CakeDC Blog


Debug & Run Gitlab Pipelines In Your L...

Some time ago, we established as our company workflow. Along with it we created automated tools to support a continuous integration environment, with automated deployments based on develop, qa, stage, master branches and some useful tools to run on specific branches. We used jenkins for a long time, then switched to gitlab around version 6 (more than 5 years ago!) and we've been using it since. Gitlab provides a very powerful way to configure your pipelines and define specific docker images to be used as your runners. So we defined our own runner image and configured it to provide the typical dependencies needed to run static analysis tools, unit tests and other utilities as part of our build process. For example, one typical build file for a simple CakePHP project could be: # image: jorgegonzalezcakedc/cakephp-runner:yarn   before_script:   # install ssh-agent   - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'     # run ssh-agent   - eval $(ssh-agent -s)     # add ssh key stored in SSH_PRIVATE_KEY variable to the agent store   - ssh-add <(echo "$SSH_CI_PRIVATE_KEY")   - echo "$SSH_CI_PRIVATE_KEY" > /root/.ssh/id_rsa   - chmod 600 /root/.ssh/id_rsa     # replace git oauth key for composer   - sed -i "s/__TOKEN__/$GIT_OAUTH_TOKEN/g" ~/.composer/auth.json   variables:   # Configure mysql service (   MYSQL_DATABASE: app_test   MYSQL_ROOT_PASSWORD: root   stages:   - test   - deploy   test:mysql:   services:   - mysql:5.7.22   script:   - echo $MYSQL_PORT_3306_TCP_ADDR   - composer install --verbose --prefer-dist --optimize-autoloader --no-progress --no-interaction   - ( [ -f vendor/bin/phpunit ] && echo "phpunit already installed";) || composer require phpunit/phpunit   - mysql -uroot -p$MYSQL_ROOT_PASSWORD -h $MYSQL_PORT_3306_TCP_ADDR -e 'CREATE DATABASE test_myapp_template;';   - DATABASE_TEST_TEMPLATE_URL="mysql://root:$MYSQL_ROOT_PASSWORD@$MYSQL_PORT_3306_TCP_ADDR/test_myapp_template" bin/cake db_test -i   - DATABASE_TEST_URL="mysql://root:$MYSQL_ROOT_PASSWORD@$MYSQL_PORT_3306_TCP_ADDR/app_test" DATABASE_TEST_TEMPLATE_URL="mysql://root:$MYSQL_ROOT_PASSWORD@$MYSQL_PORT_3306_TCP_ADDR/test_myapp_template" QUEUE_DEFAULT_URL='null:///?queue=default&timeout=1' vendor/bin/phpunit --verbose --colors=never   except:   - tags   deploy_develop:   stage: deploy   environment:     name: develop     url:   script:     - cd deploy && php deployer.phar deploy develop -vvv   only:     - develop   except:     - tags   In this case, on every push to the "develop" branch, we'll run unit tests of the project, then call the specific deploy script to push the project to our CI environment. This process is usually smooth and clean,  if it's not,  then you need to debug why the runner is failing at some step.   One possible answer to this situation would be to dockerize the project and ensure the local docker version matches 100% the runner being used, so you don't have surprises while running your pipelines.  This process is actually done in some projects to ensure we match specific versions and dependencies. But for legacy projects, it's useful to have something more or less generic that just works™ and does not require the effort to dockerize. In this case, and going back to the topic of the article, how can we debug the issues locally without waiting for the pipelines to run? (Note I'm using Ubuntu 16.04 as my dev environment, and possibly aiming to switch to 20.04 LTS soon…)

  • Install docker in your local machine see 
  • Ensure docker is up and running sudo service docker start
  • Install the gitlab apt repositories curl -L | sudo bash
  • Install the gitlab-runner package sudo apt update && sudo apt install -y gitlab-runner
  • Go to your local project, where the .gitlab-ci.yml file is located
  • Run your pipeline locally, note you can pass environment variables via --env and you can name the target you want to build, in this case test:mysql gitlab-runner exec docker test:mysql --env SSH_CI_PRIVATE_KEY="`cat ~/.ssh/id_rsa`" --env GIT_OAUTH_TOKEN="XXX"
  • If there's a problem with the pipeline, add a long sleep time in your .gitlab-ci.yml file to keep the pipeline up and running while you connect to it, for example after the like to run your unit tests, add a new line sleep 1337
  • Run your pipeline again, you'll notice it won't stop…
  • Open a new terminal and check the id of the docker instance using docker ps
  • You'll see a list of the active docker container IDs
  • Finally connect to the container using docker exec -it CONTAINER_ID bash
  • If bash is not available in the container, you'll need another way to connect to it (or another container)
  Once you get access to the container, you can manually execute commands, check permissions, run shells, and debug db and code contents to hunt down the bug you should have already in a unit test… This method saved me some time trying to understand a specific issue in a pipeline, I hope it'll save some of your time too!  

