I created this script, src/Policy/RequestPolicy.php:
<?php
namespace App\Policy;

use Authorization\Policy\RequestPolicyInterface;
use Authorization\Policy\ResultInterface;
use Cake\Http\ServerRequest;

class RequestPolicy implements RequestPolicyInterface
{
    /**
     * Method to check if the request can be accessed
     *
     * @param \Authentication\IdentityInterface|null $identity Identity
     * @param \Cake\Http\ServerRequest $request Server Request
     * @return \Authorization\Policy\ResultInterface|bool
     */
    public function canAccess($identity, ServerRequest $request): bool|ResultInterface
    {
        // Role 0 stands for "not logged in".
        $role = 0;
        if (!empty($identity)) {
            // The original user data carries the role in its 'authorization' field.
            $data = $identity->getOriginalData();
            $role = $data['authorization'];
        }

        if (!empty($request->getParam('prefix'))) {
            if ($request->getParam('prefix') == 'Pages/Manage') {
                // Only role 1 may enter the Pages/Manage prefix.
                return $role === 1;
            } else {
                return true;
            }
        }

        // Requests without a prefix are always allowed.
        return true;
    }
}
If the prefix = ‘Pages/Manage’, then only the user with role = 1 has access there. Does it work? Is this a good solution?
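
As an added example (not the poster's code and not part of CakePHP), the decision made in canAccess() is modelled below as a plain PHP function and run over constructed inputs, next to a hypothetical stricter variant that also guards prefixes nested under Pages/Manage and tolerates a missing authorization key. Assumptions: PHP 8, identity data passed as a plain array, and the function names, the 'Pages/Manage/Reports' prefix and all sample identities are made up for illustration.

```php
<?php
declare(strict_types=1);

// Added example: a framework-free model of the prefix check, not the poster's code.
const ADMIN_ROLE = 1;                     // role value from the post
const PROTECTED_PREFIX = 'Pages/Manage';  // prefix from the post

// Decision logic as posted: exact prefix match, every other request allowed.
function postedCheck(?array $data, ?string $prefix): bool
{
    $role = empty($data) ? 0 : $data['authorization'];
    if (!empty($prefix) && $prefix == PROTECTED_PREFIX) {
        return $role === ADMIN_ROLE;
    }
    return true;
}

// Hypothetical stricter variant: also guards nested prefixes and tolerates a missing key.
function strictCheck(?array $data, ?string $prefix): bool
{
    $prefix = (string)$prefix;
    $guarded = $prefix === PROTECTED_PREFIX
        || str_starts_with($prefix, PROTECTED_PREFIX . '/');
    if (!$guarded) {
        return true;
    }
    return ($data['authorization'] ?? null) === ADMIN_ROLE;
}

// Constructed sample inputs: [identity data, routing prefix].
$cases = [
    'role 1'                => [['authorization' => 1], 'Pages/Manage'],
    'role 1 as string'      => [['authorization' => '1'], 'Pages/Manage'],
    'role 2'                => [['authorization' => 2], 'Pages/Manage'],
    'anonymous'             => [null, 'Pages/Manage'],
    'role 2, nested prefix' => [['authorization' => 2], 'Pages/Manage/Reports'],
    'anonymous, no prefix'  => [null, null],
];

foreach ($cases as $label => [$data, $prefix]) {
    printf(
        "%-24s posted=%-6s strict=%s\n",
        $label,
        var_export(postedCheck($data, $prefix), true),
        var_export(strictCheck($data, $prefix), true)
    );
}
```

Run it with the php command line binary; rows where the two columns differ are requests that the exact-match check allows and the stricter variant does not.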