What is the difference between the Auth component and the ACL component in CakePHP?

This is part of my Guide to setting up the CakePHP auth component series.

One of the things that I found most confusing about implementing the Auth component and ACL was their precise relationship: how they hung together, what one was and the other wasn’t, or more specifically what one did and the other didn’t.

While conceptually not complicated – the Auth Component is something that identifies a user whereas the ACL component is something that takes that knowledge and says “what does this identified user have access to” – they seem (at first) so intermeshed in the “Automagic” functions of CakePHP that it can be difficult to establish what is causing what to happen.

I found this particularly so when, having not gone through the Simple-Acl-controlled-Application tutorial kindly provided by the CakePHP team, I dropped the Auth component into my components list and lo and behold I was required to authenticate against actions I had wanted protected.

It wasn’t until reading this article and doing a bit of experimenting that I realised that while it was definitely “Authenticating”, it was not “Checking access”, so none of my ACL stuff was kicking in at all.

An example of how the two functions seem intermeshed is the allowedActions function that is specified in the beforeFilter:

$this->Auth->allowedActions = array('*');

This is (as the method path shows) a function of the Auth component, but it relates to access, in this case the actions of the controller. This is an important function to understand: it tells the AuthComponent to allow PUBLIC access to all actions (you can of course provide a specific array of actions here as well). The important thing to understand is that “public” is just the default state given to a non-authenticated user; it is not a specific group you need to create and assign by default (which is the case in some authentication systems I’ve seen).

So remember that while a user can be “authenticated”, that is, they are known to the system, they are not necessarily being checked against their access profile. $this->Auth->allowedActions can confuse matters if you’re not careful, because a redirect to the login page can suggest that the authenticated person does or doesn’t have access to something when in fact only authentication, not access, is being checked.
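To make the distinction concrete, here is an added example (not code from the original post) of an AppController::beforeFilter() that first switches on authentication only, and then switches on ACL-based authorization as well; it assumes the CakePHP 1.2-era Auth and Acl component API and a users controller with login/logout actions.

```php
<?php
// Added example, not from the original post. Assumes CakePHP 1.2-era
// Auth/Acl components and a UsersController with login() and logout().
class AppController extends Controller {
    var $components = array('Auth', 'Acl');

    function beforeFilter() {
        // --- Authentication only -------------------------------------
        // With just these lines the Auth component answers one question:
        // "is this visitor logged in?". Anyone not logged in is redirected
        // to loginAction for every action except the ones allowed here.
        // Passing '*' (as in $this->Auth->allowedActions = array('*') in
        // the post) would make every action public instead.
        $this->Auth->allow('login', 'logout');
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->loginRedirect = array('controller' => 'posts', 'action' => 'index');

        // At this point a logged-in user can reach EVERY non-public
        // action; the ACL tables are never consulted.

        // --- Authorization via ACL -----------------------------------
        // This is the switch that makes Auth ask the Acl component
        // "may THIS user run THIS controller/action?" on every request.
        // Without it, a redirect to the login page only ever means
        // "not authenticated", never "not permitted".
        $this->Auth->authorize = 'actions';

        // ACO path prefix the check is made against, so the node for
        // PostsController::edit() is expected at controllers/Posts/edit
        // (the layout the Simple ACL tutorial builds).
        $this->Auth->actionPath = 'controllers/';

        // Separate messages make it obvious in testing which of the two
        // checks failed: not logged in, or logged in but not permitted.
        $this->Auth->loginError = 'Invalid username or password.';
        $this->Auth->authError = 'You are logged in, but your group may not perform that action.';
    }
}
```

Comment out the `authorize` line and a logged-in user of any group will reach every non-public action again, which is exactly the “authenticating but not checking access” state described above.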

When working out what is tripping up a security response, use this handy guide to Debugging CakePHP Auth component, which can tell you what is being validated against and thus whether it is your dodgy ACL setup or just the default settings in the Auth component that are causing the problem.
