $components = array('Session', 'Facebook.Connect' => array('createUser' => false), 'Auth');
    function beforeFilter() {
        $this->Auth->allow('*');
        $this->set('fbuser', $this->Connect->user());
    }
    function beforeFacebookSave() {
    }
    function beforeFacebookLogin($user) {
        // Logic to happen before a facebook login
    }
    function afterFacebookLogin() {
        // Logic to happen after successful facebook login.
    }
}
?>
In the home.ctp:
<?php
if ($fbuser) {
    echo $this->Facebook->logout();
    debug($fbuser);
} else {
    echo $this->Facebook->login();
}
?>
Once I click login and allow the permissions, it keeps refreshing indefinitely :(
My app settings online
I am on a Windows machine and access the code with this base http://localhost/spider/
I also set the canvas URL as follows
I think it's because of the configuration in the application settings online. Nick in the video visits localhost.localdomain/websites/facebook_example to access the code. What is the need for the ".localdomain"?
I had the same problem, and I found the answer here:
http://ardentdev.com/no-facebook-connect-cookies-for-localhost-development/
While doing some Facebook Connect development, I found that the expected cookies were not being set when developing on localhost. To fix the problem, I added localhost.local to my hosts file (pointing at 127.0.0.1) and changed the settings for my Facebook application to use localhost.local as the base domain.