| # |
Apr 23rd 2021, 15:28 |
 admad |
cakedc/auth plugin provided a policy for the authoz plugin for RBAC |
| # |
Apr 23rd 2021, 15:25 |
tyler.adam.lazenby |
The irony that the last discussion was about authroization is not lost on me btw |
| # |
Apr 23rd 2021, 15:23 |
tyler.adam.lazenby |
I usually on other methods have it check a single entity and make sure that the user that is trying to request the action is authorized by using a policy. ```$this->Authorization->authorize($entity, 'actionAlias');``` |
| # |
Apr 23rd 2021, 15:22 |
tyler.adam.lazenby |
What is the best way to use the Authorization plugin to limit if somebody can use the index method? I am trying to limit it to roles that are at the administrative level. |
| # |
Apr 23rd 2021, 13:44 |
ndm |
*cricket noises* |
| # |
Apr 23rd 2021, 13:27 |
mainanthem |
Hello ! |
| # |
Apr 23rd 2021, 12:37 |
admad |
doh |
| # |
Apr 23rd 2021, 12:29 |
greg138 |
GROUPS is also reserved as of 8.0.2 https://dev.mysql.com/doc/refman/8.0/en/keywords.html |
| # |
Apr 23rd 2021, 11:58 |
kevin.pfeifer |
ah, i see |
| # |
Apr 23rd 2021, 11:38 |
ndm |
The other way around, no check on POST as the controller action will not actually run because of PRG of the search component. |
| # |
Apr 23rd 2021, 11:37 |
kevin.pfeifer |
as i understand the problem (to summerize) You have a index function which should have a authorization check on GET but should have a authorization check on POST, right? |
| # |
Apr 23rd 2021, 11:35 |
paolo.bragagni |
or pherhaps I dont understand.. :) |
| # |
Apr 23rd 2021, 11:34 |
paolo.bragagni |
the best for me seems to skipAuthorization when I'll go in production |
| # |
Apr 23rd 2021, 11:33 |
paolo.bragagni |
at least It seems to me :S |
| # |
Apr 23rd 2021, 11:32 |
paolo.bragagni |
@ndm yes I've understand your explaination |
| # |
Apr 23rd 2021, 11:32 |
steinkel |
search is posting to another action then... check @ndm answer |
| # |
Apr 23rd 2021, 11:32 |
ndm |
@paolo.bragagni But you did understand my explanation, didn't you? |
| # |
Apr 23rd 2021, 11:31 |
paolo.bragagni |
when search is fired I have the 'error' and it doesnt go in index() |
| # |
Apr 23rd 2021, 11:30 |
steinkel |
then call `->authorize` in the index action |
| # |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
(authorization) |
| # |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
I dont want to skip auth when I search in index |
| # |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
I need use authorization but Id like that search in index require authorization |
| # |
Apr 23rd 2021, 11:29 |
steinkel |
the exception is there to remind you need to do this or this action could be accessed for any authenticated user |
| # |
Apr 23rd 2021, 11:28 |
steinkel |
@paolo.bragagni if you use Authorization, you need to call at least once to either `->authorize OR ->skipAuthorization` |
| # |
Apr 23rd 2021, 11:27 |
steinkel |
sounds right to me |
| # |
Apr 23rd 2021, 11:27 |
kevin.pfeifer |
or am I wrong? ,:) |
| # |
Apr 23rd 2021, 11:23 |
kevin.pfeifer |
so `skipAuthorization` just tells the plugin that there is no authorization needed for this function |
| # |
Apr 23rd 2021, 11:20 |
kevin.pfeifer |
authentication => who are you? authorization => i know who you are, but are you allowed to do X? |
| # |
Apr 23rd 2021, 11:19 |
kevin.pfeifer |
its just that sometimes people mix up authentication and authorization |
| # |
Apr 23rd 2021, 11:19 |
kevin.pfeifer |
as I understand it `skipAuthorization` just doesn't require the `->authorizte($entity)` function to be called in that function Authentication (which is not the same as authorization) is still required |
| # |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
not really the better idea of the world to call it '"skipping authorization" :) |
| # |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
hahaha yes |
| # |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
So probably is better to inssert "skipping authorization" |
| # |
Apr 23rd 2021, 11:16 |
ndm |
The naming is really not great. |
| # |
Apr 23rd 2021, 11:15 |
ndm |
Note that there is no security issue, "skipping authorization" will not actually skip any authoriaztion checks that are actually being performed, it's just a flag that will prevent the error that tells you about no authorization checks having been applied. |
| # |
Apr 23rd 2021, 11:14 |
paolo.bragagni |
hummmm |
| # |
Apr 23rd 2021, 11:14 |
ndm |
@paolo.bragagni That's exactly the point, you skip it on POST, which is when the component will do the redirect, ie when your controller action code will actually _not_ run. It's still a somewhat fragile construct, but without changes in the plugin, there's not too much that can be done. |
| # |
Apr 23rd 2021, 11:09 |
paolo.bragagni |
@ndm but in this way I skip auth when I post to index. I sdont think is the best way to act for security... :S |
| # |
Apr 23rd 2021, 11:01 |
st.steinkuehler |
Does anyone have experience with Web Components and CakePHP? Detailed question here: https://discourse.cakephp.org/t/web-components-cakephp/9280 - Thanks. |
| # |
Apr 23rd 2021, 11:01 |
slackebot |
component triggers the redirect. |
| # |
Apr 23rd 2021, 11:01 |
slackebot |
eg: ```public function beforeFilter(\Cake\Event\EventInterface $event) { parent::beforeFilter($event); if ( $this->request->getParam('action') === 'index' andand $this->request->is('post') ) { $this->Authorization->skipAuthorization(); } }``` I guess an event or a callback for the search component might be useful here, so that one could hook in there and be sure authorization is really only skipped when the |