Log message #4263455

# At Username Text
# May 18th 2021, 09:37 ndm @rightscoreanalysis That's not possible, no; only directly associated models can be automatically decorated with a foreign key.
# May 18th 2021, 09:32 rightscoreanalysis my question about saving back through a relationship better explained here, I am sure those most knowledgeable will know if what I am attempting is possible or not: https://stackoverflow.com/questions/67582761/cakephp-saving-fk-back-through-data-in-a-multiple-relation-structure
# May 18th 2021, 09:21 neon1024 Thanks for the tips everyone :bow:
# May 18th 2021, 09:21 slackebot I bet that will fill in my mental gaps :)
# May 18th 2021, 09:21 neon1024 Oh right that does make sense. The main thing was that we have a custom RoleAuthorize class, which I wanted to keep. So I can refactor to Policies in another PR. The request middleware looked a good spot to just call an instance of that class and return its `authenticate()`. Which does seem to work, but now I know I need to massage it a bit :thumbsup: Although I’m going to read through the bits that @steinkel linked, as
# May 18th 2021, 09:15 slackebot generally you can as well manually check the request (if you actually _want_ to use a request policy) on controller level and take actions into account that do not require authentication.
```
$action = $this->request->getParam('action');
if (in_array($action, $this->Authentication->getUnauthenticatedActions(), true)) {
    $this->Authorization->skipAuthorization();
} else {
    $this->Authorization->authorize($this->request, 'access');
}
```
# May 18th 2021, 09:15 ndm @neon1024 That's just how the request authorization middleware works, it unconditionally applies to every request, acting as a simple, early entry point for stuff like RBAC, ACL, etc., and if you don't want to duplicate config, then you should store it in a central point instead where both your policies as well as your controllers can look it up. Also, you don't necessarily _have_ to use the middleware to authorize requests,
# May 18th 2021, 09:01 erwane So yes, we have to define it twice :)
# May 18th 2021, 09:00 erwane In my AuthController (page with no authorization and not yet authenticated), I have to write
```
public function initialize()
{
    parent::initialize();

    $this->Authentication->allowUnauthenticated([
        'login',
        'logout',
        'passwordAsk',
        'passwordRenew',
    ]);
    $this->skipAuthorization();
```
# May 18th 2021, 09:00 neon1024 I’ll get my reading done this morning :thumbsup:
# May 18th 2021, 08:59 neon1024 I'
# May 18th 2021, 08:59 neon1024 ..and good old method called `can()` :)
# May 18th 2021, 08:59 neon1024 Services, but not from a DI container! :p
# May 18th 2021, 08:58 neon1024 Maps, Resolvers, Policies, Identities, Services
# May 18th 2021, 08:58 neon1024 But hey, this is my first attempt at these plugins, so I have lots to learn :)
# May 18th 2021, 08:57 erwane Why Authorization check if no Authentication?
# May 18th 2021, 08:57 erwane You're right.
# May 18th 2021, 08:57 neon1024 ..and, do correct me here, but Authentication provides the identity
# May 18th 2021, 08:56 neon1024 Yes, I’m just confused why Authorization would be called when there is no identity
# May 18th 2021, 08:56 erwane I'm sure we have to do it twice. Authentication and Authorization are separated. You can request Authentication to access a page but don't check Authorization.
# May 18th 2021, 08:55 steinkel If https://book.cakephp.org/4/en/tutorials-and-examples/cms/authorization.html is not clear, let me know
# May 18th 2021, 08:54 neon1024 Awesome, thanks @steinkel :thumbsup: Figured there might be something
# May 18th 2021, 08:54 steinkel https://www.cakedc.com/jorge_gonzalez/2020/05/19/working-with-cakephp-authorization could help too
# May 18th 2021, 08:53 steinkel @neon1024 you have, in addition to the book, https://cakefest.org/archive/virtual-2020 (see Workshop 1 for authentication, 3 for Authorization)
# May 18th 2021, 08:53 neon1024 Which seems like utter madness to me that I have to do the same configuration twice, but there you are. I’ve probably missed something
# May 18th 2021, 08:52 slackebot <neon1024>
# May 18th 2021, 08:52 neon1024 For the unlocked actions, I just tied it into the Authentication config
# May 18th 2021, 08:52 erwane I'm using policy on Entity, and don't need this RequestAuthorization. Looking for the doc
# May 18th 2021, 08:50 neon1024 Which looks remarkably like ACL wearing a trench coat
# May 18th 2021, 08:50 neon1024 Just sidesteps all that Policy nonsense
# May 18th 2021, 08:50 erwane never used RequestAuthorization :(
# May 18th 2021, 08:49 erwane
```
// Authentication
$middlewareQueue->add(new AuthenticationMiddleware($this));

// Authorization
$middlewareQueue->add(new AuthorizationMiddleware($this));

return $middlewareQueue;
```
# May 18th 2021, 08:49 neon1024 I wonder if Authorization and RequestAuthorization are mutually exclusive
# May 18th 2021, 08:49 neon1024
```
->add(new AuthenticationMiddleware($this))
->add(new AuthorizationMiddleware($this))
->add(new RequestAuthorizationMiddleware());
```
# May 18th 2021, 08:49 neon1024 I believe so
# May 18th 2021, 08:47 erwane I prefer to add `skipAuthorization` in all methods, to be sure it's protected and prevent a security hole.
# May 18th 2021, 08:45 erwane maybe you can add an Authentication test, if not authenticated, skip Authorization.
# May 18th 2021, 08:44 erwane
```
/**
 * Bands index
 *
 * @return \Cake\Http\Response|void
 * @throws \Exception
 */
public function index()
{
    $this->Authorization->skipAuthorization();
```
# May 18th 2021, 08:44 erwane But, Authentication and Authorization are not the same. On my public page, I have to add `$this->Authorization->skipAuthorization();` in methods with no check
# May 18th 2021, 08:43 erwane You add the AuthorizationMiddleware AFTER Authentication?
# May 18th 2021, 08:37 neon1024 Is there a Cakefest talk on how these plugins work, as there are lots of new concepts here and they are not intuitive at all to my brain