Authorization and ACL in cakephp 3

Question

I search the document but I don't find anything about ACL implementation in cakephp 3. How can I implement authorization with ACL in cakephp 3?

Answer 1

ACL is not built into CakePHP 3 as it was in CakePHP 2. It is now available as a separate plugin.

Quote from http://book.cakephp.org/3.0/en/appendices/3-0-migration-guide.html

ACL related classes were moved to a separate plugin. Password hashers, Authentication and Authorization providers where moved to the \Cake\Auth namespace. You are required to move your providers and hashers to the App\Auth namespace as well.

You can find the plugin at https://github.com/cakephp/acl, but note that it's not yet stable.

Answer 2

Great question, as Daniel Castro said the plugin is at https://github.com/cakephp/acl.

The part that is missing is to override 'isAuthorized' in your 'AppController.php' with something like:

...
use Acl\Controller\Component\AclComponent;
use Cake\Controller\ComponentRegistry;
...



public function isAuthorized($user){
      $Collection = new ComponentRegistry();
      $acl= new AclComponent($Collection);
      $username=$user['username'];
      $controller=$this->request->controller;
      $action=$this->request->action;
      $check=$acl->check($user['username'],"$controller/$action");
      return $check;
    }

Someone wiser than I will know better if the user/action/controller bits could be better sanitized. There are lots of warnings about the stability of this plugin and 'gotchas' on acl in terms of performance.

I am cutting over from a 1.3 implementation, it was helpful to add in the AppController 'initialize' info from http://book.cakephp.org/3.0/en/controllers/components/authentication.html