Don't promote default allow

App controller isAllowed should, absolutely always default to false. Any controller overriding isAuthorized should fallback to calling the parent function. This also implies optimizing the code flow for normal users - not optimizing the code flow for admin user - which is effectively how the previous code worked.
quylt · Mar 26, 2012 · e974a80 · e974a80
1 parent 4c69b94
commit e974a80
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 31 deletions.
diff --git a/en/core-libraries/components/authentication.rst b/en/core-libraries/components/authentication.rst
@@ -645,10 +645,18 @@ checked::
             'Auth' => array('authorize' => 'Controller'),
         );
         public function isAuthorized($user = null) {
+            // Any registered user can access public functions
+            if (empty($this->request->params['admin'])) {
+                return true;
+            }
+
+            // Only admins can access admin functions
             if (isset($this->request->params['admin'])) {
-                return (bool)($user['role'] == 'admin');
+                return (bool)($user['role'] === 'admin');
             }
-            return true;
+
+            // Default deny
+            return false;
         }
     }
 
@@ -704,7 +712,7 @@ and authentication mechanics in CakePHP.
 
 .. php:attr:: authError
 
-    Error to display when user attempts to access an object or action to which 
+    Error to display when user attempts to access an object or action to which
     they do not have access.
 
 .. php:attr:: authorize
@@ -719,7 +727,7 @@ and authentication mechanics in CakePHP.
 
 .. php:attr:: flash
 
-    Settings to use when Auth needs to do a flash message with 
+    Settings to use when Auth needs to do a flash message with
     :php:meth:`SessionComponent::setFlash()`.
     Available keys are:
 
@@ -734,15 +742,15 @@ and authentication mechanics in CakePHP.
 
 .. php:attr:: loginRedirect
 
-    The URL (defined as a string or array) to the controller action users 
-    should be redirected to after logging in. This value will be ignored if the 
+    The URL (defined as a string or array) to the controller action users
+    should be redirected to after logging in. This value will be ignored if the
     user has an ``Auth.redirect`` value in their session.
 
 .. php:attr:: logoutRedirect
 
-    The default action to redirect to after the user is logged out. While 
-    AuthComponent does not handle post-logout redirection, a redirect URL will 
-    be returned from :php:meth:`AuthComponent::logout()`. Defaults to 
+    The default action to redirect to after the user is logged out. While
+    AuthComponent does not handle post-logout redirection, a redirect URL will
+    be returned from :php:meth:`AuthComponent::logout()`. Defaults to
     :php:attr:`AuthComponent::$loginAction`.
 
 .. php:attr:: request
@@ -755,7 +763,7 @@ and authentication mechanics in CakePHP.
 
 .. php:attr:: sessionKey
 
-    The session key name where the record of the current user is stored. If 
+    The session key name where the record of the current user is stored. If
     unspecified, it will be "Auth.User".
 
 .. php:method:: allow($action, [$action, ...])
@@ -783,7 +791,7 @@ and authentication mechanics in CakePHP.
 
 .. php:method:: flash($message)
 
-    Set a flash message. Uses the Session component, and values from 
+    Set a flash message. Uses the Session component, and values from
     :php:attr:`AuthComponent::$flash`.
 
 .. php:method:: identify($request, $response)
@@ -801,8 +809,8 @@ and authentication mechanics in CakePHP.
 
 .. php:method:: isAuthorized($user = null, $request = null)
 
-    Uses the configured Authorization adapters to check whether or not a user 
-    is authorized. Each adapter will be checked in sequence, if any of them 
+    Uses the configured Authorization adapters to check whether or not a user
+    is authorized. Each adapter will be checked in sequence, if any of them
     return true, then the user will be authorized for the request.
 
 .. php:method:: loggedIn()
@@ -828,9 +836,9 @@ and authentication mechanics in CakePHP.
 
 .. php:method:: mapActions($map = array())
 
-    Maps action names to CRUD operations. Used for controller-based 
-    authentication. Make sure to configure the authorize property before 
-    calling this method. As it delegates $map to all the attached authorize 
+    Maps action names to CRUD operations. Used for controller-based
+    authentication. Make sure to configure the authorize property before
+    calling this method. As it delegates $map to all the attached authorize
     objects.
 
 .. php:staticmethod:: password($pass)
@@ -839,9 +847,9 @@ and authentication mechanics in CakePHP.
 
 .. php:method:: redirect($url = null)
 
-    If no parameter is passed, gets the authentication redirect URL. Pass a 
-    url in to set the destination a user should be redirected to upon logging 
-    in. Will fallback to :php:attr:`AuthComponent::$loginRedirect` if there is 
+    If no parameter is passed, gets the authentication redirect URL. Pass a
+    url in to set the destination a user should be redirected to upon logging
+    in. Will fallback to :php:attr:`AuthComponent::$loginRedirect` if there is
     no stored redirect value.
 
 .. php:method:: shutdown($Controller)
@@ -850,7 +858,7 @@ and authentication mechanics in CakePHP.
 
 .. php:method:: startup($Controller)
 
-    Main execution method. Handles redirecting of invalid users, and 
+    Main execution method. Handles redirecting of invalid users, and
     processing of login form data.
 
 .. php:staticmethod:: user($key = null)

diff --git a/en/tutorials-and-examples/blog-auth-example/auth.rst b/en/tutorials-and-examples/blog-auth-example/auth.rst
@@ -316,10 +316,13 @@ Open again the AppController class and add a few more options to the Auth config
     );
 
     public function isAuthorized($user) {
+        // Admin can access every action
         if (isset($user['role']) && $user['role'] === 'admin') {
-            return true; //Admin can access every action
+            return true;
         }
-        return false; // The rest don't
+
+        // Default deny
+        return false;
     }
 
 We just created a very simple authorization mechanism. In this case the users
@@ -338,20 +341,20 @@ and add the following content::
     // app/Controller/PostsController.php
 
     public function isAuthorized($user) {
-        if (parent::isAuthorized($user)) {
-            return true;
-        }
-
+        // All registered users can add posts
         if ($this->action === 'add') {
-           // All registered users can add posts
             return true;
         }
+
+        // The owner of a post can edit and delete it
         if (in_array($this->action, array('edit', 'delete'))) {
             $postId = $this->request->params['pass'][0];
-            return $this->Post->isOwnedBy($postId, $user['id']);
+            if ($this->Post->isOwnedBy($postId, $user['id'])) {
+                return true;
+            }
         }
-        
-        return false;
+
+        return parent::isAuthorized($user);
     }
 
 We're now overriding the AppController's ``isAuthorized()`` call and internally
@@ -388,4 +391,4 @@ Suggested Follow-up Reading
 
 .. meta::
     :title lang=en: Simple Authentication and Authorization Application
-    :keywords lang=en: auto increment,authorization application,model user,array,conventions,authentication,urls,cakephp,delete,doc,columns
+    :keywords lang=en: auto increment,authorization application,model user,array,conventions,authentication,urls,cakephp,delete,doc,columns