Cakedc/auth: owner permission not working


Everything is working fine, I can change the permissions. Only the owner rule is not working.

The permissions:

return [
    'Users.SimpleRbac.permissions' => [
        //admin role allowed to all the things
        [
            'role' => 'admin',
            'prefix' => '*',
            'extension' => '*',
            'plugin' => '*',
            'controller' => '*',
            'action' => '*',
        ],
        //specific actions allowed for the all roles in Users plugin
        [
            'role' => '*',
            'plugin' => 'CakeDC/Users',
            'controller' => 'Users',
            'action' => ['profile', 'logout', 'linkSocial', 'callbackLinkSocial'],
        ],
        //all roles allowed to Pages/display
        [
            'role' => '*',
            //'plugin' => null,
            'controller' => 'Pages',
            'action' => 'display',
        ],
        [
            'role' => 'user',
            'controller' => 'Users',
            'action' => ['view'],
        ],
        [
            'role' => 'user',
            'controller' => 'Articles',
            'action' => ['index', 'add'],
        ],
        [
            'role' => 'user',
            'controller' => 'Articles',
            'action' => ['edit', 'delete'],
            'allowed' => new \CakeDC\Auth\Rbac\Rules\Owner([
                'ownerForeignKey' => 'user_id',
            ]), //will pick by default the post id from the first pass param
        ],
    ],
];


Is there something I'm doing wrong?

This is a guess, but maybe the table name? eg …

'allowed' => new Owner([
    'table' => 'UsersLocations',
    'id' => 'location_id',
    'ownerForeignKey' => 'user_id',
]),

@hakim: thank you for the response.
Unfortunately nothing is working. If I don’t get a solution or find a good tutorial I have to look for another plugin.

I came across similar issues. I removed the plugin and started from the beginning again, following the documentation and it worked (during development I must have messed up the config somewhere).

Ok, I know you might have checked this already, but does Articles have a relation (belongsTo) with Users, does it have a user_id column in the Articles table?

@jmebis please post your associations for the ArticlesTable, also your database schema. Check the query generated (in debugKit) to check the Owner permissions by the plugin, and also ensure the logged in user has role=user.

The 'ownerForeignKey' => 'user_id', is the default configuration, you can remove it.

As suggested, you are missing the table configuration if the reference table is not Articles, for example:

'table' => 'SomeOtherTable',

With the default configuration, the Owner rule will check

  • The Articles table has a user_id column
  • The value of user_id matches with the logged in user
  • The article you are checking is passed as a param to the action, for example, /articles/edit/7
    • In this case the rule will get the article with id=7 and check that its user_id matches the logged in user id

Here’s some more detail about config used for the Owner rule:

The article you are checking is passed as a param to the action, for example, /articles/edit/7

I followed the tutorial on and they are using slug.
So the edit url is like this: /articles/edit/slug

I’m now trying to avoid using a slug.

Jep, that was the stupid but annoying problem.

Thank you for your time!
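
The ownership check discussed in this thread, adapted for a slug in the URL, as an added example (not code from the thread or from the CakeDC plugin). It assumes the Articles table has `slug` and `user_id` columns, that the slug is the first passed parameter as in /articles/edit/slug, and that the `allowed` key accepts a callable receiving the user, the role and the request; `$articleOwnedBySlug` is a hypothetical name.

```php
<?php
// Added example, not from the thread or the plugin. Assumptions: Articles has
// `slug` and `user_id` columns, and the slug is the first pass param.
use Cake\ORM\TableRegistry;

// Hypothetical helper: true only if the article named by the slug in the URL
// belongs to the logged-in user. Every unexpected input denies access.
$articleOwnedBySlug = function ($user, $role, $request) {
    $slug = $request->getParam('pass.0');
    $userId = $user['id'] ?? null;
    if (!is_string($slug) || $slug === '' || $userId === null) {
        return false;
    }

    // One query that matches on both the slug and the owner, so asking for
    // another user's article simply finds no row and is denied.
    return TableRegistry::getTableLocator()
        ->get('Articles')
        ->exists(['slug' => $slug, 'user_id' => $userId]);
};

return [
    'Users.SimpleRbac.permissions' => [
        [
            'role' => 'user',
            'controller' => 'Articles',
            'action' => ['edit', 'delete'],
            'allowed' => $articleOwnedBySlug,
        ],
    ],
];
```

The rule is only as strong as the controller's own lookup: the edit and delete actions must load the article by the same slug, and the slug column should be unique so the row that was checked is the row that gets changed.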