CakePHP 4 - First Look

Last december, the CakePHP team announced the immediate availability of 4.0.0. This release begins a new chapter for CakePHP, as 4.0 is now API stable. With this release, Cake 3.x moves into maintenance mode, while 2.x moves into security release mode. The promise of the version is: cleaner, faster and still tasty as usual. I had the opportunity to bake a new application from scratch and I will give my feedback about my process.  

Skeleton Design

The new version refreshes the skeleton design of the application. Now we have 2 new folders on root:
  • Templates

The templates folder has presentational files placed here: elements, error pages, layouts, and view template files. Pay attention for subfolders: 
  • Core templates are lowercase: cell, element, email, layout
  • App templates still uppercase: Error, Pages
  • Resources

The resources folder has subfolders for various types of resource files.  The locales* sub folder stores string files for internationalization.   If you are familiar with i18n, you will see the difference:
  • src/Locale/pt_BR/default.po (3.x)
  • resources/locales/pt_BR/default.po (4.x)
  Another important change was the .ctp files. They are moved for .php. CakePHP template files have a default extension of .php now. We have a new config/app_local.php file, which contains the configuration data that varies between environments and should be managed by configuration management, or your deployment tooling.  

PHP Strict Type Mode

In PHP the declare (strict_types = 1); directive enables strict mode. In strict mode, only a variable of exact type of the “type declaration” will be accepted, or a TypeError will be thrown. The only exception to this rule is that an integer may be given to a function expecting a float. This is a feature from PHP 7 - which we strongly recommended. All codebase from the skeleton and files generated by bake will include the function.  


The preferred way of getting new entities is using the newEmptyEntity() method: $product = $this->Products->newEmptyEntity();  


After 10 years baking, that's a really big change for me. I don't usually use plugins for authentication, I really like the Auth Component. I think many bakers would agree, as I remember on the first international meetup, the co-host shared the same opinion.   The Auth Component is deprecated, so it's better move on and save the good memories. The new way for implementing Authentication is more verbose. It requires a few steps, I won't go into detail about that,  because you can easily check on book:
  • Install Authentication Plugin
  • Load the Plugin
  • Apply the Middleware
  • Load the Component
  My first look is like I said,  too verbose, for me anyway. We need to write a lot of code. Also it is not included on the skeleton of CakePHP applications, you need include by your own.  

HTTPS Enforcer Middleware

Contrary to the Authentication, I was really surprised how easy it was to force my Application to use HTTPS. If you are familiar with CakePHP, you will use the Security Component for that: class AppController extends Controller {      public function initialize()    {        parent::initialize();        $this->loadComponent('Security', [            'blackHoleCallback' => 'forceSSL',        ]);    }      public function beforeFilter(Event $event)    {        if (!Configure::read('debug')) {            $this->Security->requireSecure();        }    }      public function forceSSL()    {        return $this->redirect(            'https://' .            env('SERVER_NAME') .            Router::url($this->request->getRequestTarget())        );    }   }
  The implementation on version 4 is less verbose and easy, kudos for the new version:    public function middleware(MiddlewareQueue $middlewareQueue)    {        $middlewareQueue            ->add(new HttpsEnforcerMiddleware([                'redirect' => true,                'statusCode' => 302,                'disableOnDebug' => true,            ]));          return $middlewareQueue;    }   What I know is a drop, what I don’t know is an ocean. The new version is here to stay, and this article it's a just one overview of basic usage of the new version. * Version 4.1.0 is released already with more improvements and features.  


[1] Book [2] Migration Guide  

CakeDC API plugin - Authentication and...

This article covers new changes for CakePHP 4 version of plugin. So it covers versions starting from 8.x (8.0) and later.  

