【发布时间】:2016-06-25 09:58:54
【问题描述】:
我认为我的应用程序授权有误。我只想允许具有管理员角色的用户添加页面。但是我可以毫无问题地访问添加功能。所以这就是我所做的。
AppController
public function initialize()
{
parent::initialize();
$this->loadComponent('RequestHandler');
$this->loadComponent('Flash');
$this->loadComponent('Auth', [
'loginRedirect' => [
'controller' => 'Moves',
'action' => 'view'
],
'logoutRedirect' => [
'controller' => 'Pages',
'action' => 'display',
'home'
]
]);
public function beforeFilter(Event $event)
{
$this->Auth->allow(['index', 'view', 'display', 'english', 'italian', 'german']);
$this->Auth->loginAction = array('controller'=>'pages', 'action'=>'home');
$this->loadModel('Menus');
$main_de = $this->Menus->find('all', array(
'conditions' => array('Menus.action' => 'main_de')
));
$this->set('main_de', $main_de);
$main_us = $this->Menus->find('all', array(
'conditions' => array('Menus.action' => 'main_us')
));
$this->set('main_us', $main_us);
}
public function isAuthorized($user)
{
// Admin can access every action
if (isset($user['role']) && $user['role'] === 'admin') {
return true;
}
// Default deny
return false;
}
页面
public function isAuthorized($user)
{
// All registered users can add articles
if ($this->request->action === 'add') {
return false;
}
// The owner of an article can edit and delete it
if (in_array($this->request->action, ['edit', 'delete'])) {
$articleId = (int)$this->request->params['pass'][0];
if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
return false;
}
}
return false;
}
编辑:找到解决方案,我在 loadComponent('Auth...
中忘记了 'authorize' => 'Controller'【问题讨论】: