I have created a CakePHP app where I have created a UsersController, which handles all about users.
When I try to browse www.mydomain.com, if I am logged in, it let's me see the index (app/View/Pages/home.ctp). Else, it redirects me to mydomain.com/users/login and persists to log in.
I have tried looking at AppController.php, PagesController.php or app/Config/core.php and app/Config/routes.php, but did not find anything. My UsersController.php, also, is not responsible for that, I think.
I do not remember and I cannot find how to disable this. Which file should be responsible for that?
EDIT:my CakePHP version is 2.3.
Generally you can make specific actions public using the auth components allow() method.
Making pages public may require a little more work in case you'd want to make only specific pages public, since the PagesController handles all pages in a single action (display()). If that is the case, then you could utilize request->params['pass'][0] which will hold the page name, test this against a list of allowed pages, and then allow the display action using Auth::allow.
Example, in the PagesController:
public function beforeFilter()
{
parent::beforeFilter();
$allowedPages = array('home', 'foo', 'bar');
if(isset($this->request->params['pass'][0]) &&
in_array($this->request->params['pass'][0], $allowedPages))
{
$this->Auth->allow('display');
}
}
This would allow the pages home, foo and bar to be viewed without being logged in.
If you'd wanted to make all pages public, then you could simply use Auth::allow without any conditions, ie:
public function beforeFilter()
{
parent::beforeFilter();
$this->Auth->allow('display');
}
Related
I'm running Kohana 3, and having a hard time understanding the Auth module, or even if it's what I need. Basically I want to create a basic user profile site with basic username/password protection.
How do I take my existing controllers...
class Controller_Profile extends Controller
{
function action_index( $user_id )
{
// User should already be authenticated by here I think
}
}
...and use them with some sort of authentication system
For Kohana 3 you'll want to do your check in before and not __construct like JIStone suggests.
public function before()
{
parent::before();
// This automatically checks for an auto login cookie (thanks kemo).
if ( ! Auth::instance()->logged_in())
{
// Redirect to a login page (or somewhere else).
$this->request->redirect('');
}
}
Simple enough to understand. You can put this into a controller and have all the controllers that need authentication to extend that.
If you will be requiring a user to be registered for all pages on the controller you can put a check in your __construct() statement:
function __construct()
{
//Check roles for Access!!!!
parent::__construct();
$this->load_user();
if( ! $this->is_registered )
{
if(request::is_ajax())
die('This ajax call cannot be completed due to permission issues.');
// this will redirect from the login page back to this page
$this->session->set('requested_url', url::current());
url::redirect('user/login');
}
}
This is the code we use, but it is Kohana 2, not 3, so you will need to adjust a bit for your purposes.
I have provided a link to a short walkthrough for the installation and basic usage of the Auth Module in Kohana 3
Once you have your Auth process working, you can protect certain controllers by checking for a logged in user and proper authentication role in your before() method, or create a base controller for all your controllers that will need this check. If the user is not logged in, redirect them to the login page, if they do not have the proper access level (or role), then you can show them an "Access Denied" page.
I have a site using CodeIgniter that is almost complete now. My problem is that, even though I have implemented sessions and maintain a login system, a person can access any page by typing the URL into the browser address bar.
I have implemented the session for patient registration like this:
function index(){
$this->is_logged_in();
}
function log_out(){
$this->session->sess_destroy();
redirect('login_controller');
}
function is_logged_in(){
$is_logged_in = $this->session->userdata('is_logged_in');
if(!isset($is_logged_in)||$is_logged_in!= TRUE ){
redirect('login_controller');
}else{
$this->main();
}
}
Anonymous users can't acess the system just by typing the controller name like this:
http://localhost/demo_site/index.php/register_controller
But they can do it like this:
http://localhost/demo_site/index.php/register_controller/search_patient
Person can't access by typing the controller name, but can enter the system by typing a longer url than the controller, like the one shown above.
What is the problem here? What are the possible solutions??
You will have to implement a login check in the controller's constructor.
Whenever the controller is called, it should check if the user is logged in - if they are not, redirect to a login page or an error page.
To confirm if it is entering the login check put an echo and exit inside the is_logged_in() function and check if it appears in case of http://localhost/demo_site/index.php/register_controller/search_patient
You are probably doing login check in your respective modules and thus you missed for some cases.
It is better to define a set of private modules (say in an array) and do the login check in the frontcontroller itself (in one place) instead of repeatedly in module level.
Sounds like a routing problem. You need to set up your routes to make the second case illegal or at least map to the same controller as the first case. More on routing here.
I agree with tHeSiD. This code should go in the constructor. Ideally in a base class which you use to extend all admin related or restricted classes with. Normally I use an Admin_Controller base class that extends CI_Controller (2.0) or Controller (1.7.x) and then create my application controllers by extending the Admin Controller.
I am building an application using cakePHP. Do we have a method where we can allow public users access to certain pages without logging in. There would be a few pages such as about us regarding the whole organisation or a contact us page. Is there a method to avoid login access, something similar to how we have ways to add components or set layouts.
As Martin Bean says, you can use ACL. For a sophisticated site, that would be my choice. You do not have to be logged in to access the public pages. http://multiheadweighers.co.uk is an example of a site that uses ACL. There is a fully featured CMS behind the public pages.
For a simple site I would allow access to, for instance, the view action using
function beforeFilter() {
parent::beforeFilter;
$this->Auth->allow('view');
}
see: http://book.cakephp.org/view/1257/allow
It really isn't a big deal - try it and you'll see how easy it is.
