cakephp-3.0 cakedc

CakeDC/Users permissions for not-logged-in visitors


I'm playing around with the CakeDC/Users plugin and I can't for the life of me figure out how to give permission for non-logged-in visitors (let's call them 'guests') to access things like my /pages/home, or if I were to do a Blog plugin, allow guests to see posts etc. (but not edit).

Is this possible using the 'permissions.php' file? Seems to only work for user groups (admin and user) rather than guests? Or do I have to play around with $this->Auth->allow() and $this->Auth->deny() as in this post, which seems to make the permissions.php file kinda pointless...


Solution

  • RBAC permissions defined in CakeDC/Users are checked in the authorization step, which means you have a user already logged in (authenticated) requesting access to a specific controller/action.

    All these checks happen in the core CakePHP AuthComponent per the plugin configuration.

    You want to exclude specific pages from Auth, which is something managed outside of the plugin (for now). The right way to do that is using

    $this->Auth->allow('yourAction');
    

    in the controller's beforeFilter function.
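
Added example, not part of the original answer or the plugin's own code: a CakePHP 3 sketch of the two cases from the question, opening /pages/home and the read-only blog actions to guests while write actions stay behind login and the RBAC rules. It assumes the Auth component is already loaded in AppController per the plugin setup; `PostsController` and its `index`/`view` actions are hypothetical names.

```php
<?php
// File: src/Controller/PagesController.php
// Only beforeFilter() is shown; the existing display() action is unchanged.
namespace App\Controller;

use Cake\Event\Event;

class PagesController extends AppController
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // /pages/home is served by the display() action, so this is the
        // action guests need. Always pass explicit action names: calling
        // allow() with no arguments makes every action in the controller
        // public.
        $this->Auth->allow(['display']);
    }
}

// File: src/Controller/PostsController.php (hypothetical blog controller)
// Shown in the same block for brevity; it lives in its own file with the
// same namespace and use statements.
class PostsController extends AppController
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // Guests may list and read posts. add/edit/delete are not listed,
        // so they still require an authenticated user and are then checked
        // against the rules in permissions.php.
        $this->Auth->allow(['index', 'view']);
    }
}
```

Keeping the allow list to named read-only actions means a newly added action in either controller is protected by default until it is deliberately made public.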