Issue
So I have 4 different roles which in the Users table are foreign keys under the attribute "role_id". The Admin's role_id is equal to 1. I've been trying to block all users BUT the admin from accessing the admin pages, such as the Users' index page.
My AppController is as follows:
<?php
namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');
        $this->loadComponent('Flash');
        // Controller-based authorization: each controller's isAuthorized() decides.
        $this->loadComponent('Auth', [
            'authorize' => 'Controller',
        ]);
        $this->Auth->allow(['display', 'index', 'view', 'add']);
    }

    public function isAuthorized($user)
    {
        // Default deny
        return false;
    }
}
Then in the UsersController:
<?php
namespace App\Controller;

class UsersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        // Re-deny what AppController allowed, then add logout (and the public pages) to the allowed actions list.
        $this->Auth->deny(['index', 'add', 'view']);
        $this->Auth->allow(['register', 'forgetpw', 'resetpw', 'logout']);
    }

    public function isAuthorized($user)
    {
        if (in_array($this->request->action, ['view', 'edit', 'index', 'add'])) {
            // Strict comparison of role_id against the string '1'
            return (bool)($user['role_id'] === '1');
        }
        return parent::isAuthorized($user);
    }
}
Every user can access the views for 'register', 'forgetpw', 'resetpw' as stated to be allowed in the UsersController's initialize function. No user at the moment can access 'index', 'add', 'view' or 'edit', which should be accessible by the admin.
I'm thinking that if the authorization for UserController pages can be fixed, I can apply this for all the other Controllers.
Solution
Okay I think I've solved the issue.
return (bool)($user['role_id'] === '1');
should have been
return (bool)($user['role_id'] === 1);
Answered By - mistaq
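The role check from the question, rewritten as an added example (not the asker's code and not CakePHP's) so that it behaves the same whether the database layer hands role_id back as a PHP int (CakePHP's ORM type-casts integer columns) or as a string (raw PDO with some drivers). The names ADMIN_ROLE_ID, ADMIN_ONLY_ACTIONS and isAuthorizedForAction are assumed here; the sample user rows are constructed.

```php
<?php
// Added example: a driver-independent version of the isAuthorized() role check.
// Assumption (from the question): the admin role has role_id 1.
const ADMIN_ROLE_ID = 1;

// Actions in UsersController that only the admin may reach (from the question).
const ADMIN_ONLY_ACTIONS = ['view', 'edit', 'index', 'add'];

/**
 * Mirrors UsersController::isAuthorized(): admin-only actions require the
 * admin role; every other action falls through to AppController's default deny.
 * (Actions in Auth->allow() never reach this check at all.)
 */
function isAuthorizedForAction(array $user, string $action): bool
{
    if (!in_array($action, ADMIN_ONLY_ACTIONS, true)) {
        return false; // parent::isAuthorized() in the question: default deny
    }
    // A missing or non-numeric role_id is never treated as admin.
    if (!isset($user['role_id']) || !is_numeric($user['role_id'])) {
        return false;
    }
    // Normalise the type before the strict comparison so '1' and 1 are
    // handled alike; the original `=== '1'` denied every admin as soon as
    // role_id arrived as an int.
    return (int)$user['role_id'] === ADMIN_ROLE_ID;
}

// Constructed sample rows: the same admin as int and as string, a non-admin,
// and a row with no role at all.
$adminInt    = ['id' => 7, 'role_id' => 1];
$adminString = ['id' => 7, 'role_id' => '1'];
$editor      = ['id' => 8, 'role_id' => 2];
$noRole      = ['id' => 9];

// The question's check: strict comparison of an int against the string '1'.
var_dump($adminInt['role_id'] === '1');

// The normalised check across all four rows and a non-admin action.
var_dump(isAuthorizedForAction($adminInt, 'index'));
var_dump(isAuthorizedForAction($adminString, 'index'));
var_dump(isAuthorizedForAction($editor, 'index'));
var_dump(isAuthorizedForAction($noRole, 'edit'));
var_dump(isAuthorizedForAction($adminInt, 'register'));
```

Run it with `php` on the command line; the first dump shows why the original check failed, the remaining ones show that only the two admin rows pass, and only for admin-only actions.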