Re: Acl - inconsistent behaviour when accessing an unauthorised url

2010-04-14 Thread Tonu Tusk 
Hi there, just bumping this - I would have thought that someone may
have some insight into an important core
part of the framework misbehaving?

On Apr 12, 9:31 am, Tonu Tusk  wrote:
> Hi guys, I have had problems with this in the past (with a workable
> hack which might break things in the future)
>
> Basically, I have the following scenario. I have Auth and Acl setup as
> in the tutorial (actions based authentication)
>
> now if I have an authenticated user but who has restricted access to a
> url "mysite.com/restricted/page"
>
> I get a variety of behaviours based on how I access the page.
>
> If I try to access the page whilst not logged on and then logging on,
> I get a redirect, If I am logged on and directly enter the url (no
> referer) I get redirected to home ('/') and if I try to access the
> restricted page via a link in an accessible page in the app, nothing
> happens (well obviously cake is restricting access and then
> redirecting me to the referer which is the page I am already on)
>
> Ideally, I would like the option o being able to be redirected to an
> "unauthorised notification" page if I chose, but I want to be able to
> catch all of the above occurrences without hacking auth.php
>
> My simple solution is just to implement AppController::referer() to
> always return my unauthorised notification page - the cirucmstances I
> have found out of the box that result in it being used for a
> redirection meet my criteria, but this is obviously flaky testing, and
> also then restricts the possibility of me using referer for anything
> else in the app in the future.
>
> The second solution (currently) is adding extra logic to the login
> function (to catch some special case redirections), moving the
> authentication type to "controller" and implementing AppController
> isAuthorized() to basically manually pass the current data through to
> Acl::Check, but in the process, internally flagging up if an
> unauthorized page has been requested and no page had yet been rendered
> as a result of any redirects, and then using this flag in the
> implemented referer method to try and retain referer's standard
> behaviour wherever possible.
>
> This just seems really long winded, and as noted before, is going to
> be a nightmare to test for all possible scenarios of the use of app.
>
> Surely with the imminent release of 1.3 there should not have to be
> workarounds for such a fundamental component, or am I missing
> something?

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en

To unsubscribe, reply using "remove me" as the subject.

Acl - inconsistent behaviour when accessing an unauthorised url

2010-04-12 Thread Tonu Tusk 
Hi guys, I have had problems with this in the past (with a workable
hack which might break things in the future)

Basically, I have the following scenario. I have Auth and Acl setup as
in the tutorial (actions based authentication)

now if I have an authenticated user but who has restricted access to a
url "mysite.com/restricted/page"

I get a variety of behaviours based on how I access the page.

If I try to access the page whilst not logged on and then logging on,
I get a redirect, If I am logged on and directly enter the url (no
referer) I get redirected to home ('/') and if I try to access the
restricted page via a link in an accessible page in the app, nothing
happens (well obviously cake is restricting access and then
redirecting me to the referer which is the page I am already on)

Ideally, I would like the option o being able to be redirected to an
"unauthorised notification" page if I chose, but I want to be able to
catch all of the above occurrences without hacking auth.php

My simple solution is just to implement AppController::referer() to
always return my unauthorised notification page - the cirucmstances I
have found out of the box that result in it being used for a
redirection meet my criteria, but this is obviously flaky testing, and
also then restricts the possibility of me using referer for anything
else in the app in the future.

The second solution (currently) is adding extra logic to the login
function (to catch some special case redirections), moving the
authentication type to "controller" and implementing AppController
isAuthorized() to basically manually pass the current data through to
Acl::Check, but in the process, internally flagging up if an
unauthorized page has been requested and no page had yet been rendered
as a result of any redirects, and then using this flag in the
implemented referer method to try and retain referer's standard
behaviour wherever possible.

This just seems really long winded, and as noted before, is going to
be a nightmare to test for all possible scenarios of the use of app.

Surely with the imminent release of 1.3 there should not have to be
workarounds for such a fundamental component, or am I missing
something?

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en

To unsubscribe, reply using "remove me" as the subject.