Question about Authorisation

Have a question about authorisation - not so much how it works but different practices

Reading the Cookbook and the Tutorial - it describes that you would have a policy such as

    public function canEdit(IdentityInterface $user, Article $article)
    {
        // logged in users can edit their own articles.
        return $this->isAuthor($user, $article);
    }

and then in the controller I would have

    public function edit($slug)
    {
        $article = $this->Articles
            ->findBySlug($slug)
            ->contain('Tags') // load associated Tags
            ->firstOrFail();
        $this->Authorization->authorize($article);
        // Rest of the method.
    }

This would use the policy with the current controller name. Alternatively I could use an operation name eg;

    $this->Authorization->authorize($article, 'update');

Now all actions in my app are really based on the access level of a user;

  • Viewer - Can only view records
  • Editor - Can edit some records
  • Super Editor - Can edit most records (cape optional :wink: )
  • Admin - Can do anything

Because I have a lot of models and actions, I’m thinking I’d be best off with policies around the user level, eg

    $this->Authorization->authorize($member, 'super_editor');

This might make it simpler - I only need as many policies as I have access levels and should one need to change, it’s changed in the controller and not digging in to the policies.

Is there anything I’m missing / not considering? What have others done for large applications?

What you are looking for is a Role Based Access Control (RBAC) which is not pre-configured in the base authentication and authorization plugin. They are more meant for a very fundamental base to build your own authentication and authorization system (aka you would have to build it yourself).

I would recommend you look into GitHub - CakeDC/users: Users Plugin for CakePHP and use its config/permissions.php to determine which roles can do which actions on which controller.


Thanks Kevin

I’d briefly looked at the users plugin but assumed with its social media tie-ins, registration and so on that it mightn’t be appropriate for our needs (basically a not-for-profit management system) or overkill, but I see that I can actually turn all that stuff on and off as needed.

I will give it a better look!

Regards,
Brian

Indeed you can turn off basically all the social auth functionality and just use the basic login/register logic with pre-configured “Remember me” Cookie and the RBAC.
You will definitely be faster doing that rather than programming all that functionality from the ground up.
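
The role-based check discussed in this thread, written out as an added example (not part of any post, and not the CakeDC/users permissions format): a deny-by-default rule table keyed on controller and action, with an ownership condition for the lower editing role. The role ranks, the rule keys and the `isAllowed()` helper are hypothetical, and the sample users are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical ranks for the four access levels named in the question.
const ROLE_RANK = ['viewer' => 1, 'editor' => 2, 'super_editor' => 3, 'admin' => 4];

// Hypothetical rule table; '*' matches anything and the first matching rule decides.
// 'owner_only_below' means roles under that level may act only on their own records.
const RULES = [
    ['controller' => '*',        'action' => 'view',   'min_role' => 'viewer'],
    ['controller' => 'Articles', 'action' => 'edit',   'min_role' => 'editor',
        'owner_only_below' => 'super_editor'],
    ['controller' => 'Articles', 'action' => 'delete', 'min_role' => 'super_editor'],
    ['controller' => '*',        'action' => '*',      'min_role' => 'admin'],
];

function isAllowed(array $user, string $controller, string $action, ?int $ownerId = null): bool
{
    $rank = ROLE_RANK[$user['role']] ?? 0; // unknown role ranks below every rule
    foreach (RULES as $rule) {
        if (!in_array($rule['controller'], ['*', $controller], true)
            || !in_array($rule['action'], ['*', $action], true)) {
            continue;
        }
        if ($rank < ROLE_RANK[$rule['min_role']]) {
            return false;
        }
        $ownerFloor = $rule['owner_only_below'] ?? null;
        if ($ownerFloor !== null && $rank < ROLE_RANK[$ownerFloor]) {
            // Role alone is not enough here: the record must belong to the user.
            return $ownerId !== null && $ownerId === $user['id'];
        }
        return true;
    }
    return false; // no rule matched: deny by default
}

// Constructed sample users and checks (not from the thread).
$editor = ['id' => 7, 'role' => 'editor'];
$super  = ['id' => 8, 'role' => 'super_editor'];
$checks = [
    'editor edits own article'     => isAllowed($editor, 'Articles', 'edit', 7),
    'editor edits other article'   => isAllowed($editor, 'Articles', 'edit', 9),
    'super editor edits any'       => isAllowed($super, 'Articles', 'edit', 9),
    'editor deletes article'       => isAllowed($editor, 'Articles', 'delete', 7),
    'unknown role views article'   => isAllowed(['id' => 1, 'role' => 'guest'], 'Articles', 'view'),
];
foreach ($checks as $label => $ok) {
    printf("%-28s %s\n", $label, $ok ? 'allow' : 'deny');
}
```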