Admin section in CakePHP - php

I'm having a hard time understanding how the CakePHP admin system works.
Should all controllers that have an action which requires login include AuthComponent, or just the one that handles the login/logout?
Let's say I want to protect the add action of a controller. First I create admin_add() in the controller and then in the beforeFilter() method I check if $this->Session->check('Auth.User') is set and redirect based on this? Turns out it was better to just control this with $this->Auth->allow()
What is the easiest way to return to the URL the user was trying to access? Is there a better way than setting a session variable? Turns out it does this automagically :)
If someone has a good tutorial for this I would happily read it :)
I've already read this tutorial but I found it to be a little too basic and the CakePHP-docs are not that great on this topic either.

There is no Cake admin system as such. There is the Authentication component and there is the Access Control List component. You can use only the Authentication component if you wish, or you can use both of them. If you want to create your admin system from scratch, follow this tutorial. Or you can try an already created admin panel - PoundCake Control Panel.

We have created an admin system for CakePHP. It works similarly to the scaffolding, but it's configurable and ready to deploy. Check it out at http://browniephp.org

You can learn a lot from others' code, especially something like the CakePHP Admin plugin at: https://github.com/Maldicore/Admin

Related

eZPublish 5 - Custom user authentication (multifactor)

We have eZPublish 5. The authentication is handled by User kernel module kernel/user/login.php. This PHP script is called when trying to access a siteaccess which requires authentication.
Example scenario:
When trying to access http://example.com/marketing
it redirects me (when not logged in) to http://example.com/marketing/user/login
Which is expected behaviour.
What I would like to achieve is to rewrite the kernel/user/login.php file and preferably keep the url the same (this is not mandatory).
I need to do this because I need to integrate Duo Security Multifactor Authentication, so I need to handle the logging in in a custom way.
So on the first page I need to display the login form, then when it is submitted I need to verify if credentials are correct (but not log in the user at this phase) then I need to return another view where an iframe is present for the second authentication, and when the second authentication is successful only after that I can login the user and redirect him/her to the desired page.
Is there any way to do this? I tried to create an extension with a module user and view login.php but it didn't work - the User kernel login.php is always executed when http://example.com/marketing/user/login is hit.
I am trying to do this for several days now but no luck and I'm out of ideas.
Thanks in advance for any help.
Welcome to the eZ Community!
What you want / need is both possible and quite simple to implement :)
First based on your description I recommend the following:
https://github.com/brookinsconsulting/bckernelmoduleoverride
Note: We forgot to package and release this extension some time ago but have been using it as part of our open source ezpedia.org code base. We thank you for reminding us and prompting us to package the code for individual usage.
Concerning double authentication we did something similar but actually quite different with this solution:
https://github.com/brookinsconsulting/bcconfirmpassword
Now code sharing aside. You may want to first study the login handler system which provides for many forms of custom user authentication system. https://en.ezpedia.org/en/ez/login_handler
Yet from your description and some intuition on our part it truly sounds like without more information that you very well do need to both override the default user/login module view (what we call a kernel module view copy override; copy the default module and customize the code within an extension module). We have done this -a lot- for special customer use cases and it's not very hard.
Most of the time the hard part is getting all the module and module view identifiers to not conflict once within a module extension, and we think that will be less of a problem for you if you simply use / leverage the bckernelmoduleoverride extension, which provides for using default kernel modules and module views customized within a module view extension.
Please feel free to ask further questions or share more information about the custom authentication system you're trying to integrate. Frames in this day and age sound like a painful system to be required to implement for a secondary authentication system.
We hope this helps!
Note: This thread is cross posted from: http://share.ez.no/forums/ez-publish-5-platform/ezpublish-5-custom-user-authentication-multifactor
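The flow the question describes (check the password, show the second-factor view, and only then log the user in), as an added PHP example that is not eZ Publish or Duo code. The session keys and function names are hypothetical, and $verifiedUserId stands for whatever user the MFA provider's own server-side verification reports (null when it fails).

```php
<?php
// Added example with hypothetical names. The session array is passed in so the
// logic can be read and run from the CLI without a web server.
const MFA_PENDING_TTL = 300; // seconds allowed between password and second factor

// Step 1: the password was correct. Record who is mid-login, but do NOT set user_id.
function beginSecondFactor(array &$session, int $userId, int $now): void
{
    unset($session['user_id']);
    $session['mfa_pending'] = ['user_id' => $userId, 'expires' => $now + MFA_PENDING_TTL];
}

// Step 2: the second-factor result arrives. The login completes only if a pending
// entry exists, has not expired, and the verified user is the pending user.
function completeLogin(array &$session, ?int $verifiedUserId, int $now): bool
{
    $pending = $session['mfa_pending'] ?? null;
    unset($session['mfa_pending']);           // single use, whatever the outcome
    if ($pending === null || $now > $pending['expires']) {
        return false;
    }
    if ($verifiedUserId === null || $verifiedUserId !== $pending['user_id']) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);          // fresh session ID at the privilege change
    }
    $session['user_id'] = $pending['user_id'];
    return true;
}

// Protected pages check this and never look at 'mfa_pending'.
function isLoggedIn(array $session): bool
{
    return isset($session['user_id']);
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = [];
beginSecondFactor($session, 42, 1000);
var_dump(isLoggedIn($session));               // state after the password step only
var_dump(completeLogin($session, 42, 1100));  // matching user, inside the time window
var_dump(isLoggedIn($session));               // state after the second factor
beginSecondFactor($session, 42, 2000);
var_dump(completeLogin($session, 99, 2100));  // second factor verified for another user
```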

user authorization in custom component

Hi, I am developing a custom component in Joomla 1.7. I want to restrict user tasks based on user groups. I have created a table and saved all the controller names and tasks, and saved the permissions for the previous tasks with the user group id. In the central com_component.php file I check the user permissions and authorize the tasks with the controller. This is working really well. What I want to know is whether I can use the addACL() or authorized() functions to do this, which I really don't understand correctly, because here I want to use both controller and task together.
Developing a component with the Access Control List is described in the Joomla! documentation in detail (link). I think the first thing to do is follow the instructions described there. There is even sample code that you can download and use.
The plugin 'GroupJive' for the Community Builder component has ways to do what you are looking for. I would look to that project at least for a guideline. I will be digging into a similar challenge this weekend and if I find code without the need for the component I will let you know.

Codeigniter - How to achieve different member areas within a site? Tank_Auth

I have built an app using codeigniter which has 3 different member groups
Administrators - Who login to a dashboard and have CRUD facilities to Add/Edit/Delete Events, shows and artists
Clients - Who Login from the front end and see all the items that the admin have added via the back end.
Media Partners - Who Login from the front-end and see certain parts of what the client can see but not all things.
I have integrated the Tank_Auth Library for the Clients section which all works fine. What I would like to achieve though is for the administrator to be able to login to a separate admin area and the media partners to be able to login to a separate area too.
What is the best way to approach this?
Do I need to create separate dashboard controllers for each userbase and duplicate the Tank_Auth controller 3 times and tweak this?
Ideally the Admin users also need to be able to add new users and login to all 3 separate areas?
Has anybody achieved such a solution before, If so how did you go about it? perhaps tank auth isn't the correct approach?
Any input would be appreciated.
Thanks Dan
I am using CI, but haven't used Tank_Auth, I have my auth class and in every function I have the following method called: $this->auth->accessMap(get_class($this),__FUNCTION__);
In auth class:
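    public function accessMap($controller_name, $function_name)
    {
        // Allow only when the map has a non-empty entry for this controller/method;
        // a missing entry is treated as "no access" instead of raising a notice.
        if (!empty($this->perms_array[$controller_name][$function_name])) {
            return true;
        }
        $this->redir();
        return false;
    }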
I have permissions array in config:
$config['user_perms']['className']['method1'] = array($config['user_types']['admin']);
$config['user_perms']['className']['method2'] = array($config['user_types']['admin'],$config['user_types']['user']);
Like this you can specify for each method which user has permission to use it.
I hope this will help.
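An added example, not the answerer's auth class, that carries the permissions-array idea through to the check itself: the current user's type is looked up in the list stored for the controller/method pair, and anything the map does not list is denied. The constants, controller names and isAllowed() are constructed for illustration.

```php
<?php
// Added example: constructed names, not the answerer's actual auth class.
const TYPE_ADMIN = 1;
const TYPE_USER  = 2;

// Same shape as the config in the answer: controller => method => allowed user types.
$userPerms = [
    'Events' => [
        'index'  => [TYPE_ADMIN, TYPE_USER],
        'delete' => [TYPE_ADMIN],
    ],
];

/**
 * Return true only when the map explicitly lists $userType for this
 * controller/method pair. Unknown controllers, unknown methods and
 * anonymous visitors (null) are all denied.
 */
function isAllowed(array $perms, string $controller, string $method, ?int $userType): bool
{
    if ($userType === null) {
        return false;
    }
    $allowed = $perms[$controller][$method] ?? [];
    // Strict comparison so a string or boolean can never match an integer type id.
    return in_array($userType, $allowed, true);
}

// Constructed cases covering each branch.
var_dump(isAllowed($userPerms, 'Events', 'index', TYPE_USER));   // listed type
var_dump(isAllowed($userPerms, 'Events', 'delete', TYPE_USER));  // type not in the list
var_dump(isAllowed($userPerms, 'Events', 'export', TYPE_ADMIN)); // method missing from the map
var_dump(isAllowed($userPerms, 'Events', 'index', null));        // not logged in
```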
I can't find the thread on the CI forums because I can't seem to login to their website right now, however do a search for 'zend_acl in codeigniter'. Alternatively there is this blog post about how to implement it, but it is slightly dated.
ACL stands for Access Control List, it will allow you to setup various permissions for different types of users. Zend has one of the best implementations of ACL in my opinion.
More information about ACL's can be found on zend's website.
Absence of user groups is a pain when using tank_auth if we have multiple user groups. I ran into this issue recently. Here is the solution posted in the CI forums.
Using tank_auth for both front end user registration and login and back end admin login

Admin Log-In Development

I am developing the ability for administrators to log in and I'm to the point of creating the admin log-in page, but I'm somewhat torn as to where the best place to put it.
For details, this is part of an MVC framework, and the administration portion is in its own folder - /admin; so administration is completely separate from the public portion of the site.
I would like to place the actual log-in page in its own php file for security by separating it from the rest of the site. That way if they bust one, they don't bust all. However, then you get to the point of processing the log-in request - should it be in the same PHP file as the log-in, or should it reside in another file, or should all of this just be part of the framework?
Any suggestions would be much appreciated.
EDIT: just for some clarification, this is my first time creating any sort of user system, so please bear with me :) (Any good tutorial/example links are greatly appreciated too). The admin portion of the site is in its own folder but uses the same base files, classes, etc as the front end - the files are only overwritten in the admin portion as needed. Also, an 'admin' is just a certain user type - roles and permissions have already been figured out.
I'm just having a hard time starting - particularly where to implement/put the login form. I thought it would be best for security to have a physically separate file for login, but I see that might not be the case.
I agree with the rest of the posts, Admin should be in the same work-flow. Here is a good example to reference.
Using the same login system for both admin and users will enable you to simplify your application. First off, you'll only need to create one login form. Secondly, if the admin section is part of the same codebase, you'll gain a huge benefit from being able to access all of the classes used throughout the site. If you used an MVC architecture, you'll probably want to use the same models in the admin as you do on the site. Even if you didn't, there is probably still a lot of code you can reuse for the admin section (base classes, database abstraction layer, shared settings/configuration, etc).
IMHO, Admin should login through the same form as regular user, but permissions should allow him to view additional content.
You can place admin forms in any folder, and then allow admin to access it.
I think the admin user should just be another class of user (or be an option for a normal user). Take note that there's slightly more chance of granting access to a normal user by mistake with this approach.

PHP: Centralized Page Session Authenticator

I am currently wondering how a centralized page authenticator could be achieved. Can anyone suggest a neat algorithm for me? What I intend to achieve is to make my backend administrator pages session protected without writing a piece of session checking code to each of my pages that I want protected. I currently do something like this:
login page -> if right credentials : set session -> if view protected page without session : reject else : permit
Any best practices (or a better method) on/than this?
I would not so much want to suggest an algorithm, but a library/framework instead.
If your application has a single entry point, that is the place to call your session management library/framework. For example with the Zend Framework you can initiate your session in the bootstrap. The only thing left is to authenticate a session in the login controller.
If you're architecting a PHP app that has multiple entry points you will go crazy trying to copy and paste all this code. Look into using a real MVC framework.
I use Zend_Controller to route my pageviews in situations like this.
Once you architect your app in that way, it becomes simple to add some code to the predispatch() method of your restricted controllers to do authentication and redirect to a login page if it is not found or is invalid.
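The single-entry-point check these answers describe, as an added framework-free PHP example (not Zend or CakePHP code). It goes one step beyond the question by also remembering the requested path for the post-login redirect and accepting it only when it is a same-site path. Route names and session keys are constructed.

```php
<?php
// Added example; paths and session keys are constructed for illustration.
const PUBLIC_PATHS = ['/login', '/logout'];

// Accept only a same-site absolute path as a post-login destination.
function safeReturnPath(?string $path, string $default = '/admin'): string
{
    if ($path === null || $path === '' || $path[0] !== '/') {
        return $default;                      // empty, relative, or has a scheme/host
    }
    // "//host" and "/\host" are treated by browsers as another origin.
    if (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\')) {
        return $default;
    }
    if (preg_match('/[\x00-\x1f]/', $path)) {
        return $default;                      // control characters, e.g. CR/LF
    }
    return $path;
}

/**
 * Called once from the entry point before any controller runs.
 * Returns null to let the request through, or the path to redirect to.
 * Everything outside PUBLIC_PATHS needs a session, so new pages are protected
 * without adding a check to each of them.
 */
function guard(string $path, array &$session): ?string
{
    if (in_array($path, PUBLIC_PATHS, true) || isset($session['user_id'])) {
        return null;
    }
    $session['return_to'] = $path;            // kept server-side, not in the URL
    return '/login';
}

// Called by the login handler after a successful login.
function afterLogin(array &$session): string
{
    $target = safeReturnPath($session['return_to'] ?? null);
    unset($session['return_to']);
    return $target;
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = [];
var_dump(guard('/admin/reports?year=2024', $session)); // anonymous request
$session['user_id'] = 7;                               // login succeeded
var_dump(afterLogin($session));                        // where the user is sent
var_dump(safeReturnPath('//other.example/x'));         // off-site form is replaced
```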
