ControllerAuthorize in Authorization plugin

I’m working on migrating my CakePHP app from using the AuthComponent to the authorization and authentication plugins, but I’m having trouble implementing the behavior I had before.

In my application, I had made a custom class called PermissionAuthorize that extended the core ControllerAuthorize. Many of my controllers had actions like index or view that didn’t need permissions checking, since they’re public to all users. Each controller had code like this:

public function isAuthorized($user)
	switch ($this->request->getParam('action')) {
		case 'index':
		case 'view':
			return true;

In my PermissionAuthorize adapter, the following would happen:

// Check if the controller allows the action
if ((bool) $this->_Controller->isAuthorized($user) === true) {
	return true; // Always allowed

// Check user's permissions for this controller/action...

The app permissions are just a simple combination of controller/action and are assigned to users through roles.

I did this so there wasn’t an extra database query or the need to add permissions for things like index/view on models that didn’t need to be locked down. These aren’t public actions either, they’re for authenticated users only.

I seem to have Authentication working with the new plugin, but I can’t figure out how to do work this in with Authorization. I believe I’m on the right track using the Request Authorization Middleware, and I have a RequestPolicy like so:

public function canAccess($identity, ServerRequest $request)
	// Should be skipped if controller calls skipAuthorization?

	// Check user's permission for the controller/action

My issue now is that I could validate the user’s permissions here, but this policy is not skipped if the controller calls $this->Authorization->skipAuthorization() in the initialize() method.

If anybody has any suggestions, I would greatly appreciate it! Thanks!

I migrated from AuthComponent to the new middleware recently. Authorization beyond logged-in was configured with

$this->Auth->config('authorize', ['Controller']);

and performed in AppController:isAuthorized(array $user) with a custom permission implementation which sounds similar to yours.

After migrating to the middleware I only use Authentication but not Authorization. After I do the authentication in a component’s initialize() I just call the isAuthorized() manually now and throw an error if it fails 1. Everything regarding authorization stays the same and works as before.

Thanks for the suggestion! I’m thinking of doing the something similar. If I have to use the core AuthComponent though, I’d just keep everything the way it is instead of migrating to these new plugins.

Hopefully one of the core devs can weigh in on this scenario. I’d like to upgrade to 4.0 without any issues when it’s stable.