A prefix is a convenience for which you have the option to build up
security; that's why it's named prefix rather than admin, it's just that
admin is a very common prefix.

Some people like to make their prefixes obscure (security through
obscurity), e.g. rather than type admin/users/index you would need to type
acp/users/index (i.e. admin control panel).

As for the security part of things, there are all sorts of ways of going
about this. A common way is to check if the admin prefix is in use in your
app controller's beforeFilter method; if the user is accessing the admin
prefix then you simply check their user_type_id field.

if($this->params['prefix'] == 'admin') {
   if($this->Auth->user('user_type_id') != Configure::read('AdminTypeId')) {
      // User does not have access to this page, redirect them etc
   }
   $this->layout = 'name_of_admin_layout';
}

*In the above example I used Configure::read, that's just because I don't
like to check against foreign keys in my code, I prefer to store them in a
config file so if I reference an id more than once - I don't need to update
it several times.*

The benefit of this is that you only ever have to check if the person
accessing /admin/... has permission in one place. You're basically just
checking the user's session in a very non-taxing way which has no real
strain on the application.

isAuthorized can be used on login ideally, an example usage would be if you
had a banned or deleted field in your database table, you can check these
fields and decide what to do, for example:

public function isAuthorized($user) {
   if($user['deleted']) {
      $this->Session->setFlash('This account has been deleted.', null, null, 'auth');
      $this->redirect($this->Auth->logout());
      return false;
   }
   return true;
}


In short I think using a prefix is pretty useful and great for admin
sections, you can separate your admin methods from your regular
methods and you don't need to check permissions all over the place.
The worst admin integration would have to be once I saw somebody made
an admin controller which was pretty nasty...



On 3 January 2014 15:52, David Deley <[email protected]> wrote:

> I understand a user can not directly access mysite.com/users/admin_index
>
> Instead they go to mysite.com/admin/users/index
>
> But, is there any automatic security checking? Because anyone can type in
> mysite.com/admin/users/index
>
> Is it still up to the UsersController to filter out unauthorized users?
> such as have an IsAuthorized setting, or the function admin_index still
> needs to check the user's privileges and reject the request if the user
> doesn't have admin privs?
>
> In which case I don't see the advantage of using the admin_ prefix. Seems
> like a big security problem if every controller function needs to check the
> user's privileges. Is there a better way I'm missing?
>
> Can IsAuthorized somehow say only admin users are allowed to run admin
> functions?
>
> --
> Like Us on FaceBook https://www.facebook.com/CakePHP
> Find us on Twitter http://twitter.com/CakePHP
>
> ---
> You received this message because you are subscribed to the Google Groups
> "CakePHP" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/cake-php.
> For more options, visit https://groups.google.com/groups/opt_out.
>



-- 
Kind Regards
 Stephen Speakman
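An added example (not Stephen's code and not CakePHP's own) of how the beforeFilter prefix guard and the isAuthorized check from this reply can be combined in a CakePHP 2.x AppController so that both fail closed. It assumes CakePHP 2.x with 'admin' in Routing.prefixes; AdminTypeId, user_type_id, deleted and banned come from the thread, while the 'admin' layout name and the flash messages are assumptions.

```php
<?php
// Added example (not CakePHP's or the poster's code): fail-closed admin prefix guard
// for a CakePHP 2.x AppController. The 'admin' layout name is an assumption.
App::uses('Controller', 'Controller');

class AppController extends Controller {
    public $components = array(
        'Session',
        // 'Controller' authorize makes Auth call isAuthorized() for every non-public action.
        'Auth' => array('authorize' => 'Controller'),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        if ($this->isAdminRequest()) {
            // Deny before the action runs; redirect() stops execution by default in CakePHP 2.
            if (!$this->isAdminUser($this->Auth->user())) {
                $this->Session->setFlash('Admin access required.', 'default', array(), 'auth');
                return $this->redirect($this->Auth->loginAction);
            }
            $this->layout = 'admin'; // assumed layout name
        }
    }

    public function isAuthorized($user) {
        // Second layer: a controller that overrides beforeFilter() and forgets
        // to call parent::beforeFilter() still cannot expose admin_* actions.
        if ($this->isAdminRequest()) {
            return $this->isAdminUser($user);
        }
        // Account-state checks from the thread: log out deleted or banned accounts.
        if (!empty($user['deleted']) || !empty($user['banned'])) {
            $this->Session->setFlash('This account has been deleted.', 'default', array(), 'auth');
            $this->redirect($this->Auth->logout());
            return false;
        }
        return true;
    }

    protected function isAdminRequest() {
        // Strict comparison: only the exact 'admin' prefix from Routing.prefixes counts.
        return !empty($this->request->params['prefix'])
            && $this->request->params['prefix'] === 'admin';
    }

    protected function isAdminUser($user) {
        // Compare as integers, and treat a missing AdminTypeId config as "nobody is admin".
        $adminTypeId = Configure::read('AdminTypeId');
        return $adminTypeId !== null && !empty($user['user_type_id'])
            && (int)$user['user_type_id'] === (int)$adminTypeId;
    }
}
```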
