Authentication control component class
Binds access control with user authentication and session management.
string
'all'
$_authenticateObjects
protected $_authorizeObjects
protected $_methods
protected array
array
The current user, used for stateless authentication when sessions are not available.
$ajaxLogin
public string
The name of an optional view element to render when an Ajax request is made with an invalid or expired session
$allowedActions
public array
$authError
public string|boolean
Error to display when user attempts to access an object or action to which they do not have access.
$authenticate
public array
An array of authentication objects to use for authenticating users. You can configure multiple adapters and they will be checked sequentially when users are identified.
$authorize
public mixed
An array of authorization objects to use for authorizing users. You can configure multiple adapters and they will be checked sequentially when authorization checks are done.
$components
public array
$flash
public array
Settings to use when Auth needs to do a flash message with SessionComponent::setFlash(). Available keys are:
$loginAction
public mixed
A URL (defined as a string or array) to the controller action that handles logins. Defaults to /users/login
.
$loginRedirect
public mixed
Normally, if a user is redirected to the $loginAction page, the location they were redirected from will be stored in the session so that they can be redirected back after a successful login. If this session value is not set, redirectUrl() method will return the URL specified in $loginRedirect.
$logoutRedirect
public mixed
The default action to redirect to after the user is logged out. While AuthComponent does not handle post-logout redirection, a redirect URL will be returned from AuthComponent::logout(). Defaults to AuthComponent::$loginAction.
$request
public $response
public string
The session key name where the record of the current user is stored. Default key is "Auth.User". If you are using only stateless authenticators set this to false to ensure session is not started.
$unauthorizedRedirect
public mixed
Controls handling of unauthorized access. - For default value true
unauthorized user is redirected to the referrer URL or AuthComponent::$loginRedirect or '/'. - If set to a string or array the value is used as a URL to redirect to. - If set to false a ForbiddenException exception is thrown instead of redirecting.
Similar to AuthComponent::user() except if the session user cannot be found, connected authentication objects will have their getUser() methods called. This lets stateless authentication methods function correctly.
Handles unauthenticated access attempt. First the unathenticated()
method of the last authenticator in the chain will be called. The authenticator can handle sending response or redirection as appropriate and return true
to indicate no furthur action is necessary. If authenticator returns null this method redirects user to login action. If it's an ajax request and $ajaxLogin is specified that element is rendered else a 403 http status code is returned.
Takes a list of actions in the current controller for which authentication is not required, or no parameters to allow all actions.
Use the configured authentication adapters, and attempt to identify the user by credentials contained in $request.
Main execution method. Handles redirecting of invalid users, and processing of login form data.
_getUser( )
Similar to AuthComponent::user() except if the session user cannot be found, connected authentication objects will have their getUser() methods called. This lets stateless authentication methods function correctly.
_isAllowed( Controller $controller )
Checks whether current action is accessible without authentication.
Controller
$controller
_isLoginAction( Controller $controller )
Normalizes $loginAction and checks if current request URL is same as login action.
Controller
$controller
_setDefaults( )
Attempts to introspect the correct values for object properties.
_unauthenticated( Controller $controller )
Handles unauthenticated access attempt. First the unathenticated()
method of the last authenticator in the chain will be called. The authenticator can handle sending response or redirection as appropriate and return true
to indicate no furthur action is necessary. If authenticator returns null this method redirects user to login action. If it's an ajax request and $ajaxLogin is specified that element is rendered else a 403 http status code is returned.
Controller
$controller
_unauthorized( Controller $controller )
Handle unauthorized access attempt
Controller
$controller
ForbiddenException
allow( string|array|null $action null )
Takes a list of actions in the current controller for which authentication is not required, or no parameters to allow all actions.
You can use allow with either an array, or var args.
$this->Auth->allow(array('edit', 'add'));
or $this->Auth->allow('edit', 'add');
or $this->Auth->allow();
to allow all actions
$action
optional null constructAuthenticate( )
Loads the configured authentication objects.
CakeException
constructAuthorize( )
Loads the authorization objects configured.
CakeException
deny( string|array|null $action null )
Removes items from the list of allowed/no authentication required actions.
You can use deny with either an array, or var args.
$this->Auth->deny(array('edit', 'add'));
or $this->Auth->deny('edit', 'add');
or $this->Auth->deny();
to remove all items from the allowed list
$action
optional null flash( string $message )
Set a flash message. Uses the Session component, and values from AuthComponent::$flash.
