I'm trying to create a RESTful api with CakePHP that will add a user when a POST request is sent to /users.json. After the user is created, the client will be redirected to the page with the JSON representation of the user. The code I have for the controller is:
class UsersController extends AppController {
public $components = array('RequestHandler');
public function view($id) {
$user = $this->User->findById($id);
$this->set(array(
'user' => $user['User'],
'_serialize' => 'user'
));
}
public function add() {
if ($this->User->save($this->data)) {
$this->redirect(array('action' => 'view', 1)); //using 1 just to test
} else {
print_r($this->User->validationErrors);
$this->set(array(
'errors' => $this->User->validationErrors,
'_serialize' => array('errors')
));
}
}
}
I have added Router::mapResources('users') and Router::parseExtensions('json') to routes.php. However, when I send a post request using Chrome's REST console plugin, I get a response of "{errors:[]}" and no new user is created. When I use curl, a user is created but I don't get a json representation of the user after. Any idea what's going on?
If you have not already done, then retry after creating app/View/user/json/index.ctp
With following content:
<?php
return json_encode(compact());
?>
Related
I worte a plugin IdentityPlugin to check login status of a user. If the user session gets logout, I want to redirect them to login page. My code is given below.
public function checkLogin($logout=true,$next='login'){
if($this->auth->hasIdentity()){
}elseif ($logout){
return $this->getController()->redirect()->toRoute($next);
}
}
in my controller
// Check identity, if not found- redirect to login
$this->IdentityPlugin()->checkLogin();
Any idea?
You're returning a response to the controller but you're not returning it from the controller itself.
For example you could try this is your controller:
$check = $this->IdentityPlugin()->checkLogin();
if ($check instanceof Response) {
return $check;
}
A more complex solution could be to stop the propagation of the controller's MvcEvent, set whatever response you want, and return directly.
Hi you need to config you plugin in factories in module.config.php and pass service manager to __construct, like below:
'controller_plugins' => array(
'factories' => array(
'CheckLogin' => function($sm){
$checkLogin = new Application\Plugin\CheckLogin($sm);
return $checkLogin;
},
),
),
Then in your plugin you will be able to call all you need using service Manager:
namespace Application\Plugin;
use Zend\Mvc\Controller\Plugin\AbstractPlugin;
class CheckLogin extends AbstractPlugin
{
public function __construct($sm)
{
$auth = $sm->getServiceLocator()->get("Zend\Authentication\AuthenticationService");
if( !$auth->hasIdentity()){
$sm->getController()->plugin('redirect')->toUrl('/login');
}
}
}
I'm currently developing a restful/stateless api in cakephp which uses tokens (at the moment) and should use rolling tokens (like suggested here from g-shearer) in the future. My current implementation works, but i'm really concerned if i've implemented everything the right way (auth components especially custom auth components seem really confusing to me)
PS: I'm using the current version of cakephp (2.5.1).
1: I've created the file TokenAuthenticate.php in Controller/Component/Auth:
<?php
App::uses('BaseAuthenticate', 'Controller/Component/Auth');
class TokenAuthenticate extends BaseAuthenticate {
public function authenticate(CakeRequest $request, CakeResponse $response) {
}
public function getUser(CakeRequest $request) {
//set values from request headers
$publictoken = $request->header('Security-Public-Token');
$accesstoken = $request->header('Security-Access-Token');
$timestamp = $request->header('Security-Timestamp');
// check if required header fields are set
if (empty($publictoken) || empty($accesstoken) || empty($timestamp)) {
return false;
}
// init required token model
$Token = ClassRegistry::init('Token');
//check if token pair exists
if ($dbtoken = $Token->findByPublic($publictoken)) {
if ($accesstoken == md5($dbtoken['Token']['private'] . $timestamp)) {
//valid token - return user
$User = ClassRegistry::init('User');
$dbuser = $User->findById($dbtoken['Token']['user_id'])['User'];
return $dbuser;
} else {
//invalid token
return false;
}
} else {
//invalid token pair
return false;
}
}
public function unauthenticated(CakeRequest $request, CakeResponse $response) {
return true;
}
}
?>
then i've added the following to my controller:
class UsersController extends AppController {
public $uses = array('User', 'Token');
public $components = array('Auth' => array('authenticate' => array('Token')));
public function beforeFilter() {
parent::beforeFilter();
AuthComponent::$sessionKey = false;
$this->Auth->autoRedirect = false;
$this->Auth->allow('login', 'register');
}
in my actions i check the status like so:
if (!$this->Auth->loggedIn()) {
$this->set(array('error' => 'INVALID_AUTHENTIFICATION'));
$this->render('view');
}
So I can set a custom error and output it without being redirected to the login action (note the unauthenticated function in my tokenauthentication file which returns true - so cakephp does not redirect you)
I think the login process should happen in the authenticate function of my TokenAuthenticate file and not in the login action of my controller, or am i wrong? What is the correct way to achieve this goal?
