I have the following situation: multiple views use a content editor that can upload files and retrieve a list of previous uploads via AJAX. I end up adding two actions to every controller for this. Instead, I want to have just one common single-purpose EditorController that handles the editor interactions for me.
The problem with this is access rights: I want the EditorController to check whether a request is coming from a valid source (that means a known action the current user has access to). In concrete terms, check that the request is coming from something like '/posts/edit/1' and that this is an action I am allowed to use.
Can this be done? What is a better way to achieve the same result? I currently have the functionality already packaged into a component I reuse. But I still repeat myself adding the same two actions to all my controllers.
Edit: From the comment below I was pointed to http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#restricting-cross-controller-communication. The thing I want to achieve is very similar to SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions, except that I would rather not explicitly whitelist the allowed controllers or actions, but rather have the access right inherited from the caller.
Upvotes: 0
Views: 426
Reputation: 29007
Using the Security component might give you what you want;
http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
[update] Although the security component checks if a form posted was a valid form, it does not check if the current user has permissions to access a controller/action.
For this you'll need to implement an authorisation system, in combination with access control. This can be a simple 'access' control for certain actions ("is a user logged in?"), or a more granular approach using access control lists (ACL).
The cakephp manual has some examples for both. I'll post some links:
Authentication http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html
Access Control Lists http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html
And a tutorial on both:
http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html
Upvotes: 1
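An added example (not code from the question or the answer) of the split the answer describes, in CakePHP 2.x: the Security component validates the request itself, while the Auth component's 'Controller' authorizer decides whether the current user may call the shared editor actions. The role map and the `upload`/`listUploads` action names are assumptions; the Referer header is client-controlled, so it is used only as a consistency check and never as the basis for granting access.

```php
<?php
// Added example for CakePHP 2.x; not the project's own code.
App::uses('Router', 'Routing');

class AppController extends Controller {
    public $components = array(
        'Session',
        'Security',                            // form/CSRF validation, not permissions
        'Auth' => array(
            'authenticate' => array('Form'),
            'authorize'    => array('Controller'), // calls $this->isAuthorized($user)
        ),
    );

    // Default: any logged-in user may run an action; subclasses tighten this.
    public function isAuthorized($user) {
        return !empty($user);
    }
}

// One shared editor controller. Its actions are authorized on the user's own
// rights, not on which page the AJAX call claims to come from.
class EditorController extends AppController {
    // Hypothetical role map: which roles may call which editor action.
    public $editorRoles = array(
        'upload'      => array('admin', 'author'),
        'listUploads' => array('admin', 'author', 'reviewer'),
    );

    public function isAuthorized($user) {
        $action = $this->request->params['action'];
        if (!isset($this->editorRoles[$action], $user['role'])) {
            return false;
        }
        if (!in_array($user['role'], $this->editorRoles[$action], true)) {
            return false;
        }
        // Consistency check only: the local referer (e.g. '/posts/edit/1') must
        // parse to a known route. A forged header cannot grant access above.
        $route = Router::parse($this->referer(null, true));
        return !empty($route['controller']) && !empty($route['action']);
    }

    public function upload() {
        $this->request->onlyAllow('post');   // reject GET uploads (2.3+)
        // ... store $this->request->data['file'] ...
    }

    public function listUploads() {
        // ... return the JSON list of previous uploads ...
    }
}
```

Other controllers keep their own `isAuthorized()` for editing posts; the editor's actions no longer need to be duplicated into each of them.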