Authorization checks are only made after successful authentication, see AuthComponent::startup().

    public function startup(Controller $controller) {
        // ...

        // authenticate first
        if (!$this->_getUser()) {
            return $this->_unauthenticated($controller);
        }

        // then authorize
        if ($this->_isLoginAction($controller) ||
            empty($this->authorize) ||
            $this->isAuthorized($this->user())
        ) {
            return true;
        }

        // ...
    }

So the solution should probably be to log in first.