Question

I have the following situation: multiple views use a content editor that can upload files and retrieve a list of previous uploads via AJAX. I end up adding two actions to every controller for this. Instead, I want to have just one common single-purpose EditorController that handles the editor interactions for me.

The problem with this is access rights: I want the EditorController to check whether a request is coming from a valid source (that means a known action the current user has access to). In concrete terms, check that the request is coming from something like '/posts/edit/1' and that this is an action I am allowed to use.

Can this be done? What is a better way to achieve the same result? I currently have the functionality already packaged into a component I reuse. But I still repeat myself adding the same two actions to all my controllers.

Edit: From the comment below I was pointed to http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#restricting-cross-controller-communication. The thing I want to achieve is very similar to SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions, except that I would rather not explicitly whitelist the allowed controllers or actions, but rather have the access right inherited from the caller.

Solution

Using the Security component might give you what you want;

http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html

[update] Although the security component checks if a form posted was a valid form, it does not check if the current user has permissions to access a controller/action.

For this you'll need to implement an authorisation system, in combination with access control. This can be a simple 'access' control for certain actions ("is a user logged in?"), or a more granular approach using access control lists (ACL).

The CakePHP manual has some examples for both. I'll post some links:

Authentication http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html

Access Control Lists http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html

And a tutorial on both http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html
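As an added illustration of the answer's point (not code from the answer or from the CakePHP project), here is one shared EditorController for CakePHP 2.x that uses AuthComponent's 'Controller' authorize handler to check each AJAX call against the post being edited, rather than inferring rights from where the request claims to come from. It assumes a Post model with a user_id column and an editor that sends the target post id as a post_id parameter with every upload or listing request; both are assumptions for this example.

```php
<?php
// Added example, not from the original answer. Authorizes every editor action
// against the post it targets, via AuthComponent ('Controller' authorize).
// Assumptions: a Post model with a user_id column, and a post_id parameter
// sent by the editor with each request.
App::uses('AppController', 'Controller');

class EditorController extends AppController {
    public $uses = array('Post');
    public $components = array(
        'Auth' => array('authorize' => 'Controller'),
        'Security', // form-token checks (CSRF/tampering); not an authorization check
    );
    public $uploadDir = TMP . 'uploads' . DS;
    public $allowedExt = array('png', 'jpg', 'gif', 'pdf');

    // Auth calls this for every action here (nothing is Auth->allow()ed in this controller).
    public function isAuthorized($user) {
        $postId = $this->request->data('post_id') ?: $this->request->query('post_id');
        if (!$postId || empty($user['id'])) {
            return false;
        }
        // The same ownership rule PostsController would apply to /posts/edit/:id
        return (bool)$this->Post->find('count', array(
            'conditions' => array('Post.id' => $postId, 'Post.user_id' => $user['id']),
        ));
    }

    public function upload() {
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        $file = $this->request->data('Editor.file');
        $ext = $file ? strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) : '';
        if (!$file || $file['error'] !== UPLOAD_ERR_OK || !in_array($ext, $this->allowedExt, true)) {
            throw new BadRequestException('Unsupported upload');
        }
        // Server-chosen filename: the client-supplied name never touches the filesystem.
        $name = md5(uniqid('', true)) . '.' . $ext;
        move_uploaded_file($file['tmp_name'], $this->uploadDir . $name);
        $this->respondJson(array('file' => $name));
    }

    public function listing() {
        $this->respondJson(array('files' => array_map('basename', glob($this->uploadDir . '*') ?: array())));
    }

    protected function respondJson($data) {
        $this->autoRender = false;
        $this->response->type('json');
        $this->response->body(json_encode($data));
    }
}
```

Because SecurityComponent validates POST tokens, the editor's AJAX uploads must include the form token, or those actions need to be listed in its unlockedActions.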

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow