cakePHP isAuthorized not working

Question

I have a table which splits my users (user_levels) linked to the users table (user_level_id). Level 5 is administrator.

I want to limit certain actions from being viewed and understand I can do this with isAuthorized. I went according to book and I am pretty sure I have it right, but it is not working. It allows any logged in users to still access any of the actions although I deny it in isAuthorized.

Here is my code:

 App Controller:public $components = array(
    'Session',

    'Auth' => array(
        'loginAction' => array(
            'controller' => 'users',
            'action' => 'login',
        ),
        'authError' => "Your username and password is incorrect, please try again.",
        'authenticate' => array(
            'Form' => array(
                'scope' => array('User.user_status_id' => 1)
            )
        ),
        'redirect' => array("controller" => "users", "action" => "profile"),
        'loginRedirect' => array("controller" => "users", "action" => "profile")
    )
);

public function isAuthorized($user = null) {
    if($this->Auth->user("user_level_id") == 5) {
        return true;
    }
    // Default deny
    return false;
}

public function beforeFilter() {
    $this->Auth->allow("display");
   if($this->Auth->loggedIn() == true) {
       $this->set("user_name",$this->Auth->user("first_name")." ".$this->Auth->user("last_name"));
       $this->set("loggedIn",true);
       if($this->Auth->user("user_type_id") == 5) {
           $this->set("navigation","navigation_admin");
       } else {
           $this->set("navigation","navigation_loggedin");
       }
   } else {
       $this->set("loggedIn",false);
       $this->set("navigation","navigation_notloggedin");
   }

}

 }

 // Users Controller:

 public function beforeFilter() {
    $this->Auth->allow("login");
    parent::beforeFilter();
}

public function isAuthorized($user = null) {
    if($this->Auth->user("user_level_id") == 5) {

        return true;
    }
    // Default deny
    return parent::isAuthorized($user);
}

Answer 1

Looks like you're just missing the configuration to just tell the AuthComponent to use isAuthorized().

'Auth' => array(
        'loginAction' => array(
            'controller' => 'users',
            'action' => 'login',
        ),
        'authError' => "Your username and password is incorrect, please try again.",
        'authenticate' => array(
            'Form' => array(
                'scope' => array('User.user_status_id' => 1)
            )
        ),
        'authorize' => array('Controller'), // <- here
        'redirect' => array("controller" => "users", "action" => "profile"),
        'loginRedirect' => array("controller" => "users", "action" => "profile")
    )