$message
identify( CakeRequest $request , CakeResponse $response )
Use the configured authentication adapters, and attempt to identify the user by credentials contained in $request.
CakeRequest
$request
CakeResponse
$response
initialize( Controller $controller )
Initializes AuthComponent for use in the controller.
Controller
$controller
Component::initialize()
isAuthorized( array|null $user null , CakeRequest $request null )
Check if the provided user is authorized for the request.
Uses the configured Authorization adapters to check whether or not a user is authorized. Each adapter will be checked in sequence, if any of them return true, then the user will be authorized for the request.
$user
optional null CakeRequest
$request
optional null loggedIn( )
Check whether or not the current user has data in the session, and is considered logged in.
login( array|null $user null )
Log a user in.
If a $user is provided that data will be stored as the logged in user. If $user
is empty or not specified, the request will be used to identify a user. If the identification was successful, the user record is written to the session key specified in AuthComponent::$sessionKey. Logging in will also change the session id in order to help mitigate session replays.
$user
optional null logout( )
Log a user out.
Returns the logout action to redirect to. Triggers the logout() method of all the authenticate objects, so they can perform custom logout logic. AuthComponent will remove the session data, so there is no need to do that in an authentication object. Logging out will also renew the session id. This helps mitigate issues with session replays.
mapActions( array $map array() )
Maps action names to CRUD operations.
Used for controller-based authentication. Make sure to configure the authorize property before calling this method. As it delegates $map to all the attached authorize objects.
actionMap
config key on authorize objects instead$map
optional array() password( string $password )
Hash a password with the application's salt value (as defined with Configure::write('Security.salt');
This method is intended as a convenience wrapper for Security::hash(). If you want to use a hashing/encryption system not supported by that method, do not use this method.
$password
redirect( string|array|null $url null )
Backwards compatible alias for AuthComponent::redirectUrl().
$url
optional null redirectUrl( string|array|null $url null )
Get the URL a user should be redirected to upon login.
Pass a URL in to set the destination a user should be redirected to upon logging in.
If no parameter is passed, gets the authentication redirect URL. The URL returned is as per following rules:
$url
optional null startup( Controller $controller )
Main execution method. Handles redirecting of invalid users, and processing of login form data.
Controller
$controller
Component::startup()
user( string|null $key null )
Get the current user.
Will prefer the static user cache over sessions. The static user cache is primarily used for stateless authentication. For stateful authentication, cookies + sessions will be used.
$key
optional null __construct( ComponentCollection $collection , array $settings array() )
Constructor
ComponentCollection
$collection
$settings
optional array() CakeObject::__construct()
__get( string $name )
Magic method for lazy loading $components.
$name
beforeRedirect( Controller $controller , string|array $url , integer $status null , boolean $exit true )
Called before Controller::redirect(). Allows you to replace the URL that will be redirected to with a new URL. The return of this method can either be an array or a string.
If the return is an array and contains a 'url' key. You may also supply the following:
status
The status code for the redirectexit
Whether or not the redirect should exit.If your response is a string or an array that does not contain a 'url' key it will be used as the new URL to redirect to.
Controller
$controller
$url
$status
optional null $exit
optional true beforeRender( Controller $controller )
Called before the Controller::beforeRender(), and before the view class is loaded, and before Controller::render()
Controller
$controller
shutdown( Controller $controller )
Called after Controller::render() and before the output is printed to the browser.
Controller
$controller
_mergeVars( array $properties , string $class , boolean $normalize true )
Merges this objects $property with the property in $class' definition. This classes value for the property will be merged on top of $class'
This provides some of the DRY magic CakePHP provides. If you want to shut it off, redefine this method as an empty function.
$properties
$class
$normalize
optional true _set( array $properties array() )
Allows setting of multiple properties of the object in a single line of code. Will only set properties that are part of a class declaration.
$properties
optional array() _stop( integer|string $status 0 )
Stop execution of the current script. Wraps exit() making testing easier.
$status
optional 0 dispatchMethod( string $method , array $params array() )
Calls a method on this object with the given parameters. Provides an OO wrapper for call_user_func_array
$method
$params
optional array() log( string $msg , integer $type LOG_ERR , null|string|array $scope null )
Convenience method to write a message to CakeLog. See CakeLog::write() for more information on writing to logs.