PS: How would it be possible to add a new token pair (to every authenticated output) automatically with cakephp so the tokens are 'rolling'?
The whole api output is json encoded if that matters
also cakephp still sets a cookie sometimes even though i disabled this (AuthComponent::$sessionKey = false;). How to stop this?
EDIT: So I've added an beforeRender() function to my userscontroller and now the tokens are rolling (Y)
//renew tokens
public function beforeRender() {
//only add tokens if logged in
if ($this->Auth->loggedIn()) {
//find old token
$oldToken = $this->Token->findByUser_id($this->Auth->user('id'));
//delete old token
$this->Token->delete($oldToken['Token']['id']);
//create new token pair
$this->Token->create();
$this->Token->save(array(
'user_id' => $this->Auth->user('id'),
'public' => Security::hash(substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!##$') , 0 , 15 )),
'private' => Security::hash(substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!##$') , 0 , 15 ))
));
//set it for the view
$this->set(array('token' => $this->Token->read()));
}
}
Is this the right way to implement something like this? I always want to do things the right and 'perfect' way so any criticsm is welcome :)
i'm currently writing a Application based on YII.
My action for index:
public function actionIndex() {
$data = array();
$data['server'] = Server::model()->findByPk(1);
$data['dataProvider'] = new CActiveDataProvider('ServerUserPermission', array('criteria' => array('condition' => 'serverID=:id', 'params' => array(':id' => 1))));
$this->render('index', $data);
}
my ajax action:
public function actionAddPermission($server) {
if(Util::checkServerPower($server, Permission::MODIFY_SERVER)) {
$perm = new ServerUserPermission;
$perm->userID = 1;
$perm->serverID = $server;
$perm->power = 10;
try {
if ($perm->save()) {
echo "OK";
} else {
echo Util::print_r($perm->getErrors());
}
} catch (Exception $e) {
echo 'Critical Error Code: ' . $e->getCode();
}
} else {
echo 'No Permissions';
}
}
My view links to the addPermission action by using a button:
echo CHtml::ajaxButton("Insert New Player", array('addPermission', 'server' => $server->serverID), array('success'=>'refresh'));
My function Util::checkServerPower(...) checks the current User of the Application. Consequence: Ajax requests in YII are handled by an Guest AuthWeb User, but i need to check whether the User is actually allowed to add permissions or not. I currently cannot think of a secured solution to protect malicious data send by other guests or not. Is it somehow possible to get the (server-side) userID of the Ajax-call?
Thanks anyway
sincerly
I would do it by using the built in access control and extending CWebUser.
It might seem lengthy but I think it's a clean solution. (We already have Yii::app()->user->isGuest and the like, so why not check all permissions here?)
1) Activate the access control filter.
(In one controller or in /components/controller.php for all your controllers at once)
public function filters()
{
return array( 'accessControl' ); // Tell Yii to use access rules for this controller
}
2) Add an access rule
In the concerned controller. (Sorry, I didn't bother with your index-action.)
public function accessRules()
{
return array(
[
'allow',
'actions'=>['AddPermission'],
'expression'=>'$user->has(Permission::MODIFY_SERVER)'
],
['deny'], // Deny everything else.
);
}
3) Extend CWebUser
// components/WebUser.php
class WebUser extends CWebUser {
public function has( $permission)
{
// Check database for permissions using Yii::app()->user->id
...
}
}
4) Configure your app to use your new WebUser instead of CWebUser
// config/main.php
'components'=>[
'user'=>[
'class' => 'WebUser',
],
],
I am trying to implement the ACL tutorial found here:
http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
I followed all the instructions, however when I try to go to [my_site]/users/add ERR_TOO_MANY_REDIRECTS error.
I found this on the Cakephp website:
This happens when for example we have an element that receives data
from a method of a controller, and the implementation of this method
requires conducting the login would create an infinite loop that
eventually will cause the browser to decline redirects
And they suggest this as the fix:
function beforeFilter () {
$ this -> Auth -> allow ( 'CONTROLLER_NAME' );
}
Which doesn't seem to work.
If I change the AppController from this:
public function beforeFilter() {
$this->Auth->allow('index', 'view', 'login', 'add');
}
to:
public function beforeFilter() {
$this->Auth->allow('*');
}
I dont get the error anymore but get redirected to [my_site]/users/login
Any suggestions as to what I am doing wrong that I can't view the User-Add page?
TIA!
UserController:
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('add');
}
Login function (UsersController):
Public function login() {
if ($this->request->is('post')) {
if ($this->Auth->login()) {
$this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash(__('Invalid username or password, try again'));
}
}
}
Auth Component Loader:
public $components = array(
'Session',
'RequestHandler',
'Auth' => array(
'loginRedirect' => array('controller' => 'projects', 'action' => 'index'),
'logoutRedirect' => array('controller' => 'pages', 'action' => 'display', 'home')
)
);
The error you are getting has nothing to do with ACL, but with the Auth component denying access to your UsersController add and login functions, to which it is trying to redirect the user. Make sure the add and login functions are public, by adding this line in your UsersController (rather than your AppController):
public function beforeFilter() {
$this->Auth->allow(array('add', 'login'));
}
The loop you are now encountering is because the add and login functions are not public and therefor the loop looks like: add -> Unauthorized -> login -> Unauthorized -> login ... and so on.
I finally managed to solve the problem with help Brian:
Do you have an requestAction() code? If so, try adding this in
AppController::beforeFilter()
if (isset($this->params['requested'])) $this->Auth->allow($this->action);
Please change your beforeFilter()'s Auth->allow('_CONTROLLER_NAME') to:
public function beforeFilter(){
$this->Auth->allow();
}
Hope that works for you!
I have basic authentication set up in a simple CakePHP 2.0 application. I first set up the application to use regular form authentication, then I added the following line to the beforeFilter() of my AppController.php to enable basic http authentication:
$this->Auth->authenticate = array('Basic');
Here's the full AppController:
<?php
class AppController extends Controller {
public $components = array(
"Session",
"Auth" => array(
'loginRedirect' => array('controller'=>'users','action'=>'index'),
'logoutRedirect' => array('controller'=>'users','action'=>'index'),
'authError' => "You are not authorized to view this page.",
'authorize' => array('Controller'),
)
);
public function isAuthorized($user) {
return true;
}
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('index','view');
$this->set('logged_in', $this->Auth->loggedIn());
$this->set('current_user',$this->Auth->user());
$this->Auth->authenticate = array('Basic');
}
}
?>
Ideally I'd like one specific controller (a controller which will expose an API for use with a mobile device) out of the entire application to use only Basic HTTP authentication, and the rest of the controllers to behave like a normal web application.
Currently if I pass incorrect credentials to the controller I get an HTTP 302 response, when I'd really like a HTTP 401 to be passed back. How can I do this?
*edited for typo
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('index','view');
$this->set('logged_in', $this->Auth->loggedIn());
$this->set('current_user',$this->Auth->user());
if($this->name == 'Specific') {
// for the specific controller
$this->Auth->authenticate = array('Basic');
} else {
// everything else
}
}
checkout KVZ's rest plugin it may be of interest
https://github.com/kvz/cakephp-rest-plugin
I haven't tried 2.0 yet, but usually what Auth does is use setFlash to set the error message, then redirect you somewhere to show you that message. That's probably why you're getting the 302 redirect.
How about manually setting the header and then exiting?
e.g.
public function login() {
if ($this->Auth->login()) {
return $this->redirect($this->Auth->redirect());
} else {
header("HTTP/1.0 401 Unauthorized");
exit;
}
}
In cakePHP 2.x you can create a custom status code e.g.
if ($this->Auth->login()) {
return $this->redirect($this->Auth->redirect());
} else {
throw new MissingWidgetHelperException('You are not authorized to view this page.', 401);
}