Reputation: 2712
I have implemented ACL (group-level only) in Cake 2.2.4 as follows:
Group.1 has access to controllers
Group.2 has access to controllers/recruiters
Group.3 has access to controllers/jobseekers
This all works fine, but the problem is when someone in Group.2 tries to access something in controllers/jobseekers the best I can do is show them a message via $this->Session->flash('auth') to tell them that they don't have access.
This is ok to a certain extent because I have quite a lot of control over the Flash message, including being able to set the message and even customize the HTML generated via an element.
However, users of the app have complained that the same page simply refreshing with an error is counter-intuitive. This is primarily because the app needs to have the ability for one user to be in Group.2 and Group.3 in some cases, so the flash message needs to communicate to users how to 'upgrade' their account to be in both groups.
Because of this, it is felt that an immediate redirect to a new controller action with an 'account update' form on it would be more intuitive than a flash message with a link to the form or a flash message with (urgh) a form embedded in it (urgh again!).
The problem is I can't think of a way to redirect users
Upvotes: 0
Views: 787
Reputation: 2712
This has been solved in CakePHP 2.3 with the addition of AuthComponent::$unauthorizedRedirect
More info: http://book.cakephp.org/2.0/en/appendices/2-3-migration-guide.html#authcomponent
Upvotes: 2
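A configuration sketch of the setting named in the answer above, added here as an example and not taken from the original posts. The `users`/`upgrade` target, the `controllers/Users/upgrade` ACO path and the flash text are hypothetical; the `Actions` authorize adapter matches the group-level ACL setup described in the question.

```php
<?php
// app/Controller/AppController.php (CakePHP 2.3 or later)
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Acl',
        'Session',
        'Auth' => array(
            // Group-level ACL check against the 'controllers' ACO tree.
            'authorize' => array(
                'Actions' => array('actionPath' => 'controllers')
            ),
            // Flash text set under the 'auth' key when authorization fails;
            // it is rendered by $this->Session->flash('auth') on the page
            // the user is redirected to.
            'authError' => 'Your account does not include this section yet.',
            // Added in 2.3. Default true: redirect to the referrer.
            // String or array: redirect a logged-in but unauthorized user
            // to that URL. false: throw ForbiddenException instead.
            // Hypothetical target: UsersController::upgrade().
            'unauthorizedRedirect' => array(
                'controller' => 'users',
                'action' => 'upgrade'
            )
        )
    );
}

// The redirect target goes through the same ACL check as any other action.
// Every group that can be sent there needs an ACL grant on its ACO
// (hypothetical path: controllers/Users/upgrade), otherwise the denied
// request is redirected to the same URL again and loops. Granting it in
// the ACL, rather than making the action public, keeps the upgrade form
// behind login.
```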