Permissions system. RBAC

By default, the plugin uses CakeDC Users and CakeDC Auth plugins for authentication. For RBAC it uses the same style as defined in the Auth plugin RBAC system with minor changes required for the API plugin. First, let's consider the case when we want public api without any authorization. In this case the most simple way would be is to define in config/api_permissions.php next rule   return [     'CakeDC/Auth.api_permissions' => [         [             'role' => '*',             'service' => '*',             'action' => '*',             'method' => '*',             'bypassAuth' => true,         ],      ], ];   Now, consider the case we want to use users plugin authentication. Since Api is supposed to be used from another domain, we should allow all requests with OPTIONS type. To do this we should add this rule as first on in config/api_permissions.php       [         'role' => '*',         'service' => '*',         'action' => '*',         'method' => 'OPTIONS',         'bypassAuth' => true,     ],    Here, method define OPTIONS and bypassAuth means that such actions should work for any users, including not authenticated. Now we should allow Auth service methods       [         'role' => '*',         'service' => '*',         'action' => ['login', 'jwt_login', 'register', 'jwt_refresh',],         'method' => ['POST'],         'bypassAuth' => true,     ],    All other services/actions should be declared in api_permissions file to define what user roles are allowed to access them. Imagine we want to allow the admin role to access the add/edit/delete posts and make index and view public. We can do it based on method or based on action names.       [         'role' => 'admin',         'service' => 'posts',         'action' => '*',         'method' => ['POST', 'PUT', 'DELETE'],     ],      [         'role' => 'admin',         'service' => 'posts',         'action' => ['index', 'view'],         'method' => '*',         'bypassAuth' => true,     ],   

 Routers and Middlewares

Starting from the 8.x version, API Plugin uses router middlewares. This gives great abilities to configure the plugin. So now it is possible to have separate authentication and authorization configuration for website and for api. Also, It is possible to have more then one api prefix, and as result provide more then single api for website with different configuration. Let’s take a look on the default configuration for middlewares   'Middleware' => [     'authentication' => [         'class' => AuthenticationMiddleware::class,         'request' => ApiInitializer::class,         'method' => 'getAuthenticationService',     ],     'bodyParser' => [         'class' => BodyParserMiddleware::class,     ],     'apiParser' => [         'class' => ParseApiRequestMiddleware::class,     ],     'apiAuthorize' => [         'class' => AuthorizationMiddleware::class,         'request' => ApiInitializer::class,         'params' => [             'unauthorizedHandler' => 'CakeDC/Api.ApiException',         ],     ],     'apiAuthorizeRequest' => [         'class' => RequestAuthorizationMiddleware::class,     ],     'apiProcessor' => [         'class' => ProcessApiRequestMiddleware::class,     ], ],   First we see the order of middlewares that proceed api request. It passes through AuthenticationMiddleware, AuthorizationMiddleware, and RequestAuthorizationMiddleware to perform generic auth tasks. It passes through BodyParserMiddleware to unpack the json request. And finally ParseApiRequestMiddleware does initial service analysis and ProcessApiRequestMiddleware performs the request. Also we can note CakeDC\Api\ApiInitializer class used to define Authentication and Authorization configuration. It can be redefined in the application layer to provide needed Identifiers and  Authenticators.  

 Jwt authentication - Refreshing tokens

New plugin feature is embedded jwt_login action which allows the user to get access_token and refresh_token included into the login response. Tokens should be passed in the Authorization header with bearer prefix. Access token is supposed to be used as default token and refresh token needed to get a new access token when it's expired. So for refreshing provided additional jwt_refresh action which should be used in this case.  


Configuration should be defined on application level in config/api.php. Need to note that it is important to enable this file to load by the Api plugin. It could be done in config/bootstrap_app.php using global configuration: Configure::write('Api.config', ['api']);       'Api' => [          ...                  'Jwt' => [             'enabled' => true,             'AccessToken' => [                 'lifetime' => 600,                 'secret' => 'accesssecret',             ],             'RefreshToken' => [                 'lifetime' => 2 * WEEK,                 'secret' => 'refreshsecret',             ],         ],    Hopefully, this was helpful. Our team is always working on adding new features and plugins. You can check out more available plugins HERE.

CakePHP Meetup: Unit Test Fixtures, Qu...

Developers are used to living in a virtual world, so adjusting has been easier than expected. Recently, we’ve been holding virtual meetups, and we are so happy with the feedback. Digital training sessions allow bakers from all over the world to come together and enjoy. Our plan is to host one each month, and coordinate time zones so that everyone gets a chance to attend. Our latest one was based around a good time for our Japanese community.  If you missed the meetup, no problem. We always post the recording for playback, and I’ll even give you a quick rundown of the topics covered. Let’s jump in:

CakePHP Fixture Factory Plugin

by Juan Pablo Ramirez CakePHP Fixture Factory Plugin  helps to improve the way fixtures are generated, when having a big database writing fixtures can get so complicated. This plugin provides Fixture Factories in replacement of the fixtures found out of the box in CakePHP.
Generating fixtures can be done in a few code lines reducing the effort of writing and maintaining tests. There are some other plugins to manage fixtures: 

CakePHP Queue Plugin

By Mark Scherer @dereuromark CakePHP Queue Plugin is a simple Queue solution, it can be used for small applications and it’s a good one to get started with Job Queues, having something easy to maintain at the beginning is a good starting point.
Queues are a good option for functionalities like: image processing, email sending, PDF generation; to improve the response-time for heavy-processing tasks. For more robust solutions can be used:
  • CakePHP Queuesadilla This plugin is a simple wrapper around the Queuesadilla queuing library, providing tighter integration with the CakePHP framework. We have used this plugin in CakeDC in several projects, we also had to build  a Mongo Engine for a specific client.

