Yummy ACL
Welcome to the YummyAcl documentation. YummyAcl is a rudimentary ACL system designed to be easy to understand and easy to implement. It works in conjunction with the CakePHP 3 AuthComponent and FlashComponent and will not work without them: AuthComponent establishes who the current user is, and YummyAcl only decides which controller actions that user's group may reach. ACLs can be configured at the controller level in your beforeFilter method or in a config file. This is a group-based ACL system (e.g. admin, manager, user) that requires no database.
Load YummyAcl in your application's AppController.
File: src/Controller/AppController.php
Example:
```php
$this->loadComponent('Yummy.YummyAcl', [
    'group' => $this->Auth->user('group'),
]);
```
YummyAcl requires a group: the value of the current user's group (e.g. the admin group). Typically this is stored in the Auth component, but you could read it from the session or some other means. Whatever the source, it must be something the server established at login (the authenticated user record or the session), never a value taken from request parameters, because the group is the only input the access decision is made on.
- group (string|integer): the logged-in user's group (required)
- redirect (string): where to redirect if the user is forbidden (default: Auth.unauthorizedRedirect)
- use_config_file (boolean): whether to use a config file to define ACLs (default: false)
Use the YummyAcl->actions method to define ACLs on your controller's actions.
Example:
```php
public function beforeFilter(\Cake\Event\Event $event)
{
    parent::beforeFilter($event);

    /**
     * Use the allow method to define controller-wide ACLs.
     * In this example Root will have access to all actions,
     * even those actions which are not explicitly defined.
     */
    $this->YummyAcl->allow(['Root']);

    /**
     * Use the actions method to define which groups can
     * access a specific action.
     */
    $this->YummyAcl->actions([
        'login'  => '*',                  // allow all
        'logout' => '*',                  // allow all
        'index'  => ['Admin', 'Manager'], // allow Admin + Manager
        'view'   => ['Admin', 'Manager'], // allow Admin + Manager
        'edit'   => ['Admin'],            // allow Admin
    ]);
}
```
The wildcard (*) indicates that every group can reach login and logout; otherwise an array of allowed groups is passed. Group names must match the value returned by $this->Auth->user('group'): a misspelled group never matches, so that group is simply denied. Actions that are not listed remain reachable only through the controller-wide allow method (Root in the example above).
If you would rather specify ACLs in a CakePHP config file you can do so by creating a config/yummy_acl.php file and loading the component with 'use_config_file' => true. Using a config file has many benefits over scattering ACLs across many controllers: it is easier to manage, you can use a caching engine for performance, and you'll have a history of ACL changes over time in your version control.
```php
$this->loadComponent('Yummy.YummyAcl', [
    'group' => $this->Auth->user('group'),
    'use_config_file' => true,
]);
```
File: config/bootstrap.php
```php
Configure::load('yummy_acl', 'default', false);
```
File: config/yummy_acl.php
```php
<?php
return [
    'YummyAcl' => [
        'Dashboard' => [
            'allow' => '*',
        ],
        'User' => [
            'allow' => ['Root'],
            'actions' => [
                'login'  => '*',
                'logout' => '*',
                'index'  => ['Admin', 'Manager'],
                'view'   => ['Admin', 'Manager'],
                'edit'   => ['Admin'],
            ],
        ],
    ],
];
```
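The following is an added example, not code from the YummyAcl plugin, that applies the decision rules described above (controller-wide allow groups reach every action, '*' opens an action to everyone, listed groups reach only their actions) to the config array from this section, and lints the same array for the mistakes that matter in a group-only ACL: a group name that does not exist (it never matches, so it silently denies) and a controller-wide 'allow' => '*' (it bypasses every per-action rule). It serves both the beforeFilter and the config-file approach, since both end up as the same controller/action/group mapping. Assumptions made here, not stated by the plugin: an action that is not listed is denied, an unauthenticated visitor has a null group, group comparison is an exact string match, and the $knownGroups list stands in for whatever groups your application actually defines.

```php
<?php
// Added example (not YummyAcl's own code): evaluate and lint a YummyAcl-style
// config array. Denying unlisted actions, treating an unauthenticated visitor
// as group null, and exact string matching are ASSUMPTIONS of this example.
declare(strict_types=1);

// Constructed sample, mirroring config/yummy_acl.php above.
$config = [
    'YummyAcl' => [
        'Dashboard' => [
            'allow' => '*',
        ],
        'User' => [
            'allow' => ['Root'],
            'actions' => [
                'login'  => '*',
                'logout' => '*',
                'index'  => ['Admin', 'Manager'],
                'view'   => ['Admin', 'Manager'],
                'edit'   => ['Admin'],
            ],
        ],
    ],
];

// Groups that exist in the application (assumed list for this example).
$knownGroups = ['Root', 'Admin', 'Manager', 'User'];

/**
 * Decide whether $group may run $controller::$action under $acl.
 * Anything not explicitly granted is denied (fail closed).
 */
function isAllowed(array $acl, string $controller, string $action, ?string $group): bool
{
    if (!isset($acl[$controller])) {
        return false;                         // unknown controller: deny
    }
    $rules = $acl[$controller];
    $allow = $rules['allow'] ?? [];
    if ($allow === '*' || ($group !== null && in_array($group, (array)$allow, true))) {
        return true;                          // controller-wide grant
    }
    $actionRule = $rules['actions'][$action] ?? null;
    if ($actionRule === '*') {
        return true;                          // wildcard: every group, even none
    }
    return $group !== null && is_array($actionRule) && in_array($group, $actionRule, true);
}

/**
 * Report ACL entries that widen or silently break access:
 * a controller-wide '*' (overrides all per-action rules) and
 * group names not in $knownGroups (typos never match, so they deny).
 */
function lintAcl(array $acl, array $knownGroups): array
{
    $findings = [];
    foreach ($acl as $controller => $rules) {
        $allow = $rules['allow'] ?? [];
        if ($allow === '*') {
            $findings[] = "$controller: 'allow' => '*' grants every action to everyone";
        }
        $lists = ['allow' => $allow] + ($rules['actions'] ?? []);
        foreach ($lists as $name => $groups) {
            if ($groups === '*') {
                continue;
            }
            foreach ((array)$groups as $g) {
                if (!in_array($g, $knownGroups, true)) {
                    $findings[] = "$controller/$name: unknown group '$g' (exact match required)";
                }
            }
        }
    }
    return $findings;
}

$acl = $config['YummyAcl'];

// Access matrix for the User controller; Root appears everywhere via the
// controller-wide allow, Manager must not appear on edit.
foreach (array_keys($acl['User']['actions']) as $action) {
    $granted = array_filter($knownGroups, fn(string $g) => isAllowed($acl, 'User', $action, $g));
    printf("User/%-6s -> %s\n", $action, implode(', ', $granted) ?: '(nobody)');
}

// An unauthenticated visitor (group null) must reach login and nothing else,
// and an action that is not listed (delete) is denied even to Admin.
printf("anonymous login: %s\n", isAllowed($acl, 'User', 'login', null) ? 'allow' : 'deny');
printf("anonymous index: %s\n", isAllowed($acl, 'User', 'index', null) ? 'allow' : 'deny');
printf("Admin delete:    %s\n", isAllowed($acl, 'User', 'delete', 'Admin') ? 'allow' : 'deny');

foreach (lintAcl($acl, $knownGroups) as $finding) {
    echo "lint: $finding\n";
}
```

Run it with `php acl_check.php` (any file name will do) against your own config/yummy_acl.php by replacing the constructed $config with `include 'config/yummy_acl.php'`; the lint output is a cheap check to run in CI whenever the config file changes, which is one of the benefits of keeping the ACL in version control.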
Cake\Network\Exception\InternalErrorException
Generally you'll receive this if something has not been configured correctly, e.g. the required group option is missing. The exception message indicates the course of action to take.
Cake\Network\Exception\ForbiddenException
Thrown when the current group is not allowed to reach the requested action and no redirect path is configured in either Auth (Auth.unauthorizedRedirect) or YummyAcl (redirect). When a redirect path is configured, the user is redirected there instead of receiving a 403 response.