I have two group ids:
Group 1 => Admins
Group 2 => Users
I am looking for a way to deny access to anyone who is not an admin (i.e. group 2 and visitors who are not logged in). The isAuthorized() function below does not seem to work: access is always granted, and I cannot see why. Thanks for your help.
<?php
App::uses('Controller', 'Controller');
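class AppController extends Controller {

    /**
     * Components shared by every controller.
     *
     * AuthComponent is switched to the 'Controller' authorizer so that it
     * calls AppController::isAuthorized() for every action that has not
     * been opened with $this->Auth->allow(). The 'Actions' (ACL) authorizer
     * configured before never consults isAuthorized(), which is why the
     * method appeared to have no effect. AclComponent stays loaded for any
     * code that still uses it directly.
     */
    public $components = array(
        'Acl',
        'Auth' => array(
            'authorize' => array('Controller')
        ),
        'Session'
    );

    public $helpers = array('Html', 'Form', 'Session');

    /**
     * Configures the AuthComponent redirects and picks the layout.
     *
     * Requests routed through the 'admin' prefix get the "admin" layout,
     * everything else the "default" one.
     *
     * @return void
     */
    public function beforeFilter() {
        parent::beforeFilter();

        // Where unauthenticated / unauthorized requests are sent.
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
        $this->Auth->loginRedirect = array('controller' => 'pages', 'action' => 'home');

        $this->layout = $this->_isAdminRequest() ? 'admin' : 'default';
    }

    /**
     * Authorization callback used by the 'Controller' authorizer.
     *
     * Only actions under the 'admin' routing prefix are authorized here,
     * and only for members of group 1 (Admins). Every other action is
     * denied by default: a controller must open its public actions
     * explicitly with $this->Auth->allow('action').
     *
     * Controller itself does not define isAuthorized(), so there is no
     * parent implementation to fall back on (the original parent:: call
     * is dropped).
     *
     * @param array|null $user The logged-in user record passed by AuthComponent
     * @return bool True when the request may proceed
     */
    public function isAuthorized($user = null) {
        if (!$this->_isAdminRequest()) {
            return false;
        }
        if ($user === null) {
            $user = $this->Auth->user();
        }
        // group_id normally comes back from the database as the string "1",
        // so a strict comparison against the integer 1 would never match.
        $groupId = isset($user['group_id']) ? (int)$user['group_id'] : 0;
        return $groupId === 1;
    }

    /**
     * Whether the current request was routed through the 'admin' prefix.
     *
     * @return bool
     */
    protected function _isAdminRequest() {
        return isset($this->request->params['prefix'])
            && $this->request->params['prefix'] === 'admin';
    }
}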
PagesController
<?php
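class PagesController extends AppController {

    /**
     * This controller does not use a model
     *
     * @var array
     */
    public $uses = array();

    /**
     * Opens only the public display() action to anonymous users.
     *
     * The original called $this->Auth->allow() with no arguments, which
     * allows every action of this controller, admin_index included, so
     * AuthComponent never got to check the admin dashboard. admin_index
     * now stays protected and goes through AppController::isAuthorized().
     *
     * @return void
     */
    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('display');
    }

    /**
     * Displays a view
     *
     * @param mixed What page to display
     * @return void
     * @throws ForbiddenException When a path segment is '.' or '..'
     * @throws NotFoundException When the view file could not be found
     *  or MissingViewException in debug mode.
     */
    public function display() {
        $path = func_get_args();
        $count = count($path);
        if (!$count) {
            return $this->redirect('/');
        }
        // The segments come straight from the URL and are joined into a view
        // name; refuse '.' and '..' so the lookup cannot climb out of View/Pages.
        if (in_array('..', $path, true) || in_array('.', $path, true)) {
            throw new ForbiddenException();
        }
        $page = $subpage = $title_for_layout = null;
        if (!empty($path[0])) {
            $page = $path[0];
        }
        if (!empty($path[1])) {
            $subpage = $path[1];
        }
        if (!empty($path[$count - 1])) {
            $title_for_layout = Inflector::humanize($path[$count - 1]);
        }
        $this->set(compact('page', 'subpage', 'title_for_layout'));
        try {
            $this->render(implode('/', $path));
        } catch (MissingViewException $e) {
            // In debug mode surface the real error; in production hide the
            // view layout behind a generic 404.
            if (Configure::read('debug')) {
                throw $e;
            }
            throw new NotFoundException();
        }
    }

    /**
     * Admin dashboard, reachable at /admin (see routes.php). Not allowed in
     * beforeFilter(), so it goes through AppController::isAuthorized().
     *
     * @return void
     */
    public function admin_index() {
        $title_for_layout = 'Dashboard';
        $this->set(compact('title_for_layout'));
    }
}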
routes
*/
Router::connect('/', array('controller' => 'pages', 'action' => 'display', 'home'));
/**
 * ...and connect the rest of 'Pages' controller's urls.
 * Every /pages/<segments> URL is handed to PagesController::display(),
 * which renders View/Pages/<segments>.ctp.
 */
Router::connect('/pages/*', array('controller' => 'pages', 'action' => 'display'));
// /admin -> PagesController::admin_index() through the 'admin' routing prefix.
// NOTE(review): the 'admin' => true key presumably needs
// Configure::write('Routing.prefixes', array('admin')) in core.php — confirm.
Router::connect('/admin', array('controller' => 'pages', 'action' => 'index', 'admin' => true));
To have actions such as admin_index served automatically under an admin prefix, add the following line to your core.php file:
Configure::write('Routing.prefixes', array('admin'));
Then PagesController::admin_index is reachable at /admin/pages/index instead of /pages/admin_index, and the admin routing param is set to true, so you can test for it with $this->params['admin'] (see my code below).
In CakePHP every action is denied by default once AuthComponent is loaded, but your PagesController opens all of its actions — admin_index included — by calling $this->Auth->allow() with no arguments in beforeFilter, so the admin pages are never checked. There is a second reason your isAuthorized() never ran: you configured the 'Actions' (ACL) authorizer, which does not call the controller's isAuthorized() method at all; the 'Controller' authorizer used below does. You therefore need to deny the admin-prefixed actions explicitly and let isAuthorized() decide who may reach them.
To do so, in your AppController:
<?php
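class AppController extends Controller {

    /**
     * AuthComponent configuration.
     *
     * The 'Controller' authorizer is what makes AuthComponent call the
     * isAuthorized() method below; the redirect targets are the same ones
     * the question set in beforeFilter(). (The original listing separated
     * these entries with ';', which is a parse error, and the class did not
     * extend Controller.)
     */
    public $components = array(
        'Auth' => array(
            'loginAction' => array('controller' => 'users', 'action' => 'login'),
            'loginRedirect' => array('controller' => 'pages', 'action' => 'home'),
            'logoutRedirect' => array('controller' => 'users', 'action' => 'login'),
            'authorize' => array('Controller'),
        )
    );

    /**
     * Allow everything to anonymous users except admin-prefixed pages.
     *
     * Relies on Configure::write('Routing.prefixes', array('admin')) so that
     * $this->params['admin'] is set for /admin/... URLs. Because every
     * non-admin action is allowed here, any other controller that needs a
     * protected non-admin action must call $this->Auth->deny() itself.
     *
     * @return void
     */
    public function beforeFilter() {
        parent::beforeFilter();
        if (!empty($this->params['admin'])) {
            $this->Auth->deny();
        } else {
            $this->Auth->allow();
        }
    }

    /**
     * Called by the 'Controller' authorizer for actions that are not allowed.
     *
     * Admin-prefixed actions require group 1 (Admins). Everything else that
     * reaches this point is denied: Controller has no isAuthorized() of its
     * own, so the original parent::isAuthorized() call would have failed.
     *
     * @param array|null $user The logged-in user record passed by AuthComponent
     * @return bool True when the request may proceed
     */
    public function isAuthorized($user = null) {
        if (!empty($this->params['admin'])) {
            if ($user === null) {
                $user = $this->Auth->user();
            }
            // group_id is normally the string "1" when it comes from the
            // database, so normalise before the strict comparison.
            return isset($user['group_id']) && (int)$user['group_id'] === 1;
        }
        return false;
    }
}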