cakePHP - how does the AuthComponent authenticate? - php

I'm trying to wrap my head round how the auth component authenticates.
Currently my AppController looks something like this.
class AppController extends Controller
{
var $components = array('Auth', 'Session');
function beforeFilter()
{
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
$this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'index');
$this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
}
}
If I was to leave my login action completely empty, the auth component will still try to authenticate when the user reaches the login page.
Is this how it should be? Couldn't this be a problem if it's always trying to authenticate?

If the requested action is the action configured in AuthComponent::loginAction (UserController::login by default) and $this->data contains the fields configured in AuthComponent::userModel/AuthComponent::fields (User.username and User.password by default), the AuthComponent will try to authenticate the current user. It'll automatically try this after Controller::beforeFilter was executed but before the requested action is called. If the login was successful (and any additional restrictions you may have applied in the AuthComponent configuration have cleared), it'll redirect to where the user came from, otherwise it'll execute the requested action as usual.
So no, this won't pose a problem, since it'll only attempt authentication under these particular circumstances.

Related

CakePHP loginAction not working

What I want:
When a user is not logged in and tries to visit the site at any url they get redirected to /landing (which has a form on it that posts to /login)
What is happening:
When a user is not logged in and tries to visit the site at any url they get redirected to /login
In my AppController I have:
public $components = array(
'Auth' => array(
...
'loginRedirect' => array('controller' => 'twitter', 'action' => 'index'),
'loginAction' => '/landing',
'logoutRedirect' => '/landing',
'unauthorizedRedirect' => '/landing',
'authorize' => array('Actions' => array('actionPath' => 'controllers'))
));
public function beforeFilter() {
$this->Auth->allow('login', 'landing');
}
I thought 'loginAction' => '/landing' would have been the solution but it has not helped
Any ideas?
You are missing the controller?
'Auth' => array(
'loginRedirect' => array(
'controller' => 'items',
'action' => 'index'
),
'logoutRedirect' => array(
'controller' => 'users',
'action' => 'login'
),
'authenticate' => array(
'Form' => array(
'passwordHasher' => 'Blowfish'
)
)
)
From your snippet it looks like you're putting $this->Auth->allow() rules in the beforeFilter() method of AppController:
public function beforeFilter() {
$this->Auth->allow('login', 'landing');
}
The problem is that since your /landing route points to your pages controller and /login to your users controller, unless your controllers' beforeFilter() method call their parent's method like this:
public function beforeFilter() {
parent::beforeFilter();
}
these rules won't ever take action. And if you add this code above, you're actually allowing both landing and login methods in both controllers (if they exist).
The way it is now, the parent is (apparently) never called, and so when you visit a url like /bogus, you get redirected to /landing as you've set in AuthComponent's loginAction. But since this is never explicitely allowed in pages controller beforeFilter(), you get redirected again to /login. The whole process looks like you are always redirected to /login no matter what url you visit.
Keep in mind, that as you have it, the allow() rule for login is neither executed. You're able to visit /login though, because cake automatically allows it (or else you would end up in an endless loop).
So first remove the landing rule from allow(). You don't need it.
Then move the beforeFilter() code to the pages controller. Change landing to display as the method that is called is display inside that controller, being passed the argument landing. There's no landing method there (I assume - and if there is, the route is pointing to pages' display so it wouldn't have any effect)!
This last change will make display action allowed for any given page passed as argument (like landing, home, eula or whatever else you might be having). If you don't want that you should add a check either in the beforeFilter() or the display() and only allow the request to continue if the argument is landing.

Zend Controller redirect in init() method

class IndexController extends Zend_Controller_Action{
public function init(){
if(!isset($_SESSION['administrator'])){
$this->_helper->redirector->gotoRouteAndExit(array('controller' => 'index', 'module' => 'cp', 'action' => 'login'), null,!0,!0);
}
}
}
I tried on Firefox, it shows me:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
But when I put redirector outside of init() method, it works.
public function indexAction(){
if(!isset($_SESSION['administrator'])){
$this->_helper->redirector->gotoRouteAndExit(array('controller' => 'index', 'module' => 'cp', 'action' => 'login'), null,!0,!0);
}
}
Can anyone help me?
Edit:
I don't want to repeat the "redirect code" because there are many other actions need to be checked permission in the same controller.
The problem is, that on index/login, you also run the init() method, detect that the user is not an admin, and try to again redirect him to index/login, which will run the init() method again, detect that he still is not an admin... and so on. Thus the infinite redirect loop.
So in your init() you may first check if you are trying to call the login action, and only if not, check for admin permissions and redirect to index/login.
In your concrete case, you may want to change your init() method as follows:
public function init(){
if ($this->getRequest()->getActionName() !== 'login' && !isset($_SESSION['administrator'])){
$this->_helper->redirector->gotoRouteAndExit(array('controller' => 'index', 'module' => 'cp', 'action' => 'login'), null,!0,!0);
}
}
This excludes the login action from checking admin permissions and redirecting, breaking the infinite redirect loop.
The thing is, init() function will always runs first in any controller,
So When you do a redirect is init() it essential redirects to itself , which will create infinite loop in your case, so it will keep redirecting to itself, as "BluePsyduck" Suggested.
So do the alternate what you have already done and redirect it in index Action of your controller..

