cakephp / authentication

Authentication plugin for CakePHP. Can also be used in PSR7 based applications.
MIT License

Suggestion : allowAllUnauthenticatedExcept Function #476

Closed yosus closed 2 years ago

yosus commented 3 years ago

Hi,

Proposing a reverse of the allowUnauthenticated function. Similar to the old CakePHP having $this->Auth->allow() and $this->Auth->deny().

Scenario: I would like to allow all actions in my controller except a few actions.

Thanks

markstory commented 3 years ago

Interesting idea, I have a few questions about the behavior. How would this interact with methods like getUnauthenticatedActions()? For example:

$this->Authentication->allowAllUnauthenticatedExcept('delete');
$this->Authentication->getUnauthenticatedActions(); // What does this return?

What would happen if allowAllUnauthenticatedExcept() was called multiple times?

yosus commented 3 years ago

Assuming my controller has these actions:

  1. index
  2. view
  3. delete
  4. privateFunction1 (private function)

I would expect calling allowAllUnauthenticatedExcept() again would reset everything to the new value. Maybe an extra new function getAuthenticatedActions() to return an array of all actions that currently need authentication would be nice.

$this->Authentication->allowAllUnauthenticatedExcept(['delete']);

// Outputs :  [ 'index', 'view', ]
debug($this->Authentication->getUnauthenticatedActions());

// Calling function again
$this->Authentication->allowAllUnauthenticatedExcept(['view']);

// Outputs :  [ 'index', 'delete', ]
debug($this->Authentication->getUnauthenticatedActions());

// Getting all authenticated actions
$authActions = $this->Authentication->getAuthenticatedActions();
$authActions[] = 'delete';
$this->Authentication->allowAllUnauthenticatedExcept( $authActions );
// $authActions now contains [ 'view', 'delete' ]

// Outputs :  [ 'index' ]
debug($this->Authentication->getUnauthenticatedActions());

In CakePHP 2, calling $this->Auth->allow(); would make all actions unauthenticated. Would $this->Authentication->allowAllUnauthenticatedExcept(); allow all actions to be unauthenticated?

markstory commented 3 years ago

> In CakePHP 2, calling $this->Auth->allow(); would make all actions unauthenticated. Would $this->Authentication->allowAllUnauthenticatedExcept(); allow all actions to be unauthenticated?

I'm not a fan of that behavior as it isn't explicit in what it is doing. I think if someone wants to turn off authentication entirely they should have to work a bit harder than that.
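
A stand-alone sketch of the "allow all except" semantics discussed in this thread, added here as an example and not code from the plugin or from either commenter; the helper name `unauthenticatedActionsExcept` and the `ArticlesController` class are hypothetical, and it assumes an action is any public, non-static method declared on the controller class itself. Because the list is computed by subtraction, an action added to the controller later is unauthenticated unless it is also listed, and a misspelled exception would leave the intended action public, so the helper rejects unknown names.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the controller described in the thread.
class ArticlesController
{
    public function index(): void {}
    public function view(): void {}
    public function delete(): void {}
    private function privateFunction1(): void {}
}

/**
 * Hypothetical helper (not part of the plugin): returns every public action
 * declared on $controllerClass except the ones named in $requireAuth.
 * Each call starts from the full action list, so a second call replaces
 * the earlier result instead of accumulating exceptions.
 */
function unauthenticatedActionsExcept(string $controllerClass, array $requireAuth): array
{
    $actions = [];
    $methods = (new ReflectionClass($controllerClass))->getMethods(ReflectionMethod::IS_PUBLIC);
    foreach ($methods as $method) {
        // Skip inherited, static and magic methods (str_starts_with needs PHP 8).
        // Assumption: lifecycle callbacks overridden in a real controller
        // would need to be filtered out here as well.
        if ($method->class !== $controllerClass
            || $method->isStatic()
            || str_starts_with($method->name, '__')
        ) {
            continue;
        }
        $actions[] = $method->name;
    }

    // Fail closed on typos: an unknown name must not silently leave the
    // action the caller meant to protect in the unauthenticated list.
    $unknown = array_diff($requireAuth, $actions);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown action(s): ' . implode(', ', $unknown));
    }

    return array_values(array_diff($actions, $requireAuth));
}

print_r(unauthenticatedActionsExcept(ArticlesController::class, ['delete']));
print_r(unauthenticatedActionsExcept(ArticlesController::class, ['view']));
```

In a real controller the returned list would be passed to the component's `allowUnauthenticated()`.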

github-actions[bot] commented 2 years ago

This issue is stale because it has been open for 120 days with no activity. Remove the stale label or comment or this will be closed in 15 days