I'm using the https://github.com/FriendsOfCake/search/ plugin to filter data.
The Search.Search component will allow your filtering forms to be populated using the data in the query params. It uses the PRG pattern (Post, redirect, get). (https://github.com/FriendsOfCake/search/tree/master/docs)
It appears that this authorization plugin cannot handle this pattern, as I get the following error:
`The request to /orders/index did not apply any authorization checks.`
I also described the issue at FriendsOfCake/search#265 however the response over there was that this is an issue with the authorization plugin.
My function in the controller:
```php
public function index()
{
    $this->paginate = [
        'contain' => [
            'Companies',
            'ShippingBarcodes' => ['sort' => ['ShippingBarcodes.id' => 'DESC']],
        ],
        'order' => ['Orders.id' => 'DESC'],
    ];
    // Build the filtered query from the query params populated by the Search component.
    $orders = $this->Orders->find('search', ['search' => $this->request->getQueryParams()]);
    $this->Authorization->authorize($orders);
    $orders = $this->paginate($orders);
    $companies = $this->Orders->Companies->find('list')
        ->where(['Companies.published' => true])
        ->order(['Companies.name' => 'ASC']);
    // Assumes the Order entity is imported at the top of the file (use App\Model\Entity\Order;).
    $statuses = Order::status();
    $this->set(compact('orders', 'companies', 'statuses'));
}
```
This loads the page as expected. The problem occurs once I try to filter the results. The POST results in a status 500:
`The request to /orders/index did not apply any authorization checks.`
Adding a skipAuthorization() call does not solve the problem:
```php
public function index()
{
    $this->Authorization->skipAuthorization();
    $this->paginate = [
        'contain' => [
            'Companies',
            'ShippingBarcodes' => ['sort' => ['ShippingBarcodes.id' => 'DESC']],
        ],
        'order' => ['Orders.id' => 'DESC'],
    ];
    .........
}
```
As suggested in FriendsOfCake/search#258, I tried to catch the problem in beforeFilter():
```php
public function beforeFilter(\Cake\Event\EventInterface $event)
{
    parent::beforeFilter($event);
    if ($this->request->getParam('action') == 'index' && $this->Authentication->getIdentity()->get('role') == 'admin') {
        $this->Authorization->skipAuthorization();
    }
}
```
This "solves" the issue as a workaround, but not in the way I expect it to work, as I assume that `$this->Authorization->skipAuthorization()` or `$this->Authorization->authorize($orders)` in the index method should have applied the auth check even with the redirect.
I'm open to any suggestions.
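An added example of a narrower workaround for the situation described in this issue (this is my own illustration, not the issue author's code, the Search plugin's code, or the Authorization plugin's code). It assumes what the plugin docs describe: the `Search.Search` component's `startup()` callback turns the filter-form POST into a redirect to the same action with the form values as query params, so the action body (and the `authorize()` or `skipAuthorization()` call in it) never runs for that POST, and the Authorization middleware's "did not apply any authorization checks" error fires for the POST only. The hypothetical `OrdersController`, `SEARCH_ACTIONS` constant and `AppController` base class are assumptions for the example.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Event\EventInterface;

/**
 * Added example (not the issue author's or the plugins' own code).
 *
 * Rather than skipping authorization for every admin request to index,
 * which also disables the per-query authorize() call on the real GET,
 * this scopes the skip to exactly the redirect-only POST that the Search
 * component intercepts. The GET that actually reads Orders still has to
 * pass $this->Authorization->authorize($orders).
 */
class OrdersController extends AppController
{
    /** Actions that the Search component serves with its PRG redirect (assumed list). */
    private const SEARCH_ACTIONS = ['index'];

    public function initialize(): void
    {
        parent::initialize();
        // Same action list is handed to the component so both stay in sync.
        $this->loadComponent('Search.Search', [
            'actions' => self::SEARCH_ACTIONS,
        ]);
    }

    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        $action = (string)$this->request->getParam('action');
        if (in_array($action, self::SEARCH_ACTIONS, true) && $this->request->is('post')) {
            // Only the PRG POST is exempted: it performs no data access and
            // (assumption) is redirected by the component before the action
            // body runs, so there is nothing to authorize on this request.
            $this->Authorization->skipAuthorization();
        }
    }

    public function index()
    {
        $orders = $this->Orders->find('search', [
            'search' => $this->request->getQueryParams(),
        ]);
        // The GET that reads data is authorized on every request; a missing
        // or failing policy still raises the middleware error here.
        $this->Authorization->authorize($orders);
        $this->set('orders', $this->paginate($orders));
    }
}
```

The point of keying the skip on `$this->request->is('post')` together with the action name, instead of on the user's role, is that the exemption covers only the request that never touches data, while the actual read on the GET keeps its policy check. The coarser alternative is the middleware's `requireAuthorizationCheck` option, which disables the "no authorization check applied" error for every request and so loses the safety net that surfaced this issue in the first place.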