EDIT:
From the book # http://book.cakephp.org/view/1550/Setting-up-permissions
Now we want to take out the references
to Auth->allowedActions in your users
and groups controllers. Then add the
following to your posts and widgets
controllers:
function beforeFilter()
{
parent::beforeFilter();
$this->Auth->allowedActions = array('index', 'view');
}
This removes the 'off switches' we put in earlier on the users and groups controllers, and gives public access on the index and view actions in posts and widgets controllers. In AppController::beforeFilter() add the following:
$this->Auth->allowedActions = array('display');
This makes the 'display' action public. This will keep our PagesController::display() public. This is important as often the default routing has this action as the home page for you application.
EDIT 2:
$user = ($this->Auth->user())?$this->Auth->user():'Anonymous';
if(!$this->Acl->check($user,"{$url}"))
$this->redirect($this->referer()); // or whatever action you want to take.
The solution would be to use the allow method in the Auth component to let the user visit those pages.
Thank you!
In CakePHP we can use $this->Auth->allow('someMethod'); to make a page viewable without having to login. How do I make some the same page is not viewable when a user is logged in? An example of this would be a register page which we want to be accessible without user logged in ... but not accessible once a user logged in.
I put $this->Auth->deny('someMethod') in isAuthorized() but it seems to me that if the method is in the allow list then isAuthorized is not called when we try to run that page.
Any input? Thank you
There are no complex rules like that built into Cake Auth. You'll have to manually check for conditions like this. It's very simple though:
// Controller
function register() {
if ($this->Auth->user()) {
$this->redirect(/* somewhere else */);
}
}
Contrary to mlevits answer, you don't need to store anything in the Session, the info is readily available from the AuthComponent itself. http://book.cakephp.org/view/387/user
There's also an example how to do it by dynamically using deny(), but that's not as clear in a simple case like this IMHO. http://book.cakephp.org/view/383/deny
Also, deny() produces an error message ("You're not authorized to access this location"), which is probably not what you want for the user experience in this case.
EDIT:
Wasn't aware that CakePHP used a different syntax.
You can then use the following to set the Session variable:
$this->Session->write('user_id', '<some_user_name>');
Then use this to redirect the user if they are logged in:
if ($this->Session->check('user_id'))
{
$this->redirect('http://google.com');
}
And then to destroy a Session use:
$this->Session->destroy()
More information about CakePHP Sessions
Thanks
You can check it in method beforeFilter in AppController to allow aplication-wide check. For example:
<?php
class AppContoller extends Controller {
var $components = array('Session', 'Auth');
function beforeFilter(){
$this->Auth->allow('register', 'home');
// Check if current action allowed to access without authorization and User has login
if(array_key_exists($this->params['action'], $this->Auth->allowedActions) && $this->Auth->user()){
$this->redirect(/* somewhere else */);
}
}
}
?>
Of course you can also implements it in some controller instead of AppController.
I am playing about with the Zend Framework at the moment and I have a written the authentication code using Zend_Auth. I am trying to find a way to ensure that the user is logged in before they can view anything but I don't want to do it on a per controller basis.
I am thinking a plugin, but all the books I have on it are pretty rubbish in this respect.
Zend_Auth::getInstance()->hasIdentity()
You can use this to determine if the user is logged in, and then use the redirector to redirect to the login page if not.
However, the easier way is to use a Redirector Zend Controller Action Helper.
A plugin is a good idea.
I answered to a similar question here:
How do i centralize code from my init functions in all controllers ?
Also check the documentation page Zend Controller Plugins
Look into Zend___Acl which can be used to define whether a user has access to certain resources. A resource can be pretty much anything, but in this context you can use the ACL to define your controllers and actions as resources. Each logged in user is then assigned a number of roles (we store them in a database). In a plugin you check the request for the Controller and Action, after routing is complete. Gather the roles of the user through the Zend_Auth and check them against the ACL. If the ACL says the user has permission to access the resource, do nothing, else you can forward/redirect to your error controller and print the error.
// Pseudo-code. You need to define the ACL and roles somehow.
class AclPlugin extends Zend_Controller_Plugin {
public function routeShutdown(Zend_Controller_Request_Abstract $request)
{
$controller = $request->getControllerName();
$action = $request->getActionName();
$roles = Zend_Auth::getInstance()->getRoles();
$acl = new MyAcl();
if($acl->hasAccess($roles, $controller, $action)) { return; }
// None of the user's roles gave her access to the requested
// controller/action, so re-write the request to the error controller
$request->setControllerName('error')
->setActionName('authorizationFailed')
->setParam('resource', array('controller' => $controller
'action' => $action));
}
}
class MyAcl extends Zend_Acl {
public function hasAccess($roles, $controller, $action) {
foreach($roles as $role) {
if($acl->isAllowed($role, $controller, $action)) {
return true; // Simplified. Here we say if one of the user roles can
// access a resource, that is good enough.
// Might want to do something a bit more complicated.
}
}
return false;
}
}
How about setting up a global controller that extends Zend_Controller_Action and then have your controllers extend from the global controller. Then your global controller puts the Zend_Auth::getInstance()->hasIdentity() in the init() or preDispatch?
I was pondering the same subject lately (ZF newbie), and thought about doing the authentication checks in the bootstrap (maybe with a list of "bypassed" controllers/actions).