cakephp-tinyauth

Improvements

Add any role to any command and action:

bin/cake tiny_auth_add {Controller} {Action} {roles, comma separated}

It will skip if the roles are already present for this controller and action.

Use with -d -v to just output the changes it would do to your ACL INI file.

Fixed

Fixed role reading/detection for role as backed enum.

The following would now work for a string field:

namespace App\Model\Enum;

use Cake\Database\Type\EnumLabelInterface;
use Cake\Utility\Inflector;

enum UserRole: string implements EnumLabelInterface {

    case MAINTAINER = 'maintainer';
    case ADMIN = 'admin';

    /**
     * @return string
     */
    public function label(): string {
        return Inflector::humanize(mb_strtolower($this->name));
    }

}

CakePHP 5 compatible release

Enjoy!

CakePHP 5 compatible pre-release

Please test, once confirmed we can release stable.

Improvements

• Removed deprecations
• PHP 7.4+

Improvements

• CakePHP 4.2+ and PHP 7.3+
• Remove deprecations
• Fix up edge cases around plugin config

Improvements

Prepared for PHP 8 testing.

Fixes

• Fixed identity to array conversion for helper.

Fixes

• Fixed identity to array conversion.
• Fixed component enable check in helper

Fixes

Fixed compatibility with plugins a bit more.

CakePHP 4 stable release

This release now contains two possible versions to be used

• Former AuthComponent approach (simple and fast to set up), minimal upgrade path from CakePHP 3.x
• New plugins Authentication/Authorization and middleware approach (powerful and customizable)

It manages access to controller actions the easy and DRY way using different strategies.
By default, it ships with simple INI files, but you can also add DB adapters or custom ones.

On top, it contains useful helpers around access checking in both controller and view level using components and helpers.

CakePHP 4 compatible pre-release.

Please help to finalize for stable release.

Improvements

Added TinyAuth RequestAuthorizationMiddleware to handle requests correctly that are already "public" through Authentication skipping, and thus should not throw an exception.

use Authorization\Middleware\AuthorizationMiddleware;
use TinyAuth\Middleware\RequestAuthorizationMiddleware;

$middlewareQueue->add(new AuthorizationMiddleware($this));
$middlewareQueue->add(new RequestAuthorizationMiddleware());

Improvements

After 5 years it is time for an upgrade: A shiny new major with shiny new features.

INI files

acl.ini is now auth_acl.ini, to be in sync with auth_allow.ini.
You can use Configure to keep old names if you want to (or need it for BC).

Cool new Quick setups

TinyAuth, to really live up to its name, offers a few new quick setups.

Allow non-prefixed actions to be public

If you have non-prefixed controllers that you want to make public and keep prefixed ones protected:

'allowNonPrefixed' => true,

Prefix based allow

If you want to allow certain prefixes on top, you can use:

'allowPrefixes' => [
    'my_prefix',
    'nested/prefix',
],

External data integration

With this version a new AllowAdapterInterface has been added to complete an API for other libraries to provide data:

• AllowAdapterInterface
• AclAdapterInterface for RBAC

Both able to be used to connect this plugin to other libraries for providing allow/ACL input.
It continues to default to the internal INI adapters.
If other adapters - e.g. reading from DB - are used, it will still cache those internally to provide the same general speed it does with internal adapters.

One DB integration is now available as TinyAuthBackend plugin.

Plugin support

Support for the new Authentication and Authorization plugins has been added.
A RequestPolicy is now provided to connect the TinyAuth ACL input to request based authorization using this new plugin.

If you plan on using the new plugins, you must not use Auth component anymore. They can't be mixed.

Cache busting

Cache can now be cleared from code side for each auth type.

Available roles

There is now a convenience class TinyAuth in Utility namespace to quickly retrieve currently available roles.

Upgrade Infos

With this release a few small BC breaks will have to be covered with configuration (if you didn't so before):

• file is now aclFile/allowFile
• filePath is now aclFilePath/allowFilePath
• allowUser is now allowLoggedIn (former key still works, but emits deprecation warning)
• adminPrefix is now protectedPrefix (former key still works, but emits deprecation warning)
• _authUser data is now only handed down to the view layer from AuthUser component, not Auth anymore.

Bugfixes

Fixed allowUser config together with nested prefixes to work as expected.

Bugfixes

Asserted that accidentally reading global Configure data is not possible.

Bugfixes

Fixed support for multiple slashes in prefix.

Improvements

Support named routes.

• $this->AuthUser->link('Change Password', ['_name' => 'admin:account:password'])
• $this->AuthUserHelper->hasAccess(['_name' => 'Tags::edit'])

Thanks for this @lorro and @saeideng

Improvements

• $this->Auth->deny() can now be used inside Controller::beforeFilter()
• Removed deprecations, CakePHP 3.7+ now

Improvements

hasAccess() so far only included ACL data. Those links and access checks are meant to be used for logged in users.
It now can include also "allow" authentication-skipping data (publicly accessible actions), if includeAuthentication is set to true.
But this only checks/uses the INI config, it can not work on controller authentication. So make sure
you transformed everything fully to the INI file here. Any custom ->allow() call in controllers
can not be taken into account.

For this to work some of the (wrongly shared) configs had to be changed (while trying to keep BC):

ACL config:

• cacheKey is now aclCacheKey
• file is now aclFile
• filePath is now aclFilePath

Authentication config:

• cacheKey is now allowCacheKey
• file is now allowFile
• filePath is now allowFilePath

If you didnt modify any, you are BC here for sure.
If you used online runtime config on the classes (instead of Configure), you will also be fine.
Only if you used Configure (which technically was a bit wrong since they might affect both types due to the same key) you might have to do a small migration here.