CMS Tutorial: Authorization help

Followed the Cake 5 CMS Tutorial through. Everything worked fine, until authorization, when I got this error when trying to edit or delete (they work with skipAuthorization):

Identity is not authorized to perform edit on App\Model\Entity\Article.

Authorization\Exception\ForbiddenException

Could this be caused by using Auto-Tables?

Some of the Table objects in your application were created by instantiating “Cake\ORM\Table” instead of any other specific subclass.

You can check your policy code for that. CakePHP 5 will automatically add the authorization check in your controller; you need to bake the policy to modify it.

```php
<?php
namespace App\Policy;

use App\Model\Entity\Article;
use Authorization\IdentityInterface;

class ArticlePolicy
{
    public function canEdit(IdentityInterface $user, Article $article)
    {
        // Logged-in users can edit their own articles.
        return $this->isAuthor($user, $article);
    }

    // Helper used by canEdit(); compares the article's owner with the logged-in identity
    // (this is the isAuthor() method from the CMS tutorial's ArticlePolicy).
    protected function isAuthor(IdentityInterface $user, Article $article)
    {
        return $article->user_id === $user->getIdentifier();
    }
}
```

This will be the code that runs in your edit function.

Thanks. I followed the tutorial and ArticlePolicy.php is already in place. I used bake to create the skeleton file, then filled it in from the tutorial, which includes what you mentioned.


Is the identity that you are logged in as the author of the article in question? If not, this is precisely the behaviour you’d expect to see.

Thanks. Yes, that was it. I thought I had created the articles I was trying to edit with the user I’d created, but I guess they were all done before installing authentication and authorization.

But why is it going to the error message and not to login?

Sounds like you are already logged in, just not as the “right” user. So why would it send you to the login page?

You’re right, if I’m logged in, it should alert me, not go to an error.

If you want to add a flash message and redirect to the home page, for example, instead of generating an error page, I believe you’re looking for the unauthorized handler.
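Added example (not code from the thread or from the CakePHP tutorial): one way to get a flash message plus a redirect instead of the ForbiddenException error page is a custom unauthorized handler that extends the Authorization plugin's RedirectHandler, registered via the `unauthorizedHandler` option of AuthorizationMiddleware. The class name `FlashRedirectHandler`, the message text and the redirect URL `/` are my own choices; the `getFlash()` call assumes the request is CakePHP's own ServerRequest, which it is when this middleware runs inside a Cake app.

```php
<?php
declare(strict_types=1);

// src/Middleware/UnauthorizedHandler/FlashRedirectHandler.php (hypothetical file)
namespace App\Middleware\UnauthorizedHandler;

use Authorization\Exception\Exception;
use Authorization\Middleware\UnauthorizedHandler\RedirectHandler;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

/**
 * Behaves like the plugin's RedirectHandler (redirects only for the exception
 * classes listed in the `exceptions` option, rethrows anything else) and
 * additionally stores a flash message so the user sees why they were redirected.
 */
class FlashRedirectHandler extends RedirectHandler
{
    public function handle(
        Exception $exception,
        ServerRequestInterface $request,
        array $options = []
    ): ResponseInterface {
        // Parent decides whether this exception is handled and builds the redirect
        // response to $options['url'] (with the optional redirectUrl query param).
        $response = parent::handle($exception, $request, $options);

        // Cake\Http\ServerRequest exposes the session-backed FlashMessage API;
        // guard the call so a plain PSR-7 request does not fatal.
        if (method_exists($request, 'getFlash')) {
            $request->getFlash()->error('You are not authorized to do that.');
        }

        return $response;
    }
}

/*
 * Registration in src/Application.php, inside middleware(), replacing the
 * plain `new AuthorizationMiddleware($this)` line from the tutorial.
 * The short class name is resolved to App\Middleware\UnauthorizedHandler\FlashRedirectHandler
 * (the plugin appends the "Handler" suffix); the fully qualified name works as well.
 *
 *   use Authorization\Exception\ForbiddenException;
 *   use Authorization\Exception\MissingIdentityException;
 *   use Authorization\Middleware\AuthorizationMiddleware;
 *
 *   $middlewareQueue->add(new AuthorizationMiddleware($this, [
 *       'unauthorizedHandler' => [
 *           'className' => 'FlashRedirect',
 *           'url' => '/',
 *           'queryParam' => 'redirectUrl',
 *           'exceptions' => [
 *               MissingIdentityException::class,
 *               ForbiddenException::class,
 *           ],
 *       ],
 *   ]));
 */
```

Listing ForbiddenException in `exceptions` is what changes the behaviour described above: without it the handler rethrows the exception and you are back at the error page, and only a missing identity (not logged in at all) is turned into a redirect. The flash message is rendered by the `<?= $this->Flash->render() ?>` call already present in the default layout.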

Yes. Thanks. What I expected from the CMS tutorial was a complete, if barebones, app. Unless I missed something, triggering a raw error page makes this incomplete. This is important to me because it’s my own (perhaps peculiar) way of learning to use frameworks, by starting with a complete basic app.

Many people would consider it perfectly fine to generate an error page when someone takes an invalid action.

Yes, unauthorized handler. A flash message is now working for unauthorized edits and deletes.

My only point is, the CMS tutorial would have felt more complete with that information included directly in the Authorization section.

Thanks for your patience. I’ve noticed in recent months, maybe the last couple of years, my increasing, perhaps “unreasonable”, impatience with all manner of software instructions and advisories. The layers of detail to navigate seem to have increased past some tipping point for me, while the end results seem to stay about the same. Frustrating. 🙂