I am completely and utterly lost on how to do this. I have 3 different roles : Admin, Staff and Donors. My problem is that It really gets confusing(for me anyway) with permissions and as well as appropriate redirections, should an unauthorized user tries to access an action from the URL.
In my UsersController I have the following actions
non-prefixed actions
The admin should be allowed to access all admin-prefixed actions as well as login and logout, whilst the staff and donor should only be able to access the latter 5. Also note that all users are using the same login form.
In my AppControlles's component I have the following :
'Auth' => array(
'loginRedirect' => array(
'controller' => 'donors',
'action' => 'index'
),
'logoutRedirect' => array(
'controller' => 'users',
'action' => 'login'
),
'authorize' => array('Controller')
)
However, In my login action I check for the user role to change the loginRedirect accordingly :
if($this->request->is('post')){
if($this->Auth->login()){
switch($this->Auth->user('role')){
case 'admin':
$this->Auth->loginRedirect = array('controller'=>'users','action'=>'admin_index','prefix'=>'admin','admin'=>true);
break;
case 'donor':
...
break;
case .....
}
}
}
Question 1
Now, if a current user with a role of donor is logged in, and tries to access localhost/sitename/admin/users/add he is redirected to admin/donors rather then just /donors . So how am I able to remove the admin prefix ?
Question 2 Also I do not fully understand hwo $this->Auth->allow(), works.. If In my donorsController I want to control the access to the controllers action according to roles, how can I do it? So for instance, If there is the 'delete' action in my donorsController, How will I be able to permit the staff user whilst denying the donor user to access the delete action. I believe the beforeFilter is the solution, but can't find how to do it! Any pointers ? Thanks
1) In your login() action impelement a check for the user role, if the role is admin redirect to whatever controller/action and set the admin prefix. If hes not an admin redirect him to something else.
if ($this->Auth->login()) {
if ($this->Auth->user('role') === 'admin') {
$this->redirect(array(
'admin' => true,
'controller' => 'foo',
'action' => 'bar')));
} else {
// Do something else, another redirect or whatever
}
}
There is no need to remove the /admin from the URL as it should show the user hes not authorized when he tries to access an URL he is not allowed to.
2) If you want to grant access for different roles you can use the SimpleRbacAuth I've written. Check the tests for examples of how it works. You simply define a nested array structure and add the roles you want to an action or a whole controller or grant access to everyone by using *.