Adding a user from index doesn't work using CakePhp

I'm using CakePhp 2.3 and am trying to allow a user to create an account from the home page. I'm new to cakephp and so far I've followed implementation described here: http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
Now every time I access the index page (localhost) I am redirected to the users/login page. I've played around with changing the components array in the AppsController, but if I don't include the Auth component then when I call the function add in the USerController, then I get a Call to a member function allow() on a non-object error. I'm not sure how to continue. Right now my AppController class looks like this:
class AppController extends Controller {
public $components = array(
'Session',
'Auth' => array(
'loginRedirect' => array('controller' => 'posts', 'action' => 'index'),
'logoutRedirect' => array('controller' => 'pages', 'action' => 'display', 'home'),
'authorize' => array('Controller') // Added this line
)
);
public function beforeFilter() {
$this->Auth->allow('index', 'view');
}
}
All I want to do is be able to add a new user row from the index page. Any ideas or other suggested reading? Thanks!!!
Configure your home page / by using the router to use the posts/index action.
Router::connect('/', array('controller' => 'posts', 'action' => 'index'));
Also I guess you're not calling the parent::beforeFilter() in your whatever controller is used for the home page. Allowing actions in the AppController is a bad idea because it just opens security issues. One day you need an index that should not be public and forget about it OR your have to change all allow() calls.
However, why do you have the login in the posts context? That's wrong. User related actions should belong to the right context: Users controller and model.
If you add the key 'authorize', I think you should define the function 'isAuthorized' as described here : http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
How looks like your default index page ?
If it's the defaut "home.ctp", displayed by the PagesController, you have to allow 'display' as an allowed action :
$this->Auth->allow('index', 'view', 'display');
HTH
go to app->config-> routes.php and change the action to index as #burzum said
and then go to your UsersController or PostsController whatever your controller is call beforeFilter like this
<?php
class UsersController extends AppController {
public function beforeFilter() {
parent::beforeFilter();
}
public function index(){
}

CakePHP upgrade from 1.2 to 1.3 is now giving redirect loops

I recently upgraded from CakePHP 1.2 to CakePHP 1.3 and now I have some code that is trapping the user in a redirect loop. This is after the user has successfully logs in and decides to click on a link to manage emails.
I have some code in a controller where the index() method will check if the current user is an admin or not. If the user is not an admin it will do the following:
function index()
{
if ($this->Session->read('is_admin') < 1) {
$this->redirect(array('controller' => 'emails', 'action' => 'view', 'id' => $this->Session->read('username')));
}
//...more code...
}
This is intended to redirect the user to a view() method and display only their email and not everyone's email. What is happening when I debug this is the redirect keeps ending up in the index() method.
Is there something new in CakePHP that I'm missing? Is it a no-no to use the name "view" as an action in a controller?
* EDIT *
Okay, I was a little premature with this post. The code in the view($username) method is being reached. But the thing is the $username is not defined and I have some client code that is then redirecting back to the index() action if it is not defined.
I did check the original redirect and the $this->Session->read('username') is populated with the username but it is just not being passed in the view()'s $username argument.
Thanks!
It turns out the redirect signature changed from 1.2 to 1.3:
http://book.cakephp.org/view/1561/Migrating-from-CakePHP-1-2-to-1-3
Library Classes > Router
// CakePHP 1.2 way
$this->redirect(array('controller' => 'emails', 'action' => 'view', 'id' => $this->Session->read('username')));
// CakePHP 1.3 way
$this->redirect(array('controller' => 'emails', 'action' => 'view', $this->Session->read('username')));

Attempting to figure out which line is doing the redirect to the login page

I implemented security according to the acl tutorial on the www.cakephp.org website. I'm trying to figure out which line of code is responsible for redirecting a user to the login page if they aren't already logged in. As a test, I commented out several lines from the beforefilter() function in app_controller.php so that it now looks like this:
function beforeFilter() {
//Configure AuthComponent
$this->Auth->authorize = 'actions';
$this->Auth->actionPath = 'controllers/';
// $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
// $this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
// $this->Auth->loginRedirect = array('controller' => 'alerts', 'action' => 'home');
// $this->Auth->loginRedirect = array('controller' => 'schedules', 'action' => 'index');
$this->Auth->allowedActions = array('display');
}
But I'm still being redirected to the login page.
The reason I'm asking about this is because my cakephp site is being served through a proxy server and I need to use relative url references, but the login redirect is using an absolute reference.
The actual redirection is done in AuthComponent::startup(). In there AuthComponent::isAuthorized() is called, and in your case (with Acl configured) Acl will be used to do the checking.
Changes to the settings in your beforeFilter() will no have any affect on the behavior. More than likely, you are failing the Acl->check() and being redirected on line 450.
See here - https://github.com/cakephp/cakephp/blob/master/cake/libs/controller/components/auth.php#L309, and https://github.com/cakephp/cakephp/blob/master/cake/libs/controller/components/auth.php#L450
To handle your redirect related issue, look at possibly overriding Helper::url(). Create an app/app_helper.php, define a class AppHelper that extends Helper... and provide a url method. Examine the passed arguments, return the appropriate url.

Categories