| # |
Apr 23rd 2021, 16:56 |
 tyler.adam.lazenby |
I have both a users table and an accounts table |
| # |
Apr 23rd 2021, 16:56 |
tyler.adam.lazenby |
OK I am now running into something different |
| # |
Apr 23rd 2021, 16:55 |
slackebot |
the controller methods be adjusted (maybe?) because they authorization is “injected” via a middleware • And then also with the same plugin and the same Request Policy but a more controller adjustable approach where you can call that Request Policy Class again with `$this->Authorization->can($this->request, 'access')` and no “injected” middleware |
| # |
Apr 23rd 2021, 16:55 |
slackebot |
index). These also need to be checked in the used controller method via `->authorize($entity)` for entity related authorization or `$this->Authorization->applyScope($this->Users->find())` for table/query related authorization • Then we have https://github.com/CakeDC/auth which lets you handle everything but with a more generic Request policy (so not 1 Class per entity/table but 1 Class for *everything*) which doesn’t need to have |
| # |
Apr 23rd 2021, 16:55 |
kevin.pfeifer |
Please correct me if I am wrong but now it seems like there are now 3 main ways how you can handle configuration for authorization: • The “default” cakephp/authorization way where you have Policy Classes for each Entity like `UserPolicy::canEdit()` (for all the entity related authorization like add, edit, view and delete) and Tables `UsersTablePolicy::scopeIndex()` (for mostly query related authorization like |
| # |
Apr 23rd 2021, 16:00 |
tyler.adam.lazenby |
Yeah I know. I fully plan on implimenting it in the near future, and I understand the need to not paint myself further into a corner. BUT this is something I need now and for a single action... and it wouldn't exactly be business smart at this point to change that much source code when I have a deadline for a simple change. |
| # |
Apr 23rd 2021, 15:59 |
admad |
> I want to authorize based on actions Ditto |
| # |
Apr 23rd 2021, 15:57 |
admad |
cakedc/auth's RBAC policy allows handling all permission from a single config file. So you would we removing good from 50+ controllers |
| # |
Apr 23rd 2021, 15:56 |
tyler.adam.lazenby |
some with over 15 methods. |
| # |
Apr 23rd 2021, 15:56 |
tyler.adam.lazenby |
right, but we are talking about altering the logic for about 50 controllers at this point |
| # |
Apr 23rd 2021, 15:53 |
ndm |
No, it's for the plugin, which has a component too. The policy would be a table policy, so for example `UsersTablePolicy` (wrong name in my previous comment, sorry). Again, not a fan, I'd rather use a request policy if I want to authorize based on actions :) |
| # |
Apr 23rd 2021, 15:51 |
tyler.adam.lazenby |
not the authorization plugin? |
| # |
Apr 23rd 2021, 15:51 |
tyler.adam.lazenby |
also isn't this for the auth component |
| # |
Apr 23rd 2021, 15:50 |
tyler.adam.lazenby |
I still need to check if the user is an administrator |
| # |
Apr 23rd 2021, 15:50 |
tyler.adam.lazenby |
OK I get that this command says to automatically authorize the use BUTTTTTT where do I configure the policy? |
| # |
Apr 23rd 2021, 15:47 |
ndm |
Ok, it's not the action map, but the model map :) |
| # |
Apr 23rd 2021, 15:47 |
ndm |
https://book.cakephp.org/authorization/2/en/component.html#automatic-authorization-checks |
| # |
Apr 23rd 2021, 15:46 |
ndm |
You wouldn't pass anything with the first method, it would happen automatically once you've configured the components action map. |
| # |
Apr 23rd 2021, 15:45 |
tyler.adam.lazenby |
just running this as my policy ```return $identity->is_admin;``` |
| # |
Apr 23rd 2021, 15:45 |
tyler.adam.lazenby |
especially since the entity has no data that I am actually checking |
| # |
Apr 23rd 2021, 15:44 |
tyler.adam.lazenby |
I would rather not run through each entity |
| # |
Apr 23rd 2021, 15:43 |
tyler.adam.lazenby |
the issue with the first method is that I can't seem to figure out why when I pass a result set that it throws this error `Policy for Cake\ORM\ResultSet has not been defined.` |
| # |
Apr 23rd 2021, 15:33 |
slackebot |
middleware ( https://book.cakephp.org/authorization/2/en/request-authorization-middleware.html ), or by manually checking the request in your controller, like `$this->Authorization->can($this->request, 'access')`. |
| # |
Apr 23rd 2021, 15:33 |
ndm |
The plugin basically does what you could/would do manually. Generally you basically have two options, you can either use the authorization component's action handling (personally I'm not really a fan of it), which would invoke `can%Action%` on the controller's default model, for example `UserPolicy::canIndex()`, or you can use a request policy (that's what cakedc/auth does), either combined with the request authorization |
| # |
Apr 23rd 2021, 15:31 |
tyler.adam.lazenby |
Just was wondering people's opinions. But I guess that your opinion to use that plugin is just as valid. |
| # |
Apr 23rd 2021, 15:30 |
tyler.adam.lazenby |
I am pretty far into the project and I am not familiar enough with the cakedc/auth plugin to want to impliment it into this one. BUT i will be using it from here on out, because I know it will make things easier |
| # |
Apr 23rd 2021, 15:30 |
tyler.adam.lazenby |
I am guessing role based access control? |
| # |
Apr 23rd 2021, 15:29 |
tyler.adam.lazenby |
??? I am not sure what those letters mean |
| # |
Apr 23rd 2021, 15:28 |
admad |
cakedc/auth plugin provided a policy for the authoz plugin for RBAC |
| # |
Apr 23rd 2021, 15:25 |
tyler.adam.lazenby |
The irony that the last discussion was about authroization is not lost on me btw |
| # |
Apr 23rd 2021, 15:23 |
tyler.adam.lazenby |
I usually on other methods have it check a single entity and make sure that the user that is trying to request the action is authorized by using a policy. ```$this->Authorization->authorize($entity, 'actionAlias');``` |
| # |
Apr 23rd 2021, 15:22 |
tyler.adam.lazenby |
What is the best way to use the Authorization plugin to limit if somebody can use the index method? I am trying to limit it to roles that are at the administrative level. |
| # |
Apr 23rd 2021, 13:44 |
ndm |
*cricket noises* |
| # |
Apr 23rd 2021, 13:27 |
mainanthem |
Hello ! |
| # |
Apr 23rd 2021, 12:37 |
admad |
doh |
| # |
Apr 23rd 2021, 12:29 |
greg138 |
GROUPS is also reserved as of 8.0.2 https://dev.mysql.com/doc/refman/8.0/en/keywords.html |
| # |
Apr 23rd 2021, 11:58 |
kevin.pfeifer |
ah, i see |
| # |
Apr 23rd 2021, 11:38 |
ndm |
The other way around, no check on POST as the controller action will not actually run because of PRG of the search component. |
| # |
Apr 23rd 2021, 11:37 |
kevin.pfeifer |
as i understand the problem (to summerize) You have a index function which should have a authorization check on GET but should have a authorization check on POST, right? |
| # |
Apr 23rd 2021, 11:35 |
paolo.bragagni |
or pherhaps I dont understand.. :) |
| # |
Apr 23rd 2021, 11:34 |
paolo.bragagni |
the best for me seems to skipAuthorization when I'll go in production |