CakePHP PHP PM Bridge

By Jorge Gonzalez @steinkel CakePHP Bridge  to use with PHP-PM project.
PPM is a process manager, supercharger and load balancer for modern PHP applications. PHP PM It's based on ReactPHP, the approach of this is to kill the expensive bootstrap of PHP (declaring symbols, loading/parsing files) and the bootstrap of feature-rich frameworks.
It’s a good option If you want to significantly improve the responsiveness of an application that could have spikes. PM works as PHP FPM, it’s a replacement for it.  Below some benchmark:  50 Concurrent threads in 10 seconds
  • FPM 83 transactions per second, Failed 0,  Concurrency 6.58.
  • PPM 90.30 transactions per second, Failed 0, Concurrency 3.86.
200 Concurrent threads in 10 seconds
  • FPM 116,49 transactions per second, Failed 142,  Concurrency 116.64.
  • PPM 207.35 transactions per second, Failed 0, Concurrency 85.59.
1000 Concurrent threads in 10 seconds
  • FPM 109,88 transactions per second, Failed 1759, Concurrency 187.49.
  • PPM 214.91 transactions per second, Failed 0,  Concurrency 302.39.
PPM is able to handle a lot of concurrency connections coming in spike to the server  in a better way than PHP FPM.
For watching the Meetup visit the following link Stay up to date on all virtual meetups here      

Working From Home - A Developer's View

Long before COVID-19, I (and my team) started working from home. Even before working at CakeDC, between 2007 and 2010, I worked for a company where you were able to split your time between home and office.    Maybe that's why I actually feel comfortable working remotely and I would never change it for an in office position anymore.     Anyway, I am not going to talk about remote work because these days there are thousands of articles about it (even in  one of our previous posts). I want to focus today on writing about our experience with different communication tools and the pros and cons for each of them.   Back in 2011 when I started working at CakeDC, we had an IRC server in place with a couple of plugins to retain messages for our day-to-day communication. Everyone used different clients like Colloquy on mac or Pidgin on Linux. Additionally, we used Skype for peer/team calls and also for client communication. In my opinion, the linux experience was awful until they improved the client a few years later. This setup was implemented in 2007 when the company was started, and in 2012, we decided to shut it down because it was easier just using Skype for everything, messages and calls.     After several years using - suffering - Skype, with new options in the market, we decided to move away to a more reliable and modern approach. The main reason was the lack of updates for Skype linux client, and the message retention limits. In 2016 we started utilizing the more than popular Slack and its open source alternative, Rocket Chat; always keeping Skype for client communication.    Some months later the team concluded that Rocket Chat was the right choice, mainly because we wanted to have control over the messages and the information transmitted. Since the features we were using were available in both solutions, we installed our own Rocket Chat server. At this point I have to say that we did try the calls solution (Jitsy) inside Rocket Chat, but the experience was not good at all, issues with missing calls, poor call quality, etc, made us keep Skype for calls.   On the other hand CakePHP training was provided using and even when it worked very well in most situations; our trainer Jorge, always had to use a Windows machine instead of his usual Linux one. And then, Zoom emerged.     The year was 2018, when Zoom became so popular even though it started back in 2011 (yes, Zoom existed before COVID-19 crisis). We started using it and it quickly replaced Skype for our team calls. It allowed multiple people calls, screen share, etc. I must say, however, the Zoom chat is one of the worst things I have ever seen.   Going back to Jorge, as you can imagine he was very happy when he saw Zoom had a good Linux client. Unfortunately, he was quickly disappointed because the client screen crashed randomly, went black, and the computer ran out of memory when he tried to share his screen to more than 10 attendees. Happily he didn't throw his windows machine out of the window yet so he could continue giving the training with that machine.   It's 2020, COVID-19 is around us, and Zoom is probably the most popular telecommuting tool. For both adults and children, it is an essential tool to keep working and studying. However, fame never comes alone and threats, rumors and comments are making us move away (again) from Zoom to Google Meet. Also, it didn't make sense to pay for Zoom if we were already paying for GSuite.    I didn't mention it before, but we have been using GSuite (former Google Apps) since the beginning. Google - late as usual - detected a market niche and decided to pump out its meeting tool. In my opinion, I am a standalone app person. This means that I will always prefer having 20 apps instead of 20 browser tabs. So, I don't like Google Meet a lot because of this, but I must say the call quality is superb.    I am not sure how or when we will move to other tools, but right now we are very happy with our Rocket Chat installation and we are still getting used to Google Meet, but it fits our needs.    As a side note we are still using skype to communicate with clients because it is the app everyone has, and sometimes people simply don't want to install something else or use something they are not used to.     To conclude I must say that each team and person should try all of these different tools before choosing one, because one tool that may fits my needs may not fit yours.     


