
I've installed the CakeDC Users plugin and found out that role and is_admin don't function by default. If I log in with a regular user (role=registered and is_admin=0), I can still go to /admin/users/add/. Why are there two types of checks, role and is_admin? What if role=administrator and is_admin=0, or vice versa?

I am looking for a preferred solution to this problem so I could secure the admin section and make use of user roles on different pages. Still, I can't understand why is_admin is present when role=administrator could take care of it all.

Davit
  • This is not an issue of the plugin: you have to implement your auth application-wide on your own. The plugin just gives you the basics but does not do your job of customizing the app based on the requirements of your client. http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html – floriank May 26 '13 at 19:22
  • @burzum I did write it, but I did not get why there are `is_admin` and `role` fields in the default table. – Davit May 26 '13 at 19:23

2 Answers


I solved the very same issue by adding the following piece of code in "app/Controller/AppController.php" in the method "beforeFilter()":

    // Only guard requests routed through the "admin" prefix (e.g. /admin/users/add).
    if (isset($this->params['prefix']) && $this->params['prefix'] == 'admin') {
        // Assumes Auth has already forced a login, so Auth.User.role is in the session;
        // anyone whose role is not 'admin' is denied and sent back to the front page.
        if ($this->Session->check('Auth.User.role') and 'admin' !== $this->Session->read('Auth.User.role')) {
            $this->Auth->deny('*');
            return $this->flash('Non admin access unauthorized', '/');
        }
    }

While I admit this solution is not optimal, it sure does the trick!

Justin T.
  • I have the same for the first line, but instead of the second-line Session check I have `if ($this->Auth->User('role') !== "admin" || $this->Auth->User('is_admin') !== true)`. What do you think about this? Is there any recommendation for me to switch to your version? Thanks. – Davit May 26 '13 at 19:24
  • @DachiN.: I would only rely on the "role" field to assess admin access, mainly because I do not see why a user would have both the 'admin' role and is_admin=false. This is somewhat redundant to me. But YMMV – Justin T. May 26 '13 at 19:28

This is not an issue of the plugin: you have to implement your auth application-wide on your own. The plugin just gives you the basics but does not do your job of customizing the app based on the requirements of your client. I recommend that you read this chapter: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html

The is_admin check AND the role field are there for multiple reasons: your user can have any role, but only if they have is_admin checked can they access an admin area, for example. is_admin alone does not allow you to have roles. Both fields are there to cover different scenarios. Again, the plugin is thought of as a kick start and a base you can build on. That's what you have to do when you want to customize it.

There is an example that shows pretty much how to use whatever you need:

http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-controllerauthorize

    class AppController extends Controller {
        public $components = array(
            'Auth' => array('authorize' => 'Controller'),
        );

        public function isAuthorized($user = null) {
            // Any registered user can access public functions
            if (empty($this->request->params['admin'])) {
                return true;
            }

            // Only admins can access admin functions
            if (isset($this->request->params['admin'])) {
                return (bool)($user['role'] === 'admin');
            }

            // Default deny
            return false;
        }
    }

floriank
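As an added example (not code from either answer, nor from the CakeDC Users plugin or the CakePHP book), here is the combined check from the discussion above as a standalone PHP 7.1+ function: an admin-prefixed request is allowed only when the user has both role=admin and is_admin set, which covers the "role=administrator but is_admin=0, or vice versa" case from the question. The user records and request params below are constructed; inside CakePHP the same body would sit in AppController::isAuthorized() with $this->request->params and the $user argument.

```php
<?php
// Added example, not part of the original answers or of the CakeDC Users plugin.
// Mirrors what AppController::isAuthorized() would decide, without CakePHP:
// $params stands in for $this->request->params, $user for the authenticated user row.

function isAdminRequestAuthorized(array $params, ?array $user): bool
{
    // Not authenticated at all: deny (AuthComponent normally redirects to login first).
    if (empty($user)) {
        return false;
    }

    $isAdminPrefix = !empty($params['prefix']) && $params['prefix'] === 'admin';

    // Non-admin routes: any authenticated user may proceed.
    if (!$isAdminPrefix) {
        return true;
    }

    // Admin routes: require BOTH the admin role and the is_admin flag, so a stray
    // value in either column on its own (role set, flag cleared, or the reverse)
    // is not enough to reach /admin/... actions.
    $hasAdminRole = isset($user['role']) && $user['role'] === 'admin';
    $hasAdminFlag = !empty($user['is_admin']);

    return $hasAdminRole && $hasAdminFlag;
}

// Constructed sample users and requests (not real accounts).
$cases = [
    'registered user, public route'     => [['prefix' => null],    ['role' => 'registered', 'is_admin' => 0]],
    'registered user, admin route'      => [['prefix' => 'admin'], ['role' => 'registered', 'is_admin' => 0]],
    'admin role but is_admin cleared'   => [['prefix' => 'admin'], ['role' => 'admin',      'is_admin' => 0]],
    'is_admin set but role registered'  => [['prefix' => 'admin'], ['role' => 'registered', 'is_admin' => 1]],
    'admin role and is_admin, admin'    => [['prefix' => 'admin'], ['role' => 'admin',      'is_admin' => 1]],
    'anonymous, admin route'            => [['prefix' => 'admin'], null],
];

foreach ($cases as $label => [$params, $user]) {
    printf("%-36s => %s\n", $label, isAdminRequestAuthorized($params, $user) ? 'allow' : 'deny');
}
```

Only the fifth case prints "allow"; if you want the single-field policy Justin T. prefers, drop the `$hasAdminFlag` conjunct and the behaviour matches the book's example.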