$msg
$type
optional LOG_ERR $scope
optional null The scope(s) a log message is being created in. See CakeLog::config() for more information on logging scopes.
requestAction( string|array $url , array $extra array() )
Calls a controller's method from any location. Can be used to connect controllers together or tie plugins into a main application. requestAction can be used to return rendered views or fetch the return value from controller actions.
Under the hood this method uses Router::reverse() to convert the $url parameter into a string URL. You should use URL formats that are compatible with Router::reverse()
POST and GET data can be simulated in requestAction. Use $extra['url']
for GET data. The $extra['data']
parameter allows POST data simulation.
$url
String or array-based URL. Unlike other URL arrays in CakePHP, this URL will not automatically handle passed and named arguments in the $url parameter.
$extra
optional array() if array includes the key "return" it sets the AutoRender to true. Can also be used to submit GET/POST data, and named/passed arguments.
Boolean true or false on success/failure, or contents of rendered action if 'return' is set in $extra.
toString( )
CakeObject-to-string conversion. Each class can override this method as necessary.
protected BaseAuthenticate[]
Objects that will be used for authentication checks.
array()
protected BaseAuthorize[]
Objects that will be used for authorization checks.
array()
protected static array
The current user, used for stateless authentication when sessions are not available.
array()
public string
The name of an optional view element to render when an Ajax request is made with an invalid or expired session
null
public array
Controller actions for which user validation is not required.
array()
public string|boolean
Error to display when user attempts to access an object or action to which they do not have access.
null
public array
An array of authentication objects to use for authenticating users. You can configure multiple adapters and they will be checked sequentially when users are identified.
$this->Auth->authenticate = array( 'Form' => array( 'userModel' => 'Users.User' ) );
Using the class name without 'Authenticate' as the key, you can pass in an array of settings for each authentication object. Additionally you can define settings that should be set to all authentications objects using the 'all' key:
$this->Auth->authenticate = array( 'all' => array( 'userModel' => 'Users.User', 'scope' => array('User.active' => 1) ), 'Form', 'Basic' );
You can also use AuthComponent::ALL instead of the string 'all'.
array('Form')
public mixed
An array of authorization objects to use for authorizing users. You can configure multiple adapters and they will be checked sequentially when authorization checks are done.
$this->Auth->authorize = array( 'Crud' => array( 'actionPath' => 'controllers/' ) );
Using the class name without 'Authorize' as the key, you can pass in an array of settings for each authorization object. Additionally you can define settings that should be set to all authorization objects using the 'all' key:
$this->Auth->authorize = array( 'all' => array( 'actionPath' => 'controllers/' ), 'Crud', 'CustomAuth' );
You can also use AuthComponent::ALL instead of the string 'all'
false
public array
Other components utilized by AuthComponent
array('Session', 'Flash', 'RequestHandler')
public array
Settings to use when Auth needs to do a flash message with SessionComponent::setFlash(). Available keys are:
element
- The element to use, defaults to 'default'.key
- The key to use, defaults to 'auth'params
- The array of additional params to use, defaults to array()array( 'element' => 'default', 'key' => 'auth', 'params' => array() )
public mixed
A URL (defined as a string or array) to the controller action that handles logins. Defaults to /users/login
.
array( 'controller' => 'users', 'action' => 'login', 'plugin' => null )
public mixed
Normally, if a user is redirected to the $loginAction page, the location they were redirected from will be stored in the session so that they can be redirected back after a successful login. If this session value is not set, redirectUrl() method will return the URL specified in $loginRedirect.
null
public mixed
The default action to redirect to after the user is logged out. While AuthComponent does not handle post-logout redirection, a redirect URL will be returned from AuthComponent::logout(). Defaults to AuthComponent::$loginAction.
null
public static string
The session key name where the record of the current user is stored. Default key is "Auth.User". If you are using only stateless authenticators set this to false to ensure session is not started.
'Auth.User'
public mixed
Controls handling of unauthorized access. - For default value true
unauthorized user is redirected to the referrer URL or AuthComponent::$loginRedirect or '/'. - If set to a string or array the value is used as a URL to redirect to. - If set to false a ForbiddenException exception is thrown instead of redirecting.
true
© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/2.9/class-AuthComponent.html