Rocket Chat - Google Meet - Zoom - Skype - Colloquy - Pidgin -

CakePHP Virtual Meetup

Unless you’ve been on Mars for the past few months, you know that things have changed. We can no longer prance worry-free into a department store, or go grab drinks with friends. Everything is now masks, grocery delivery, and video chats. While this was a hard transition at first, we have surprisingly become well-adjusted.  

Virutal Meetups

Our past 2 CakePHP meetups have been in the form of virtual meetups, and it has been a huge success. Normally, meetups are restricted to a certain city, state or even continent in the world, but not anymore! We are over here like, “why haven’t we done this before?”. The idea that CakePHP lovers from all over the globe came come together, live, at the same moment and bake together… it’s amazing.    The first virtual meetup, was suggested and hosted by Mark Scherer (Dereuromark on Twitter). He came to the CakeDC team and asked about joining forces and using one platform to bring everyone together. While picking a meetup time is difficult, given the differences in zones, we tried to find a happy place in the middle of them all. The community team will let this vary from time to time for those, say in Japan, who still found it difficult to tune in. Luckily, even if the time isn’t ideal for you, we ALWAYS record and post the session for playback.    If you’ve missed these (you can still catch the playback!), and want to know more, it's a simple setup: the organizer can give access to any speakers (panelists), they present their talks/trainings and everyone gets to tune in from the comfort of their couch. No worries about background noise, as only speaker's mics are enabled. There is a Q&A feature that allows attendees to ask/post their questions in real time.  For the first meetup, the main topic was a CakePHP 4.1 preview, and we can spend all day on all of the new stuff in CakePHP 4. Also covered was: IdeHelper, Auth with Authentication plugin and fixture factories. We didn’t really know what to expect, or what would go wrong, but things went great! We had a lot of good feedback, which of course inspired everyone to do it again! We got Jorge on board (steinkelz on Twitter) and even tried out a new platform, RingCentral (shout out, thanks guys!). This meetup explored Baking a new plugin and TDD for it’, Authorization Plugin, Pro-Debug with Xdebug + stepping through in IDE, and Mark Story checked in to talk about common-table-expressions  

Missed the meetups?

PLAYBACK OPTIONS: April Meetup: LISTEN HERE  May Meetup: LISTEN HERE    My favorite part about these virtual meetups is that bakers from all over can get involved, and we get to hear from some people that without the digital world, wouldn’t be possible. The CakePHP community team is always looking for speakers for the next meetup, so if you’re reading this thinking, “i’d really like to talk about ___!”, then we want to hear from you! You can also submit for a lightning talk - the email is We are just so thankful that we get to bring so many Cake lovers together with one common goal in mind, to bake and learn new recipes.   

There will be more!

So, how will you find out about future meetups? Easy! Follow CakePHP (or CakeDC) on social media: Twitter / Facebook. You can also sign up for the CakePHP Newsletter (and stay informed about other fresh news, too!). Training sessions can be found at    Have an idea for the next topic? What do YOU want the speakers to talk about? Let us know. Our next session is scheduled for June 18. See details HERE.

PHP Quality Assurance Tools with CakePHP

In Software Development, we are always looking for resources to improve the products we deliver. In this article we show some awesome php qa tools to help us improve our CakePHP software quality and development process. Let's dive in. Note: The snippets provided in this article can be found at

Coding Standards

Choosing a coding standard for your project will help the developers team speak the same language by defining a set of rules on how to name variables, methods, class and etc. The coding standard usage can make the integration of community libs and plugins easier. Checking and fixing coding standards are easily done with the awesome tool PHP_CodeSniffer, this tool has two main scripts:
  • phpcs check for coding standard violations
  • phpcbf autofix coding standard violations, keep in mind that not all errors will be autofixed, but will help you a lot.
CakePHP offers a customized coding standards at and you should be using it.
  Let’s install the tool and the coding standard: composer require --dev cakephp/cakephp-codesniffer:~4.1.0
Create the file phpcs.xml <?xml version="1.0"?> <ruleset name="App">    <config name="installed_paths" value="../../cakephp/cakephp-codesniffer"/>    <rule ref="CakePHP"/> </ruleset>
Update “scripts” block in composer.json  with: "scripts": {         "cs-check": "phpcs -p ./src ./tests",         "cs-fix": "phpcbf -p ./src ./tests",
  Now we can run composer cs-check and composer cs-fix. In a sample app I got this output saying some errors can be autofixed with composer cs-fix

Static Analysis

How many times have you deployed a project on a production server and found a silly error like calling an undefined method? I hope not often. To avoid this type of issue, a static analysis tool is useful. I recommend you to use PHPStan and PSalm, these tools will help you find errors without having to run the application.


