Question about Authorisation

bgrinter · January 30, 2022, 7:36am

Have a question about authorisation - not so much how it works but different practises

Reading the Cookbook and the Tutorial - it describe that you would have policy such as

    public function canEdit(IdentityInterface $user, Article $article)
    {
        // logged in users can edit their own articles.
        return $this->isAuthor($user, $article);
    }

and then in the controller I would have

public function edit($slug)
{
    $article = $this->Articles
        ->findBySlug($slug)
        ->contain('Tags') // load associated Tags
        ->firstOrFail();
    $this->Authorization->authorize($article);
    // Rest of the method.
}

This would use the policy with the current controller name. Alternatively I could use an operation name eg;

$this->Authorization->authorize($article, 'update');

Now all actions in my add are really based on the access level of a user;

Viewer - Can only view records
Editor - Can edit some records
Super Editor - Can edit most records (cape optional )
Admin - Can do anything

Because I have a lot of models and actions, I’m thinking I’d be best of with policies around the the user level, eg

$this->Authorization->authorize($member, 'super_editor');

This might make is simpler - I only need as many policies as I have access levels and should one need to change, it’s changed in the controller and not digging in to the policies.

Is there anything I’m missing / not considering? What have others done for large applications?

KevinPfeifer · January 30, 2022, 9:41am

What you are looking for is a Role Based Access Control (RBAC) which is not pre-configured in the base authentication and authorization plugin. They are more meant for a very fundamantal base to build your own authentication and authorization system (aka you would have to build it yourself).

I would recommend you look into GitHub - CakeDC/users: Users Plugin for CakePHP and use its config/permissions.php to determine which roles can do which actions on which controller.

bgrinter · January 30, 2022, 10:07am

Thanks Kevin

I’d briefly looked at the users plugin but assumed with it’s social media tie-ins, registration and so on that it mightn’t be appropriate for our needs (basically a not-for-profit management system) or overkill, but I see that I can actually turn all that stuff on and off as needed.

I will give it a better look!

Regards,
Brian

KevinPfeifer · January 30, 2022, 11:05am

Indeed you can turn off basically all the social auth functionality and just use the basic login/register logic with pre-configured “Remember me” Cookie and the RBAC.
You will definitely be faster doing that rather than programming all that functionality from the ground up.

Topic		Replies	Views
Authentication and Authorization plugin Need Help	12	360	November 17, 2023
Role based Authorization help Need Help help	4	536	October 12, 2022
Authorization or authentication Plugins	7	809	July 14, 2021
Cake4: Authorisation for namespaces/prefixes and userroles Need Help	4	605	May 7, 2021
Question about authorisation and policies Need Help	1	344	November 28, 2021

Question about Authorisation

Releases

Documentation

Community

Question about Authorisation

Related topics

Releases

Documentation

Community