Handle requests to your Cake3 application based on a permissions array

visualex/cakephp-aclcomponent

cakephp-aclcomponent

ACL without complications, based on a permissions array.

Handle requests to your Cake3 controller methods based on a permissions array.

CakePHP version 3 no longer ships with ACL. Those of us who were fond of it may still remember its complications: the 3 extra database tables, the difficulty of testing the system, etc.

About

Pass in the array of permissions to the component after the user has been detected by the AuthComponent.

  • This component restricts access to controller methods.
  • Keep the permissions in an easy to see & test PHP array.
  • Load the component in the AppController, and pass it the permissions the user requires.
  • Wildcard the whole app or controller for specific user groups!

Using

 // keep a $permissions array somewhere (use a db or a flat file):
 $permissions = [
     'admin' => '*', // admins can access all controllers & all methods
     'customer' => [
         'Products' => '*', // customers can access all the methods of the ProductsController
         'Users' => ['my_account', 'contact'], // customers can only access these two methods in UsersController
     ],
     'banned' => [], // banned users cannot access anything
 ];
 
 // In your AppController::initialize()
 $user = $this->Auth->user();
 if ($user) {
     // user is logged in, so we can load the Acl
     // no need to load Acl if we are not logged in, right?
 
     // users.role in your db corresponds to the $permissions key: admin, customer or banned in this example
     // Auth->user() returns the user record as an array in CakePHP 3, so read the role by key
     $this->loadComponent('Acl', $permissions[$user['role']]);
 }

For small apps you might keep the role as a string in your db, but larger applications will require a users.group_id and a groups table. The same strategy applies, just use the groups.name value.
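
Because the permissions live in a plain array, the access rules can be checked outside the framework. The following is an added example, not the component's own code: a hypothetical isAllowed() helper that evaluates the array format shown above with default deny, so a role or controller missing from the array is refused.

```php
<?php
// Added example: isAllowed() is a hypothetical helper, not part of the component.

/**
 * @param mixed $rules Entry for one role: '*', or [Controller => '*' | [actions]].
 *                     null means the role was not found in $permissions.
 */
function isAllowed($rules, string $controller, string $action): bool
{
    if ($rules === '*') {
        return true; // role-level wildcard: every controller and method
    }
    if (!is_array($rules) || !array_key_exists($controller, $rules)) {
        return false; // unknown role, empty rule set, or unlisted controller
    }
    $actions = $rules[$controller];
    if ($actions === '*') {
        return true; // controller-level wildcard
    }
    // strict comparison avoids PHP type juggling when matching method names
    return is_array($actions) && in_array($action, $actions, true);
}

// Same array as in the README.
$permissions = [
    'admin' => '*',
    'customer' => [
        'Products' => '*',
        'Users' => ['my_account', 'contact'],
    ],
    'banned' => [],
];

// Constructed test cases: [role, controller, action, expected result]
$cases = [
    ['admin', 'Orders', 'delete', true],
    ['customer', 'Products', 'view', true],
    ['customer', 'Users', 'my_account', true],
    ['customer', 'Users', 'delete', false],  // method not listed
    ['customer', 'Orders', 'index', false],  // controller not listed
    ['banned', 'Products', 'view', false],   // empty rule set
    ['guest', 'Products', 'view', false],    // role not in the array
];
foreach ($cases as [$role, $controller, $action, $expected]) {
    // "?? null" turns a missing role into a denial instead of an undefined-index notice
    $actual = isAllowed($permissions[$role] ?? null, $controller, $action);
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected result for $role $controller::$action");
    }
    printf("%-8s %s::%s => %s\n", $role, $controller, $action, $actual ? 'allow' : 'deny');
}
```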

Contribute

Fork and PR.