PHPStan will rely on phpdoc, so that’s one more reason to use a coding standard tool like PHP_CodeSniffer. Also I recommend that you use the plugin: cakephp-ide-helper, to update annotations (phpdoc) in your app classes. In some cases we need to help PHPStan understand our code better, and for this reason we created a custom extension: Let’s install PHPStan using composer: composer require --dev phpstan/phpstan phpstan/extension-installer cakedc/cakephp-phpstan:^1.0
  We also need to create two config files Includes:     - vendor/cakedc/cakephp-phpstan/extension.neon     - phpstan-baseline.neon parameters:     level: 6     checkMissingIterableValueType: false     checkGenericClassInNonGenericObjectType: false     autoload_files:         - tests/bootstrap.php     ignoreErrors: services: parameters:     ignoreErrors:
  And add two scripts into “scripts” block from composer.json "stan": "phpstan analyse src/",         "stan-rebuild-baseline": "phpstan analyse --configuration phpstan.neon --error-format baselineNeon src/ > phpstan-baseline.neon",
Now we can run composer stan and  composer stan-rebuild-baseline the second one will populate phpstan-baseline.neon to ignore all errors returned in composer stan so only use when all the errors shown should be ignored.  


Psalm is another awesome static analysis tool, it provides a way to check for errors in your code, and can fix some of them, too. In my experience psalm and phpstan work perfect, so you don’t need to pick one or the other, you can use both. Let’s install psalm: composer require --dev  "psalm/phar:~3.11.2"
We also need to create two config files <?xml version="1.0"?> <psalm     allowCoercionFromStringToClassConst="true"     allowStringToStandInForClass="true"     xmlns:xsi=""     xmlns=""     xsi:schemaLocation=" vendor/vimeo/psalm/config.xsd"     errorBaseline="psalm-baseline.xml" >
   <projectFiles>         <directory name="src" />     </projectFiles>     <issueHandlers>         <LessSpecificReturnType errorLevel="info" />         <RedundantConditionGivenDocblockType errorLevel="info" />         <TypeCoercion errorLevel="info" />         <DocblockTypeContradiction errorLevel="info" />     </issueHandlers> </psalm>
  <?xml version="1.0" encoding="UTF-8"?> <files psalm-version="3.11.2@d470903722cfcbc1cd04744c5491d3e6d13ec3d9"> </files>
  And add two scripts into “scripts” block from composer.json "psalm": "psalm.phar --show-info=false src/ ",         "psalm-rebuild-baseline": "psalm.phar --show-info=false  --set-baseline=psalm-baseline.xml  src/"

Now we can run composer psalm and  composer psalm-rebuild-baseline the second one will populate psalm-baseline.xml to ignore all errors returned in composer stan, so only use this when all the errors shown should be ignored. When we run composer psalm it may inform you that some errors can be autofixed and which arguments you should use to fix. Normally it will be something like vendor/bin/psalm.phar --alter --issues=MissingReturnType,MissingClosureReturnType --dry-run
Psalm will only change the file If you remove the --dry-run part.  


Testing is extremely important for any application development. There are many types of software for testing, in this article we are focusing on unit tests. Unit tests help us check if one specific piece of code is working as expected, you can think like ‘Is method ‘A’ returning the correct value when argument has value ‘Z’?’. In CakePHP we have built-in support to PHPUnit, CakePHP integration offers additional features to make it easier to run units tests like custom asserts and methods for integration tests, and fixtures logic for models. We can bake unit tests using the bake plugin. To improve your unit tests try the cakedc/cakephp-db-test with this one you can use database fixtures instead of files. Learn more at: PHPUnit probably already is installed in your app but if not I recommend you to compare your project files with: For more information check out:   Hope you enjoyed this article and will start using these awesome tools to make your projects better than ever. Good Baking.  

