Progenitura

Reputation: 43

cakephp acl aros_acos paradox

I'm trying to implement an authentication/authorization combo into my CakePHP site using Auth and Acl Components, but something odd is happening with my implementation. I've got the right acos, aros and aros_acos tables, and they seem to work at some level.

I have mapped my actions like this:

$this->Auth->mapActions(array('read' => array('view'), 'update' => array('edit')));

My acos table looks like this:

and aros table:

Users, editors and admins are groups. Admin_name is an admin user, member of the admins group, and regular_user is a member of the users group.

Now, in the aros_acos table, if I give 'users' group the CRUD rights for a 'page' like this: 0 1 1 0 (which gives them the right to read and update) then everything works fine (at least for the 'view' and 'edit' actions). But if I put 0 1 0 0 (only the right to read) then I get redirected to '/', and one particular thing that I have noticed is that it doesn't call the app_controller or at least the beforeFilter() function in the app_controller.

Moreover, I've written the beforeFilter() so that when a user does not have access to a crud, to give him a $this->flash message, letting him know that he is "not authorized" (I had to do this, as $this->Auth->authError doesn't seem to work). So, with that in mind, I now rewrite the aros_acos table for the users group like this: 0 0 1 0 (permission only to update) and this time I get the flash message when I access the 'view' action (which is correct since I don't have the permission to access it), but I also get the flash message when I try to access the 'edit' action.

I'm missing something, and I don't know what. I've written this question, hoping that before finishing it, I would come up with the solution myself... but no luck. I still don't know what is happening, I guess it is some controller thing... Have you got any ideas?

Upvotes: 0

Views: 2613

Answers (1)

Dooltaz

Reputation: 2463

Thought 1 -> Somewhere in the view page, do you have a requestAction to another page by chance? It might come from a view page or an element on a view page.

Thought 2 -> Build out your complete mapActions. This might not be an issue, but it's good to start here.

$this->Auth->mapActions(array(
    'read'   => array('index', 'view', 'admin_index'),
    'create' => array('add', 'admin_add'),
    'update' => array('edit', 'admin_edit'),
    'delete' => array('delete', 'admin_delete')
));

Don't be afraid to trace the code all the way to the Auth Component if necessary. Just pr() until you find where it's redirecting. Figure out specifically what is causing the problem.

Be sure your session is correct and doesn't get changed in the process.

Thought 3 -> Do you "rebuild" the acl tables properly? It may be a data issue. I would suggest that you use the createAco(), createAro(), and $this->Acl->allow() functions to be sure the data is correct and all the keys are correct. (never hurts to check)

This is one of those issues where you have to go step by step and trace through the app. I'm using the current stable CakePHP and haven't found any issues.

Upvotes: 1
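
As a baseline for the step-by-step tracing suggested in the answer, the following added example (not code from either poster and not CakePHP's own code) models how a CRUD-style check is expected to resolve the three aros_acos rows from the question, including an action that is missing from the action map. It assumes CakePHP's documented flag meaning (1 allow, -1 deny, 0 inherit), a single 'page' ACO, and a hypothetical helper named checkAccess(); the table contents are constructed from the question's description.

```php
<?php
// Simplified model of a CRUD-style ACL lookup; not CakePHP source code.
// Flag values: 1 = allow, -1 = deny, 0 = inherit from the parent ARO.

// Action => CRUD right, the inverse view of the question's mapActions() call.
$actionMap = array('view' => 'read', 'edit' => 'update');

// ARO tree (child => parent), constructed from the question's description.
$aroParent = array('regular_user' => 'users', 'users' => null);

// Hypothetical helper: returns 'allow', 'deny' or 'unmapped'.
function checkAccess($aro, $aco, $action, $actionMap, $aroParent, $arosAcos)
{
    if (!isset($actionMap[$action])) {
        return 'unmapped'; // no CRUD right is known for this action
    }
    $column = '_' . $actionMap[$action];
    // Walk from the user up through its groups; the first non-zero flag decides.
    for ($node = $aro; $node !== null; $node = $aroParent[$node]) {
        if (!isset($arosAcos[$node][$aco])) {
            continue;
        }
        $flag = (int) $arosAcos[$node][$aco][$column];
        if ($flag !== 0) {
            return $flag === 1 ? 'allow' : 'deny';
        }
    }
    return 'deny'; // nothing granted anywhere on the path
}

// The three rows tried in the question, as _create _read _update _delete.
$rows = array('0 1 1 0', '0 1 0 0', '0 0 1 0');
$columns = array('_create', '_read', '_update', '_delete');

foreach ($rows as $row) {
    // Constructed aros_acos content: one row for the 'users' group on 'page'.
    $arosAcos = array('users' => array('page' => array_combine($columns, explode(' ', $row))));
    foreach (array('view', 'edit', 'index') as $action) {
        $result = checkAccess('regular_user', 'page', $action, $actionMap, $aroParent, $arosAcos);
        printf("row [%s] %-5s => %s\n", $row, $action, $result);
    }
}
```

Comparing these expected results with what the real application does for each row narrows the search to the action map, the stored ACL rows, or something outside the ACL check such as a redirect or a nested request.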
