
Allow throwing UnauthorizedException instead of redirection upon unauth... #889

Closed
wants to merge 1 commit into from

4 participants

@ADmad
Collaborator

...orized access attempt.

Refs #591

@lorenzo
Owner

You are my hero

@lorenzo
Owner

honestly

@markstory markstory commented on the diff
.../Test/Case/Controller/Component/AuthComponentTest.php
((5 lines not shown))
+ * @expectedException UnauthorizedException
+ * @return void
+ */
+ public function testUnauthorizedException() {
+ $url = '/party/on';
+ $this->Auth->request = $CakeRequest = new CakeRequest($url);
+ $this->Auth->request->addParams(Router::parse($url));
+ $this->Auth->authorize = array('Controller');
+ $this->Auth->authorize = array('Controller');
+ $this->Auth->unauthorizedRedirect = false;
+ $this->Auth->login(array('username' => 'baker', 'password' => 'cake'));
+
+ $CakeResponse = new CakeResponse();
+ $Controller = $this->getMock(
+ 'Controller',
+ array('on', 'redirect'),
@markstory Owner

What's the 'on' method do?

@ADmad Collaborator
ADmad added a note

Nothing, bad copy paste :) Will fix it.

@ADmad Collaborator
ADmad added a note

Hmm, if I remove the 'on' my test case fails. So I am not sure what it does. I copied this from the testDefaultToLoginRedirect() function. There too, if I remove the 'on' the test case fails.

@ADmad Collaborator
ADmad added a note

Ceeram enlightened me that the "on" is the controller action as the test uses url "/party/on".

@markstory Owner

Oh I missed that, thanks for the clarification.

@markstory
Owner

Looks like a good change, great for more REST based applications. I wonder if handling what happens on unauthorized situations should be exposed as an event in a future release? We could include a sane default handler with a 999999 priority.

@ceeram
Collaborator

401 is not the correct status code for an authenticated user which doesn't have the correct permissions:

From the RFC:
The request requires user authentication. The response MUST include a WWW-Authenticate header field.....

@ADmad
Collaborator

@lorenzo You are too kind :)

@markstory Yeah perhaps in future an event would be nice. Currently perhaps I should move the redirection or exception throwing code into a public method. So in case someone wants more flexibility they can extend Auth and override the method.
Edit: I meant protected method not public.

@ceeram You party pooper :P So a 403 Forbidden seems to be the only other reasonable alternative.

@ceeram
Collaborator
@ADmad
Collaborator

Merged in 1c0492e

@ADmad ADmad closed this
Commits on Oct 2, 2012
  1. @ADmad
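--- a/lib/Cake/Controller/Component/AuthComponent.php
+++ b/lib/Cake/Controller/Component/AuthComponent.php
@@ -212,6 +212,15 @@ class AuthComponent extends Component {
 public $authError = null;
 /**
+ * Controls handling of unauthorized access. By default unauthorized user is
+ * redirected to the referrer url or AuthComponent::$loginAction or '/'.
+ * If set to false a ForbiddenException exception is thrown instead of redirecting.
+ *
+ * @var boolean
+ */
+ public $unauthorizedRedirect = true;
+
+/**
 * Controller actions for which user validation is not required.
 *
 * @var array
@@ -322,6 +331,21 @@ public function startup(Controller $controller) {
 return true;
 }
+ return $this->_unauthorized($controller);
+ }
+
+/**
+ * Handle unauthorized access attempt
+ *
+ * @param Controller $controller A reference to the controller object
+ * @return boolean Returns false
+ * @throws ForbiddenException
+ */
+ protected function _unauthorized(Controller $controller) {
+ if (!$this->unauthorizedRedirect) {
+ throw new ForbiddenException($this->authError);
+ }
+
 $this->flash($this->authError);
 $default = '/';
 if (!empty($this->loginRedirect)) {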
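Review bot: The new docblock for `$unauthorizedRedirect` names `AuthComponent::$loginAction` as the fallback redirect target, but the redirect path kept as context in the second hunk checks `$this->loginRedirect`, so the comment appears to document the wrong property; `* redirected to the referrer url or AuthComponent::$loginRedirect or '/'.` would match the code. In `_unauthorized`, `$this->authError` defaults to `null` (first hunk), so an application that never configures it throws `ForbiddenException` with a null message; if the exception class does not substitute its own default text the error response will carry an empty message, which deserves either a test or an explicit fallback string. The guard `if (!$this->unauthorizedRedirect)` also fires for `0`, `''` and `null`, which is acceptable for the documented boolean, but `if ($this->unauthorizedRedirect === false)` would state the contract exactly. The body of `_unauthorized` continues past the end of the hunk.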
24 lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
@@ -908,6 +908,30 @@ public function testDefaultToLoginRedirect() {
}
/**
+ * Throw ForbiddenException if AuthComponent::$unauthorizedRedirect set to false
+ * @expectedException ForbiddenException
+ * @return void
+ */
+ public function testForbiddenException() {
+ $url = '/party/on';
+ $this->Auth->request = $CakeRequest = new CakeRequest($url);
+ $this->Auth->request->addParams(Router::parse($url));
+ $this->Auth->authorize = array('Controller');
+ $this->Auth->authorize = array('Controller');
+ $this->Auth->unauthorizedRedirect = false;
+ $this->Auth->login(array('username' => 'baker', 'password' => 'cake'));
+
+ $CakeResponse = new CakeResponse();
+ $Controller = $this->getMock(
+ 'Controller',
+ array('on', 'redirect'),
@markstory Owner

What's the 'on' method do?

@ADmad Collaborator
ADmad added a note

Nothing, bad copy paste :) Will fix it.

@ADmad Collaborator
ADmad added a note

Hmm, if I remove the 'on' my test case fails. So I am not sure what it does. I copied this from the testDefaultToLoginRedirect() function. There too, if I remove the 'on' the test case fails.

@ADmad Collaborator
ADmad added a note

Ceeram enlightened me that the "on" is the controller action as the test uses url "/party/on".

@markstory Owner

Oh I missed that, thanks for the clarification.

+ array($CakeRequest, $CakeResponse)
+ );
+
+ $this->Auth->startup($Controller);
+ }
+
+/**
* Test that no redirects or authorization tests occur on the loginAction
*
* @return void
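Review bot: `$this->Auth->authorize = array('Controller');` is assigned twice in a row at the top of `testForbiddenException`; the second assignment is a copy-paste duplicate and should be dropped. Because `redirect` is on the mocked method list, the test would pin the intended behaviour more tightly with `$Controller->expects($this->never())->method('redirect');` placed before the `startup()` call, so that it fails if a redirect is attempted before the exception rather than only passing when some ForbiddenException surfaces. The new docblock also runs straight from its description line into `@expectedException` with no blank ` *` line, unlike the surrounding test docblocks.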