Skip authorization for unauthenticated pages


I’m implementing role-based authorization, as outlined on this page: Request Authorization Middleware - 2.x

There are various pages that do not require authentication - login, logout, home page, etc. I’d like to configure the authorization middleware so that any page that does not require authentication is automatically authorized. Something like this:

use Authorization\Policy\RequestPolicyInterface;
use Cake\Http\ServerRequest;

class RequestPolicy implements RequestPolicyInterface
{
    public function canAccess($identity, ServerRequest $request)
    {
        // Any page that does not require authn automatically does not require authz
        if ( XXX ) {
            return true;
        }

        // ... other role-based checking goes here ...

        return false;
    }
}
Basically XXX returns true if the $request does not require authentication. I’m trying to figure out the best way to implement XXX.

One thought I had was to call the Authorization service to see if $request requires authorization. But (a) I haven’t found a way to access the authorization service outside the Controller classes, and (b) I don’t see a method there that does what I want.

Another thought was to create a service that tracks pages that do not require authorization, and to call that service from within RequestPolicy.

Any suggestions would be appreciated.

Jim Hyslop
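An added example (not Jim’s code and not part of the authorization plugin) of the second approach: the policy holds a map of pages that need no login and short-circuits on those before the role check. The controller/action names, the role field on the user record and both maps are constructed assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Policy;

use Authorization\Policy\RequestPolicyInterface;
use Cake\Http\ServerRequest;

class RequestPolicy implements RequestPolicyInterface
{
    // Pages that need no login (constructed sample data). In a real app this
    // map would live in config or a shared service so the same list also feeds
    // addUnauthenticatedActions() in the controllers: one source of truth.
    private const PUBLIC_PAGES = [
        'Pages' => ['display'],
        'Users' => ['login', 'logout'],
    ];

    // Role rules (constructed sample data): 'Controller' => ['action' => [roles]].
    // The key '*' matches any action of that controller.
    private const ROLE_RULES = [
        'Articles' => ['index' => ['author', 'admin'], 'delete' => ['admin']],
        'Admin' => ['*' => ['admin']],
    ];

    public function canAccess($identity, ServerRequest $request)
    {
        $controller = (string)$request->getParam('controller');
        $action = (string)$request->getParam('action');

        // No authentication required => no authorization required.
        if (in_array($action, self::PUBLIC_PAGES[$controller] ?? [], true)) {
            return true;
        }

        // Everything else needs an identified user; deny anonymous requests.
        if ($identity === null) {
            return false;
        }

        // Assumption: the identity wraps a user record exposing a 'role' field
        // through ArrayAccess (a Cake entity does).
        $role = $identity->getOriginalData()['role'] ?? null;
        $rules = self::ROLE_RULES[$controller] ?? [];
        $allowed = $rules[$action] ?? $rules['*'] ?? [];

        // Default deny: unknown controller/action or unlisted role is refused.
        return in_array($role, $allowed, true);
    }
}
```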

Please don’t mix up authentication and authorization.

Authentication => I know who you are
Authorization => Now I know who you are: are you allowed to do X

The middleware you are mentioning is an Authorization Middleware, therefore it can be used to allow or deny certain requests for (already identified) users.

If you want to allow certain pages to be accessed without being identified (no login) then check the $this->Authentication->addUnauthenticatedActions(['login']); part here: Blog Tutorial - Authentication - 4.x

And since you are also using the Authorization Plugin you will also need the $this->Authorization->skipAuthorization(); method mentioned here: CMS Tutorial - Authorization - 4.x

Thanks, I am aware of the difference between authorization and authentication, and I’ve read through both of the articles you linked to.

The reason I’m doing this is that remembering to call two functions (one for authorization and one for authentication) is brittle and error-prone. It makes no sense to require authorization if a page does not require authentication. In other words, skipAuthentication and addUnauthenticatedActions both imply skipAuthorization. I want to write code that expresses that implication.

If I can determine that a page does not require authentication, I can short-circuit the rest of the function and return true.


On a tangential topic, rather than re-invent the wheel, is anyone aware of a decent role-based authorization framework I can use to implement the policy? Or suggestions on how to implement it? I have a few ideas, but my expertise is in C++ and Java, so my approaches may not be best suited for PHP.


I can understand what you mean and I don’t have a solution for that right now.

About the role-based authorization framework: cakedc/users is basically a plugin which is based upon cakephp/authentication + cakephp/authorization, which has RBAC already implemented and a whole lot more tools like View-Helpers.

Maybe you can either copy code from there or use it as a base.