Working with CakePHP Authorization

As you may know, there are 2 new plugins "recently" (not so recently) added to deal with the concepts of Authentication and Authorization in your CakePHP applications. Over the years, both Authentication and Authorization were managed in the Controller layer, via AuthComponent.  These 2 things usually grow in complexity as your project grows too, making the AuthComponent a complex class dealing with many features at the same time.
One of the original ideas behind these new plugins was to refactor AuthComponent and create specific layers to handle:

  • Authentication: who are you?
  • Authorization: are you allowed?
We are going to explore the Authorization concepts in this article using a specific example: Let's imagine we have some kind of game application where Users are going to manage Tournaments. The Users will be able to create new Tournaments, and join the Tournaments through a TournamentMemberships many to many association. Other users won't have access to the Tournaments unless they are invited to play. Players of a Tournament can invite other Users to play. So, a quick list of the use cases we are going to cover below are:
  • /tournaments/add  any user can create a new Tournament
  • /tournaments/index  browse all joined tournaments
  • /tournaments/invite  only current Members can invite others, and only if the Tournament has not started yet
We are assuming Authorization step is done in our application and we have a logged in user available in our request. At this point we'll also assume you've installed cakephp/authentication and cakephp/authorization and loaded both plugins. Authorization does not impose restrictions  on when the authorization checks will be done, let's quickly examine the workflow and related classes for Authorization:
  • AuthorizationMiddleware is attached to your Application, and will ensure the Authorization will be checked somewhere while processing the request.
     The unauthorizedHandler config will allow you to define what to do if the request was not authorized for some reason.
  • At some point in your code, you'll need to call AuthorizationComponent, either to
    • skipAuthorization when you don't require any specific condition to authorize the operation. Example: // ... somewhere in your beforeFilter...     if ($user->is_superadmin) {         $this->Authentication->skipAuthorization();     } // ...
    • authorize($resource, $action) when you need to check if a given user is allowed to do some action on a given resource. Note the resource must be an Object.

How Authorization checks are done?

  1. We start by checking the resource, it's an Object so we use a Resolver to map every resource with a given Policy. There are some common defaults, for example to map ORM classes.
  2. Once we get to a Policy class, we check the matching method, for example if the action is "invite" we would check the method canInvite(IdentityInterface $user, Tournament $tournament)
Configuration: After the Authentication middleware, in your src/Application.php class, add the Authorization Middleware            $authorizationService = new AuthorizationService(new OrmResolver());             ...             ->add(new AuthorizationMiddleware($authorizationService, [                 'unauthorizedHandler' => [                     'className' => 'Authorization.Redirect',                     'url' => '/users/login',                     'queryParam' => 'redirectUrl',                 ],             ]));   Note the $authorizationService is configured with one resolver to match the CakePHP typical ORM classes, like Entities or Queries.   Once the middleware is added, you'll need to ensure the Authorization is checked, or you'll get an  error?: "The request to / did not apply any authorization checks" . The first step would be to skip authorization for all the controllers and actions, for example in beforeFilter callback that all Users are allowed to access. About the previous Tournaments specific cases, we'll need to create a new Policy class including all the possible actions to be done, for example:
  • /tournaments/add
We need to create a new Policy for the Tournament Entity file src/Policy/TournamentPolicy.php to define policies related to specific tournaments class TournamentPolicy {     public function canAdd(IdentityInterface $user, Tournament $tournament)     {         // all users can create tournaments         return true;     } } file src/Controller/TournamentsController.php // ...     public function add()     {         $tournament = $this->Tournaments->newEmptyEntity();         $this->Authorization->authorize($tournament);         if ($this->request->is('post')) { // ... The call to $this->Authorization->authorize($tournament); will map the Tournament entity to the TournamentPolicy, by default the action is taken from the controller action, in this case "add" so we will need to define a canAdd() method. We allowed all Users to create Tournaments.  
  • /tournaments/index
We'll need to create a new policy for the TournamentsTable, and additionally a scope method to filter the Tournaments based on the current User membership. file src/Policy/TournamentsTablePolicy.php to define policies for the TournamentsTable class TournamentsTablePolicy {     public function canIndex(IdentityInterface $user, Query $query)     {         // all users can browse tournaments         return true;     }     public function scopeIndex(IdentityInterface $user, Query $query)     {         // scope to filter tournaments for a logged in user         return $query->matching('TournamentMemberships', function (Query $q) use ($user) {             return $q->where(['TournamentMemberships.user_id' => $user->get('id')]);         });     } } file src/Controller/TournamentsController.php     public function index()     {         $query = $this->Tournaments->find();         $this->Authorization->authorize($query);         $tournaments = $this->paginate($this->Authorization->applyScope($query));           $this->set(compact('tournaments'));     }
  • /tournaments/invite
file src/Policy/TournamentPolicy.php to define policies related to specific tournaments // ...     public function canInvite(IdentityInterface $user, Tournament $tournament)     {         return TableRegistry::getTableLocator()->get('TournamentMemberships')             ->exists([                 'user_id' => $user->get('id'),                 'tournament_id' => $tournament->get('id'),             ]);     } // ... file src/Controller/TournamentsController.php // ...     public function invite($tournamentId, $userId)     {         $tournament = $this->Tournaments->get($tournamentId);         $this->Authorization->authorize($tournament); // ...   In this case, we need to check if the logged in User is already a member of the TournamentMemberships group, if so, we are allowed to invite another user. As you can see, Authorization plugin will provide a flexible way to manage your application permissions.   In the previous examples we've covered typical application use cases to handle permissions per resource and action. New classes and interfaces, like policies, resolvers and mappers will allow you to configure the Authorization and ensure all the resources in your application will provide the required permissions. If you're looking for RBAC based on your controller actions, take a look at For additional tools and plugins, check  

