My bad. I was not returning 'true' from isAuthorized.

Jeremy Burns
Class Outfit

[email protected]
http://www.classoutfit.com

On 2 Dec 2010, at 07:48, Jeremy Burns wrote:

> I feel like I ought to know this, but am struggling <embarrassed>.
>
> I am using the Auth component (not Acl). I have an isAuthorized function in app_controller and another in my users_controller. The one in users fires whenever someone calls an action in the users controller; otherwise the one in app_controller is called.
>
> I have allowed access to the 'create' and 'logout' actions in the users_controller.
>
> Here's my problem: if I allow access to the 'view' action, any user can see any user record without being challenged, even when not logged in. If I leave 'view' out of $this->Auth->allow, no user has access to it (not even the currently logged in user). Going to /users/view/1 simply redirects to the home page (saying I do not have sufficient rights). Also, if I don't specifically allow access to 'logout', the logout action fails. I thought this was allowed by default?
>
> I'm on version 1.3.6. Anyone got any hints?
>
> Code>>>
>
> I have this in my app_controller:
>
>     var $components = array(
>         ...,
>         'Auth' => array(
>             'authorize' => 'controller',
>             'loginError' => 'Your username and/or password are incorrect. Please try again.',
>             'authError' => 'You do not have sufficient privileges to view that page.',
>             'logoutRedirect' => array(
>                 'prefix' => false,
>                 'controller' => 'about'
>             )
>         )
>     );
>
> I have this in my users_controller:
>
>     function beforeFilter() {
>         parent::beforeFilter();
>
>         $this->Auth->allow(
>             'create',
>             'logout'
>         );
>     }
>
>     function isAuthorized() {
>
>         if (isset($this->params['pass'][0])):
>             if (!$this->Auth->user()):
>                 $this->Session->setFlash('You must be logged to view that record.', 'default', array('class' => 'no_entry'));
>                 $this->redirect($this->Auth->loginAction());
>             else:
>                 if ($this->Auth->user('id') == $this->params['pass'][0]):
>                     $this->Session->setFlash('Welcome back', 'default', array('class' => 'success'));
>                 else:
>                     $this->Session->setFlash('You do not have permission to view that record.', 'default', array('class' => 'no_entry'));
>                     $this->redirect('/');
>                 endif;
>             endif;
>
>         else:
>             $this->redirect('/');
>         endif;
>     }
>
> Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
>
> You received this message because you are subscribed to the Google Groups "CakePHP" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]
> For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
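For readers landing on this thread later, here is an added example (not the poster's code, not CakePHP's own) of the shape isAuthorized() needs to have for 'authorize' => 'controller' in CakePHP 1.3: it returns a boolean and leaves the flash message and redirect to the Auth component. The controller name, the action names and the per-record rule (a user may only view or edit their own record) are assumptions taken from the quoted message; the message texts are constructed.

```php
<?php
// Added example for CakePHP 1.3 (not the poster's code). Assumes the
// app_controller quoted in the thread, i.e. 'authorize' => 'controller'.
class UsersController extends AppController {

    var $name = 'Users';

    function beforeFilter() {
        parent::beforeFilter();
        // Only these actions bypass the login check. 'view' is deliberately
        // NOT listed: allowing it would let anyone, logged in or not, read
        // any user record by id, which is exactly the symptom in the question.
        $this->Auth->allow('create', 'logout');
    }

    // With 'authorize' => 'controller', Auth calls this for every action that
    // is not in allow(), after the user has authenticated, and grants access
    // only when the return value is truthy. A method that redirects and then
    // falls off the end returns null, which Auth treats as "denied" (it fails
    // closed); that is why even the logged-in user was bounced to the home
    // page with the authError message.
    function isAuthorized() {
        $ownId  = $this->Auth->user('id');   // user is logged in at this point
        $target = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;

        switch ($this->action) {
            case 'view':
            case 'edit':
                // Record-level check: a user may only touch their own record.
                // Compare as strings rather than with '==' to avoid PHP's loose
                // comparison treating '1abc' and 1 as equal.
                return ($target !== null && (string)$ownId === (string)$target);
            case 'index':
                return false;                // keep the user list private
            default:
                return true;                 // other actions: being logged in is enough
        }
    }
    // On a false return, Auth itself sets the 'authError' flash from the
    // component config and redirects, so no redirect() calls belong here.
}
```

Keeping redirects out of isAuthorized() matters beyond tidiness: an authorization callback that never reaches a `return` denies everything by accident, and one that redirects before returning can be bypassed if a later code path returns true, so the method should do nothing but compute and return the decision.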
