Hi,
I've done the blog tutorial and am working on my own app, an event booking
system, which has user registration with two user roles - unsurprisingly
called 'user' and 'admin'. :)
I want 'users' to be able to change their own details and book on an event,
and 'admins' to be able to do the usual adminy things.
Authentication is working okay, but I can't get the authorisation element
to work, using isAuthorized($user). If I log in as a non-admin user, I can
still access the admin functions (by directly typing in the URL), all of
which are prefixed with 'admin_'.
I've looked all over this forum and beyond, but I can't find a solution.
Can anyone please take a look at my code and see where I might be going
wrong? It's starting to drive me mad and I'm thinking of just sticking a
simple 'is the user an admin?' check within each and every admin function.
I've tried it with and without Configure::write('Routing.prefixes',
array('admin')); in my app's core.php.
(I've edited out non-relevant code for brevity.)
AppController.php

<?php
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'loginRedirect'  => array('controller' => 'users', 'action' => 'dashboard'),
            'logoutRedirect' => array('controller' => 'pages', 'action' => 'home'),
            'authError'      => 'You must be logged in to view this page.',
            'loginError'     => 'Invalid username or password entered, please try again.',
            'authenticate'   => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish',
                    'fields'         => array('username' => 'email')
                )
            ),
            'authorize' => array('Controller')
        )
    );

    // pages that can be viewed without being logged in
    public function beforeFilter() {
        $this->Auth->allow('login', 'index', 'add', 'home');
    }

    // check to see logged-in user is an admin
    public function isAuthorized($user) {
        // Any registered user can access public functions
        if (empty($this->request->params['admin'])) {
            return true;
        }
        // Only admins can access admin functions
        if (isset($this->request->params['admin'])) {
            return (bool)($user['role'] === 'admin');
        }
        // Default deny
        return false;
    }
}
UsersController.php

<?php
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $helpers = array('Html', 'Form', 'Session');
    public $components = array('Session');

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('login', 'index');
    }

    public function login() {
        // if we get the post information, try to authenticate
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                $this->Session->setFlash(__('Welcome, ' . $this->Auth->user('fullname')));
                return $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash(__('Invalid username or password'));
            }
        }
    }

    public function dashboard() {
        // code for dashboard stuff
    }

    // all the other code.
}
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
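As an added example, not code from the post above, here is a stand-alone PHP sketch of the deny-by-default authorization decision the post is aiming for: admin_* actions only for the 'admin' role, plus the ownership check that "users can change their own details" implies, so a user cannot edit another user's record by typing a different id into the URL. It does not load CakePHP. The request is modelled by a small array in the shape of CakeRequest::$params (the 'admin' prefix flag the router sets, 'controller', 'action', 'pass'), and the user record in the shape AuthComponent::user() passes to isAuthorized(). The 'bookings' controller, the self-service action names and the sample users are assumptions made for the example.

```php
<?php
// Added example (not from the original post): a deny-by-default
// isAuthorized() decision for a CakePHP 2 style app, written as a plain
// function so it runs without the framework.
//   $user   mirrors the array AuthComponent::user() hands to isAuthorized()
//   $params mirrors CakeRequest::$params (assumed shape, see lead-in)

function is_authorized(array $user, array $params) {
    $prefix     = !empty($params['admin']);          // true for admin_* actions
    $controller = isset($params['controller']) ? $params['controller'] : '';
    $action     = isset($params['action']) ? $params['action'] : '';
    $pass       = isset($params['pass']) ? $params['pass'] : array();
    $isAdmin    = isset($user['role']) && $user['role'] === 'admin'; // strict: 'ADMIN' is not admin

    // Assumed action names a logged-in user may run against their OWN record only.
    $selfService = array('edit', 'view', 'change_password');

    // 1. Anything under the admin prefix requires the admin role. A URL typed in
    //    directly goes through here too: the router sets params['admin'] from the
    //    URL, so there is no way to reach admin_index without this check running.
    if ($prefix) {
        return $isAdmin;
    }

    // 2. Admins may do everything outside the prefix as well.
    if ($isAdmin) {
        return true;
    }

    // 3. A plain user may touch their own record: /users/edit/<id> only when <id>
    //    is theirs. Pass params arrive as strings, so compare as strings.
    if ($controller === 'users' && in_array($action, $selfService, true)) {
        return isset($pass[0], $user['id']) && (string)$pass[0] === (string)$user['id'];
    }

    // 4. Booking an event is open to any logged-in user (assumed controller name).
    if ($controller === 'bookings' && $action === 'add') {
        return true;
    }

    // 5. Default deny: a non-prefixed action is reachable only if listed above.
    return false;
}

// Constructed sample requests, shaped as the router would populate them.
function run_checks() {
    $alice = array('id' => 7, 'role' => 'user');
    $root  = array('id' => 1, 'role' => 'admin');
    $spoof = array('id' => 9, 'role' => 'ADMIN');

    $cases = array(
        // label, user, request params, expected decision
        array('user hits admin URL directly', $alice, array('admin' => true,  'controller' => 'users',    'action' => 'admin_index'), false),
        array('admin hits admin URL',         $root,  array('admin' => true,  'controller' => 'users',    'action' => 'admin_index'), true),
        array('user edits own record',        $alice, array('admin' => false, 'controller' => 'users',    'action' => 'edit',   'pass' => array('7')), true),
        array('user edits someone else',      $alice, array('admin' => false, 'controller' => 'users',    'action' => 'edit',   'pass' => array('1')), false),
        array('user edits with no id',        $alice, array('admin' => false, 'controller' => 'users',    'action' => 'edit'), false),
        array('user books an event',          $alice, array('admin' => false, 'controller' => 'bookings', 'action' => 'add'), true),
        array('user calls unlisted action',   $alice, array('admin' => false, 'controller' => 'events',   'action' => 'delete', 'pass' => array('3')), false),
        array('role spoofed as "ADMIN"',      $spoof, array('admin' => true,  'controller' => 'users',    'action' => 'admin_index'), false),
    );

    $failures = 0;
    foreach ($cases as $c) {
        list($label, $user, $params, $expected) = $c;
        $got = is_authorized($user, $params);
        printf("%-32s %s\n", $label, $got === $expected ? 'ok' : 'FAIL');
        if ($got !== $expected) {
            $failures++;
        }
    }
    return $failures;
}

exit(run_checks() === 0 ? 0 : 1);
```

Run it with php authz_check.php; every line should print ok. To use the logic in a real CakePHP 2 app, the body of is_authorized() goes into AppController::isAuthorized($user) with $this->request->params in place of $params, and 'Controller' must be present in the Auth component's 'authorize' list, otherwise AuthComponent never calls isAuthorized() at all and only checks that someone is logged in. The point of step 5 is that a new action is unreachable until it is deliberately listed, which is the opposite of the "any non-admin action is fine" branch in the post's version.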