Cake 4 authentication and authorization?


I saw this:

Update Authentication for 4.x
Update Authorization for 4.x

I am focusing on getting the code cleaned up so that when cake 4 is out, I will have very few things to fix. Example ->request->data has been changed to request->getData() and stuff.

I understand 4x will be more of a ‘structured approach’… Is there going to be a different set of authentication and authorization? Like the good’ol aros_acos thing… in other words, is there going be an architectural change?

Have you looked at the new plugins?

1 Like

Authorization is for branch 3.x.

Can you help by throwing some light on this?

I am curious why experienced developers don’t write their own RBAC.

If I had to change an app from laravel to cakephp, or yii2, or vice versa, I could do it in a short amount of time by not being framework specific when it comes to:

  • CSRF
  • RBAC
  • Pagination

Yes there would be tweaks, but not major.

But that’s just me, I usually prefer more the php way rather that framework specific ways.

I can understanding someone new at first using all the built in stuff.

Even assets, I try to make it the same no matter the framework, i.e.,

<link href="<?php echo Resource::asset('css/dogs/style.css'); ?>" rel="stylesheet">

A helper I can use no matter the framework. Of course if cake is all you use, I can see sticking to cake techniques only.

I’m not sure if there is anything Cake specific in the authorization and authentication middleware plugins. My understanding is that the goal is to make them framework-agnostic, but they might not be there yet.

Also, v4 is largely just a house-cleaning on v3, eliminating all the stuff that’s been deprecated over the years. Presumably, the plugins aren’t using any of that, and thus I’d expect them to be at least very close to fully functional right away with v4.

If that’s the case, I will probably give them a look. But my custom rbac I have used for years, even back in my java days works pretty well.

However, I am re-vamping some stuff. I used to use separate login tables. Example, if an admin also has role of bookkeeper, they would have separate logins.

Now I am doing the one table, multi role thing.

Small apps it’s fine, but usually a large hospital as example will have totally separate sections (areas) for Doctors and another for patients.

But I am having a look at the above.

There was Cake way of ACL through ACOs and AROs in 1 and 2.
Laravel 5’s ACL is a cake walk… @can in views with Gate
Authorization can be extended to create RBAC. Never thought about it before…

Maybe I will just see what I can do this weekend! :smiley:

Suggest a name which may attract other contributors for RBAC.

I meant just roll your own in the app. But of course each developer can choose to use a “pre packaged” solution, or just write their own.

The thing is, once you “roll your own” you now have rbac that is going to work in any framework, and java. Just a language change, php to c# for example.

Years ago, these “extras” you had to write yourself.

Take pagination, java, servlets, ejb did not come with “out of box” pagination. But yet I was able to paginate by writing pagination code.

I now have a paginator that works in any language, java,, php, etc.

So just saying, developers roll some of your own stuff, later you will have a flexible tool.

If for no other reason, to learn and get better at these things. But choice is yours.