I’ve been working on an internal application for use at CDC that required me to have what I call “two-headed” authentication. By this I mean that there were two types of users in the system and while they could access some of the same controllers they could not always access the same actions. I know what you’re saying: why not have them both use the same model instead of making my life difficult? A few reasons, one of which was that one type of user was using their email address as the login while the other had a more traditional login name.

After struggling my way through the Auth component (the API changed while I was starting to use it), and understanding the actual flow that the Auth component uses, I nailed down how to do it. Using good CDC practices (as in “do it our way you stupid Kanuckistanian!”) I started off with putting my Auth stuff into the before filter:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

function beforeFilter() {
        parent::beforeFilter();
               
        $this->Auth->loginAction = 'plugin/users/login';
        $this->Auth->loginRedirect = 'plugin/users/index';
        $this->Auth->fields = array('username' => 'username', 'password' => 'psword');
        
        $this->set('current', $this->action);
        
        if($this->Auth->isAuthorized()) {
            
            $role = $this->Auth->user('role');
            
            if($role) {
                if ($role == 'admin' && strpost($this->action, CAKE_ADMIN) !== false) {
                    $this->Auth->allow($this->action);
                }        
                if ($role == 'admin') {
                    $this->set('adminNavigation', $this->adminNavigation);
                }
                
                $this->set('userNavigation', $this->userNavigation);
            } else {
                $this->set('clientNavigation', $this->clientNavigation);  
            }
            
            $this->set('userRole', $role);
        }
 }

Now, I had an action in a controller where a “client” can view everything but a “user” could only view a specific action. On top of that any “user” who also had an “admin” role could view any action in that controller. In that particular controller I had to put in this code:

1
2
3
4
5
6
7

function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->userModel = 'Client';
        $this->Auth->loginAction = 'plugin/clients/login';
        $this->Auth->fields = array('username' => 'email', 'password' => 'psword');
        $this->Auth->authorize = 'controller';        
}

Now, I mentioned before that I had one action in the controller that could be viewed by the User and one action only. So, I added in the isAuthorized() method to my controller that I told Auth to look for:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

    function isAuthorized() {
        if ($this->Auth->user('role')) {
            if (strpos($this->action, CAKE_ADMIN) !== false && $this->Auth->user('role') == 'admin') {
                return true;
            }
            
            if ($this->action == 'view') {
                return true;
            }
            
            return false;
        }
        
        return true;
    }

Working with the Auth component taught me a lesson about frameworks in general: when you take the time to actually dig into the source code of a framework you will realize just how much work goes into some of the more “magic” functions. I mean, you tell CakePHP that you want to use the Auth component, set a few parameters and *BAM* it takes care of directing people to your login page and validating login names and passwords (even automatically encrypting passwords upon account creation!) against your specified model. Why wouldn’t you want to use something like that?