CakePHP: the rapid development php framework: CakeBot

Log message #4263460

#	At	Username	Text
#	May 18th 2021, 11:19	neon1024	Ah, it is still there. What an odd bug
#	May 18th 2021, 11:14	neon1024	Is the `Model.initialize` event not a thing any more? I can only see DebugKit calling it in my listener
#	May 18th 2021, 09:57	ndm	Not necessarily, you can also do a find after using `saveAssociated()`, and then use the query model id for one last separate save that updates the order.
#	May 18th 2021, 09:50	rightscoreanalysis	thanks @ndm - so the way to go would be to use seperate saves and then use $this->Model->Id to seed the foreign keys manually?
#	May 18th 2021, 09:39	ndm	But even if it were generally possible, it would not be practical with a "to many" association, as the saving logic wouldn't which of the possibly many addresses should be associated with the order.
#	May 18th 2021, 09:37	ndm	@rightscoreanalysis That's not possible no, only directly association models can be automatically decorated with a foreign key.
#	May 18th 2021, 09:32	rightscoreanalysis	my question about saving back through a relationship better explained here, I am sure those most knowledgeable will know if what I am attempting is possible or not: https://stackoverflow.com/questions/67582761/cakephp-saving-fk-back-through-data-in-a-multiple-relation-structure
#	May 18th 2021, 09:21	neon1024	Thanks for the tips everyone :bow:
#	May 18th 2021, 09:21	slackebot	I bet that will fill in my mental gaps :)
#	May 18th 2021, 09:21	neon1024	Oh right that does make sense. The main thing was that we have a custom RoleAuthorize class, which I wanted to keep. So I can refactor to Policies in another PR. The request middleware looked a good spot to just call an instance of that class and return it’s `authenticate()`. Which does seem to work, but now I know I need to massage it a bit :thumbsup: Although I’m going to read through the bits that @steinkel linked, as
#	May 18th 2021, 09:15	slackebot	generally you can as well manually check the request (if you actually _want_ to use a request policy) on controller level and take actions into account that do not require authentication. ```$action = $this->request->getParam('action'); if (in_array($action, $this->Authentication->getUnauthenticatedActions(), true)) { $this->Authorization->skipAuthorization(); } else { $this->Authorization->authorize($this->request, 'access'); }```
#	May 18th 2021, 09:15	ndm	@neon1024 That's just how the request authorization middleware works, it unconditionally applies to every request, acting as a simple, early entry point for stuff like RBAC, ACL, etc., and if you don't want to duplicate config, then you should store it in a central point instead where both your policies as well as your controllers can look it up. Also, you don't necessarily _have_ to use the middleware to authorize requests,
#	May 18th 2021, 09:01	erwane	So yes, we have to define it twice :)
#	May 18th 2021, 09:00	erwane	In my AuthController (page with no authorization and not yet authenticated), i have to write ``` public function initialize() { parent::initialize(); $this->Authentication->allowUnauthenticated([ 'login', 'logout', 'passwordAsk', 'passwordRenew', ]); $this->skipAuthorization();```
#	May 18th 2021, 09:00	neon1024	I’ll get my reading done this morning :thumbsup:
#	May 18th 2021, 08:59	neon1024	I'
#	May 18th 2021, 08:59	neon1024	..adn good old method called `can()` :)
#	May 18th 2021, 08:59	neon1024	Services, but not from a DI container! :p\
#	May 18th 2021, 08:58	neon1024	Maps, Resolvers, Policies, Identities, Services
#	May 18th 2021, 08:58	neon1024	But hey, this is my first attempt at these plugins, so I have lots to learn :)
#	May 18th 2021, 08:57	erwane	Why Authorization check if no Authentication ?
#	May 18th 2021, 08:57	erwane	You're right.
#	May 18th 2021, 08:57	neon1024	..and, do correct me here, but Authentication provides the indentity
#	May 18th 2021, 08:56	neon1024	Yes, I’m just confused why Authorization would be called when there is no identity
#	May 18th 2021, 08:56	erwane	I'm sure we have to do it twice. Authentication and Authorization are separated. You can request Authentication to access a page but don't check Authorization.
#	May 18th 2021, 08:55	steinkel	If https://book.cakephp.org/4/en/tutorials-and-examples/cms/authorization.html is not clear, let me know
#	May 18th 2021, 08:54	neon1024	Awesome, thanks @steinkel :thumbsup: Figured there might be something
#	May 18th 2021, 08:54	steinkel	https://www.cakedc.com/jorge_gonzalez/2020/05/19/working-with-cakephp-authorization could help too
#	May 18th 2021, 08:53	steinkel	@neon1024 you have, in addition to the book, https://cakefest.org/archive/virtual-2020 (see Workshop 1 for authentication, 3 for Authorization)
#	May 18th 2021, 08:53	neon1024	Which seems like utter madness to me that I have to do the same configuration twice, but there you are. I’ve probably missed something
#	May 18th 2021, 08:52	slackebot	<neon1024>
#	May 18th 2021, 08:52	neon1024	For the unlocked actions, I just tied it into the Authentication config
#	May 18th 2021, 08:52	erwane	I'm using policy on Entity, and don't need this RequestAuthorization. Looking for the doc
#	May 18th 2021, 08:50	neon1024	Which looks remarkable like ACL wearing a trench coat
#	May 18th 2021, 08:50	neon1024	Just sidesteps all that Policy nonsense
#	May 18th 2021, 08:50	erwane	never used RequestAuthorization :(
#	May 18th 2021, 08:49	erwane	``` // Authentication $middlewareQueue->add(new AuthenticationMiddleware($this)); // Authorization $middlewareQueue->add(new AuthorizationMiddleware($this)); return $middlewareQueue;```
#	May 18th 2021, 08:49	neon1024	I wonder if Authorization and RequestAuthorization are mutually exclusive
#	May 18th 2021, 08:49	neon1024	->add(new AuthenticationMiddleware($this)) ->add(new AuthorizationMiddleware($this)) ->add(new RequestAuthorizationMiddleware());
#	May 18th 2021, 08:49	neon1024	I believe so
#	May 18th 2021, 08:47	erwane	I prefer to add `skipAuthorization` in all methods, to be sure it's protected and prevent a security hole.