Cakephp 4.4.15 User Permissions from database table dynamic way

Hi! Please help me. I am creating an admin panel where the admin can set the permissions for their users. The Super Admin has all rights and can create a new role like Kitchen Manager, and the Kitchen Manager can edit, add and view price and sale, and add new Kitchen Items… On the other hand, there is a Waiter who has just add and view permission. All of this is done by the Super Admin, who can assign roles and permissions and can even create a new Admin with a different email and password. Please help me with how I can implement this system in my code with CakePHP 4.4.15. I have already done login and registration with the Authentication and Authorization… plugin. I have also defined roles with the CakephpDC auth plugin, but those are all static roles and there is no permission… it only validates some actions, but I want to keep it all dynamic from the database side, where the Admin can create new Roles and Permissions.

I have done something similar without plugins. Here is what I did (which I think has been discussed before, as this is a common feature):

  1. Create a database table called UserAccess, linked to Users. This will control which user has access to view, create, edit (in my example here, there is no delete feature as it is only kept for Admin) for each Kitchen-price, Kitchen-items, etc. Data is stored as (single digit) integer. I use unix access (e.g. 7 for full access).

  2. Link it in the Model code.

```php
// In Model/Table/UsersTable.php (inside initialize())
$this->hasOne('UserAccess', [
    'className' => 'UserAccesses',
    'propertyName' => 'UserAccess',
    'foreignKey' => 'user_id',
]);

// In Model/Table/UserAccessesTable.php (inside initialize())
$this->belongsTo('Users', [
    'foreignKey' => 'user_id',
]);
```

  3. Create a simple form with check-boxes to select view/create/edit access.
  4. Create a virtual field, so one can easily check it in the Entity. Example: $userEntity->UserAccess->access_recipients_can_view, which will return true/false.

```php
// In Model/Entity/UserAccess.php
protected $_virtual = [
    'access_recipients_can_view', 'access_recipients_can_create', 'access_recipients_can_edit',
];

// Do your own logic here
protected function _getAccessRecipientsCanView(): bool
{
    return false; // todo: placeholder, replace with your own logic
}

protected function _getAccessRecipientsCanCreate(): bool
{
    return false; // todo: placeholder, replace with your own logic
}

protected function _getAccessRecipientsCanEdit(): bool
{
    return false; // todo: placeholder, replace with your own logic
}
```

  5. Update the Policy. This is important, as it controls whether users can view it.

```php
// Example, in Policy/RecipientPolicy.php
// before() is only called when the policy implements Authorization\Policy\BeforePolicyInterface.

// Admin will always have full access, thus return true all the time
public function before($user, $resource, $action)
{
    $isAdmin = false; // todo: set this from your own admin check
    if ($isAdmin) {
        return true;
    }

    // return null, so cake will continue processing it by calling the functions below.
    return null;
}

public function canView(IdentityInterface $user, Recipient $recipient)
{
    /** @var \App\Model\Entity\UserAccess $userAccessEntity */
    $userAccessEntity = $user->UserAccess;

    return $userAccessEntity->access_recipients_can_view;
}
```
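
The unix-style access digit and the admin short-circuit described in the answer above, as an added example that is not part of any post in this thread or of CakePHP itself: plain PHP that decodes the stored digit into view/create/edit and denies when the row is missing or the value is out of range. The bit layout (4 = view, 2 = edit, 1 = create), the `access_recipients` column and the `is_admin` flag are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not the poster's code. Assumed bit layout for the
// single stored digit: 4 = view, 2 = edit, 1 = create (7 = full access).
const ACCESS_VIEW = 4;
const ACCESS_EDIT = 2;
const ACCESS_CREATE = 1;

/** Decode one stored access digit; anything outside 0..7 grants nothing. */
function accessAllows(?int $stored, int $flag): bool
{
    if ($stored === null || $stored < 0 || $stored > 7) {
        return false; // missing row or corrupt value: deny
    }
    return ($stored & $flag) === $flag;
}

/**
 * Same decision order as the policy in the post: the admin check first
 * (before() returning true), then the per-user access digit.
 * $user is a constructed array standing in for the identity; the
 * 'is_admin' key and 'access_recipients' column are hypothetical names.
 */
function canAccessRecipients(array $user, int $flag): bool
{
    if (($user['is_admin'] ?? false) === true) {
        return true;
    }
    $digit = $user['UserAccess']['access_recipients'] ?? null;
    return accessAllows(is_int($digit) ? $digit : null, $flag);
}

// Constructed sample users.
$users = [
    'admin'   => ['is_admin' => true],
    'manager' => ['UserAccess' => ['access_recipients' => 7]],
    'waiter'  => ['UserAccess' => ['access_recipients' => 5]], // view + create
    'no_row'  => [],                                           // no UserAccess row
    'corrupt' => ['UserAccess' => ['access_recipients' => 15]],
];

foreach ($users as $name => $user) {
    printf("%-8s view=%s create=%s edit=%s\n", $name,
        var_export(canAccessRecipients($user, ACCESS_VIEW), true),
        var_export(canAccessRecipients($user, ACCESS_CREATE), true),
        var_export(canAccessRecipients($user, ACCESS_EDIT), true));
}
```

In a real policy the same decode would sit behind the entity's virtual getters, so a user without a UserAccess row is refused rather than causing a null-property error.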


Hi @yousuo, thanks buddy for sharing your valuable code with us, and @lish who posted this query. I was also asking this question and posted it on my account but didn't get any response yet, and now I have found this post. @yousuo I am using the RBAC CAKEPHPDC AUTH plugin, but this is static role-based permissions, let me show you:

I created this but it's not dynamic roles and permissions. As @lish mentioned above, the admin can add a new role and assign permissions for different roles, so it's not going to work with this code; only static roles work fine. I hope your code works fine and fulfills my requirements. Once again thanks @yousuo, I will tell you later whether your advice works or not :laughing::laughing::laughing:

@yousuo what is the Policy for? I mean, all permissions are in the userAccess table and we set fields in the userAccess Entity function _getAccessRecipientsCanView(): bool, but your policy name is RecipientPolicy.php, so how does it validate the user request? Can you provide me detailed code? After login, how can we validate a User to view or edit something? This RecipientPolicy only works with RecipientController, so please tell me which policy I should generate: a UserAccess Policy or a Users Policy?

I think you missed the Policy and Authorization docs. I suggest you read through them, then you will find it very easy to implement what you want. Just keep in mind that the Policy controls the access the user has, and you really need it.

Keep in mind that the Policy is used by Cake to control who has access to the page (action).

Example : When a user tries to enter, the function RecipientPolicy.php -> canViewSingleRecipient() will be called to check whether it returns true or false (true meaning user has access). If false, it should throw an error message/page.

The _getAccessRecipientsCanView() is only a virtual field to make things easy (for me). You do not need to have this virtual field.

Can you please share this code on GitHub @yousuo? Actually I am totally frustrated from reading the CakePHP documentation; I have read about policies many times but I cannot fully understand them: policies with Entity… table etc…
I just simply need user permissions; the rest is already in my application, so please give me the GitHub link where you put this code. It would be a really great help if you provide it.

@yousuo I am still here and not getting anywhere. I tried many times to change it but I could not succeed in this task. I installed the ACL plugin and followed the instructions, and I even read many articles, but found no good result… I set the group and group_id in the user table, and after running the CLI commands I opened post/view/1, and the post/view/1 page opened even though I gave the user only index, not view, permission; the user can easily access this URL. Please help me, what do I do now?

Please try out the suggestions I have first. I do not use the ACL plugin and don’t know much about it, because these items are easier custom-made to fit each individual project.

Yes, I tried it @yousuo, but I cannot understand how you implement this in the policy. I did the same thing as your code but it does not work… CakePHP throws an error: Policy not defined for UsersTable.

I have done it @yousuo. I just check at the action level, not the controller level, but I am trying to validate permissions for both the controller and the action of the request.

You need to set up the Policy and Authorization first, before you can implement my example.

That error message about no Policy found in UsersTable is because no setup was done. If you follow the setup docs, the file Policy/UserPolicy.php would have been created.

Great!! Can you please explain how it works? I need it bro @shaan007