
Troubleshooting CakePHP Auth component not allowing allowed actions


Original question.

I am using the CakePHP Auth component to manage an admin section. This is using version 1.3.11.

The problem I'm having is that even with allowed actions in each controller, I'm being redirected to the user login page.

Here is what's in the app controller:

    class AppController extends Controller {

        var $components = array(
            'Auth' => array(
                'authorize' => 'controller'
            ),
            'Session',
            'RequestHandler'
        );

        public function isAuthorized() {
            return true;
        }

        function beforeFilter() {
            $this->Auth->authorize = 'controller';
            $this->Auth->fields = array('username' => 'username', 'password' => 'password');
            $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
            $this->Auth->authError = 'Please login to view that page ';
            $this->Auth->loginError = ' The user name or password you entered did not work, please try again ';
            $this->Auth->allow('display');
            $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
            $this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'logout');
            $this->Auth->loginRedirect = array('controller' => 'pages', 'action' => 'display', 'home');
        }
    }

This is what's in the users controller:

    class UsersController extends AppController {

        var $name = 'Users';

        function beforeFilter() {
            parent::beforeFilter();
            $this->Auth->allow = array('add');
        }
    }

This is what's in the posts controller:

    class PostsController extends AppController {

        var $name = 'Posts';
        var $components = array('Session', 'RequestHandler', 'Email');

        public function beforeFilter() {
            parent::beforeFilter();
            $this->Auth->allow = array('edit');
        }
    }

What I do find is that after I've logged in I'm able to access the home page, as expected. Then when I go to the logout the session isn't entirely destroyed so I can go back to the 'admin' section.

I did try using $this-session('destroy'); in the logout action, but when I did the allowed actions didn't work again.

Does this make sense? Shouldn't allowed actions be independent of a current session?

After a lot of testing what appears to be the issue is that the 'before:filter' in individual controllers isn't being recognized. Example in the post controller:

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow = array('edit');
    }

Has anyone had this happen before? I've referred to the CakePHP manual as well as many online articles and tutorials and it doesn't make any sense to me. I've even tried to build a simple application with just the users and post controller and still, the before:filter settings in each controller aren't being recognized.


Solution

  • Make sure you are not using requestAction in any of your elements or views; make sure that the actions called by requestAction are allowed too. This should fix it.
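
A check for the situation this answer describes, as an added example that is not part of the original thread: it scans view and element source for requestAction targets and reports those whose action is not passed to $this->Auth->allow() in the target controller or in AppController. The file names and the latest and menu actions are constructed sample input, and only string or array URLs and the call form Auth->allow(...) are recognised.

```python
import re

# requestAction('posts/latest') style URLs
STRING_URL = re.compile(r"requestAction\(\s*['\"]/?(\w+)/(\w+)")
# requestAction(array('controller' => 'posts', 'action' => 'latest')) style URLs
ARRAY_URL = re.compile(r"requestAction\(\s*array\(([^)]*)\)")
KEY = r"['\"]{}['\"]\s*=>\s*['\"](\w+)['\"]"
# Only the method-call form is matched, e.g. $this->Auth->allow('display')
ALLOW_CALL = re.compile(r"Auth->allow\(([^)]*)\)")

def requested_actions(view_source):
    """Return the (controller, action) pairs targeted by requestAction calls."""
    targets = {(c.lower(), a.lower()) for c, a in STRING_URL.findall(view_source)}
    for body in ARRAY_URL.findall(view_source):
        ctrl = re.search(KEY.format("controller"), body)
        action = re.search(KEY.format("action"), body)
        if ctrl and action:
            targets.add((ctrl.group(1).lower(), action.group(1).lower()))
    return targets

def allowed_actions(controller_source):
    """Return the action names passed to Auth->allow() in one controller."""
    allowed = set()
    for args in ALLOW_CALL.findall(controller_source):
        allowed.update(n.lower() for n in re.findall(r"['\"]([\w*]+)['\"]", args))
    return allowed

def blocked_requests(views, controllers):
    """List (view, controller, action) where requestAction hits a non-allowed action."""
    inherited = allowed_actions(controllers.get("app", ""))  # via parent::beforeFilter()
    findings = []
    for name, source in sorted(views.items()):
        for ctrl, action in sorted(requested_actions(source)):
            allowed = inherited | allowed_actions(controllers.get(ctrl, ""))
            if action not in allowed and "*" not in allowed:
                findings.append((name, ctrl, action))
    return findings

# Constructed sample input (not taken from the question's application)
VIEWS = {
    "elements/sidebar.ctp": "<?php $p = $this->requestAction('posts/latest'); ?>",
    "elements/menu.ctp": "<?php $m = $this->requestAction("
                         "array('controller' => 'users', 'action' => 'menu')); ?>",
}
CONTROLLERS = {
    "app": "$this->Auth->allow('display');",
    "posts": "parent::beforeFilter(); $this->Auth->allow('latest');",
    "users": "parent::beforeFilter(); $this->Auth->allow('add');",
}

if __name__ == "__main__":
    for finding in blocked_requests(VIEWS, CONTROLLERS):
        print("requestAction target not allowed: %s -> %s/%s" % finding)
```

An action added to allow() is also reachable by direct URL without logging in, so keep the allowed set limited to actions that only return data meant for public views.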