# |
Apr 23rd 2021, 15:43 |
tyler.adam.lazenby |
the issue with the first method is that I can't seem to figure out why, when I pass a result set, it throws this error: `Policy for Cake\ORM\ResultSet has not been defined.` |
# |
Apr 23rd 2021, 15:33 |
slackebot |
middleware ( https://book.cakephp.org/authorization/2/en/request-authorization-middleware.html ), or by manually checking the request in your controller, like `$this->Authorization->can($this->request, 'access')`. |
# |
Apr 23rd 2021, 15:33 |
ndm |
The plugin basically does what you could/would do manually. Generally you basically have two options, you can either use the authorization component's action handling (personally I'm not really a fan of it), which would invoke `can%Action%` on the controller's default model, for example `UserPolicy::canIndex()`, or you can use a request policy (that's what cakedc/auth does), either combined with the request authorization |
# |
Apr 23rd 2021, 15:31 |
tyler.adam.lazenby |
Just was wondering people's opinions. But I guess that your opinion to use that plugin is just as valid. |
# |
Apr 23rd 2021, 15:30 |
tyler.adam.lazenby |
I am pretty far into the project and I am not familiar enough with the cakedc/auth plugin to want to implement it into this one. BUT I will be using it from here on out, because I know it will make things easier |
# |
Apr 23rd 2021, 15:30 |
tyler.adam.lazenby |
I am guessing role based access control? |
# |
Apr 23rd 2021, 15:29 |
tyler.adam.lazenby |
??? I am not sure what those letters mean |
# |
Apr 23rd 2021, 15:28 |
admad |
cakedc/auth plugin provided a policy for the authoz plugin for RBAC |
# |
Apr 23rd 2021, 15:25 |
tyler.adam.lazenby |
The irony that the last discussion was about authorization is not lost on me btw |
# |
Apr 23rd 2021, 15:23 |
tyler.adam.lazenby |
On other methods I usually have it check a single entity and make sure that the user trying to request the action is authorized by using a policy: `$this->Authorization->authorize($entity, 'actionAlias');` |
# |
Apr 23rd 2021, 15:22 |
tyler.adam.lazenby |
What is the best way to use the Authorization plugin to limit if somebody can use the index method? I am trying to limit it to roles that are at the administrative level. |
# |
Apr 23rd 2021, 13:44 |
ndm |
*cricket noises* |
# |
Apr 23rd 2021, 13:27 |
mainanthem |
Hello ! |
# |
Apr 23rd 2021, 12:37 |
admad |
doh |
# |
Apr 23rd 2021, 12:29 |
greg138 |
GROUPS is also reserved as of 8.0.2 https://dev.mysql.com/doc/refman/8.0/en/keywords.html |
# |
Apr 23rd 2021, 11:58 |
kevin.pfeifer |
ah, i see |
# |
Apr 23rd 2021, 11:38 |
ndm |
The other way around, no check on POST as the controller action will not actually run because of PRG of the search component. |
# |
Apr 23rd 2021, 11:37 |
kevin.pfeifer |
as I understand the problem (to summarize): you have an index function which should have an authorization check on GET but should have an authorization check on POST, right? |
# |
Apr 23rd 2021, 11:35 |
paolo.bragagni |
or perhaps I don't understand.. :) |
# |
Apr 23rd 2021, 11:34 |
paolo.bragagni |
the best for me seems to skipAuthorization when I'll go in production |
# |
Apr 23rd 2021, 11:33 |
paolo.bragagni |
at least It seems to me :S |
# |
Apr 23rd 2021, 11:32 |
paolo.bragagni |
@ndm yes I've understood your explanation |
# |
Apr 23rd 2021, 11:32 |
steinkel |
search is posting to another action then... check @ndm answer |
# |
Apr 23rd 2021, 11:32 |
ndm |
@paolo.bragagni But you did understand my explanation, didn't you? |
# |
Apr 23rd 2021, 11:31 |
paolo.bragagni |
when search is fired I have the 'error' and it doesn't go in index() |
# |
Apr 23rd 2021, 11:30 |
steinkel |
then call `->authorize` in the index action |
# |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
(authorization) |
# |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
I don't want to skip auth when I search in index |
# |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
I need to use authorization but I'd like the search in index to require authorization |
# |
Apr 23rd 2021, 11:29 |
steinkel |
the exception is there to remind you that you need to do this, or this action could be accessed by any authenticated user |
# |
Apr 23rd 2021, 11:28 |
steinkel |
@paolo.bragagni if you use Authorization, you need to call at least once to either `->authorize OR ->skipAuthorization` |
# |
Apr 23rd 2021, 11:27 |
steinkel |
sounds right to me |
# |
Apr 23rd 2021, 11:27 |
kevin.pfeifer |
or am I wrong? ,:) |
# |
Apr 23rd 2021, 11:23 |
kevin.pfeifer |
so `skipAuthorization` just tells the plugin that there is no authorization needed for this function |
# |
Apr 23rd 2021, 11:20 |
kevin.pfeifer |
authentication => who are you? authorization => i know who you are, but are you allowed to do X? |
# |
Apr 23rd 2021, 11:19 |
kevin.pfeifer |
it's just that sometimes people mix up authentication and authorization |
# |
Apr 23rd 2021, 11:19 |
kevin.pfeifer |
as I understand it `skipAuthorization` just doesn't require the `->authorize($entity)` function to be called in that function. Authentication (which is not the same as authorization) is still required |
# |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
not really the best idea in the world to call it "skipping authorization" :) |
# |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
hahaha yes |
# |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
So it's probably better to insert "skipping authorization" |
# |
Apr 23rd 2021, 11:16 |
ndm |
The naming is really not great. |