Benefits of S.E.O

As a marketer that works with web developers daily, I know that content may not be top priority on their long list of to-do’s. However, for the success of a company, it is essential. If your team doesn’t have a designated marketing person or team, and you’re not a seasoned content creator, I have 3 letters for you to learn: S.E.O.   So what is SEO? It stands for search engine optimization. Basically this represents guidelines for gaining traffic to your website (or one you’ve been hired to create), and doing it organically. What is organic traffic? This is the results people see without being targeted, no paid ads, no cold calling - just desired results because your company offers something that they are interested in.    Today’s market is extremely competitive, so it is important to take every step in making sure that your webpage stands out and is easy to find. Think about how you find information daily… how to make fried chicken? Where to get your car fixed? Or even when a new movie is being released? You search for it, online, right? 9 times out of 10, you’re probably going to run a search for it on a site like Google, right? Then, most likely, you’re going to click on one of the first couple results that pop up on your screen, because they include keywords relevant to the search that you performed. This is an example of SEO. You search for a term that is relevant or appears on a company’s website, and Google recognizes that term/phrase and yields the webpage to you as a result. Thus, increasing traffic for the website, and a lot of times, without any cost to them.    Utilizing this idea, or service, is essential for any marketing department. Actually, according to a recent survey done by HubSpot, about 64% of marketers actively invest time in search engine optimization. So if you're not, you're falling behind.     Now that you have a basic understanding of what SEO is, we can talk about some of the benefits.   

1. Better PR

  The better your SEO is, the more people that will see your company name pop up on their search engine results. While most companies, like CakeDC, offer specific services (and input specific keywords into ads), we have very detailed SEO streaming from our website so that we do not miss a potential client. It is the goal to be in the top 3 results of a search engine like Google.   Even if someone is searching for something your company doesn’t offer, they may see you, remember you, and use you in the future. win-win. Start building your reputation! For example if you wanted to search for CakePHP web development, you may see:    

2. Increased Traffic 

  This is a no brainer. The more keywords that trigger your webpage at the top of consumer results, the more people that will click. This generates better quality leads, in my opinion. Things like cold calling, or cold emailing, while still effective, have become outdated. Inbound marketing compared to these avenues has produced better return, without becoming annoying to your potential leads. When you aim your focus on specific consumers looking for services that are related to your business, you can build better relationships.   


  Perhaps the best benefit of SEO? The cost… or lack of cost. SEO gets clicks, and sales (we hope!) for the wonderful price of $0 per month. How? Well, Google’s organic rankings come from their algorithm, which determines which webpage’s information relates closely to the “searcher’s” inquiry. This can result from keywords coming from your web pages that may not be imputed on any sort of ads you may be running (we will talk about paid ads in a future blog).    This doesn’t mean that getting a perfect SEO score (yes, you can test it) comes for free. It is important to have good content, detailed content, in all areas on your webpage. Make sure each page describes services you provide, or products that you sell, in great detail. Have pages for each option, and make it accessible like this:       It’s time to beat out the competition, are you ready? I first recommend seeing where you stand. There are a few tools you can use to test your SEO score. One example is: Woorank. I like this site because it gives you your score, shows the good, the bad, and the ugly. The tool also shows you what you can and should do to improve your SEO. You can try most tools for free, or get extra optimization help by paying a premium.    Once you run a report, it’s time to get to work. Fix the issues, and constantly monitor your information. I do think it’s important to mention - don’t expect results to happen overnight, it can take up to 6 months for SEO strategies to yield return. If you’re like me, and impatient, just chill. Put the work in, and get the reward.  

Unit Testing with CakeDC DB Test

The only way to go fast, is to go well, my Uncle Bob always said. Research has shown that development with TDD evolves 10% faster than work without TDD. [See here] CakePHP comes with comprehensive testing support built-in with integration for PHPUnit. It also offers some additional features to make testing easier. This article will cover how to write Unit Tests with CakePHP and using the CakeDC DbTest plugin.
First, let's bake a new project: composer create-project --prefer-dist cakephp/app:4.* Now, we need to think  about a model so we can create it and test it. I guess everybody has written a Products model before, our model would looks like this:

  • Name (string)
  • Slug (string, unique)
  • Description (text)
  • Price (decimal)
If you are not familiar with Slug, Slug is the part of a URL that identifies a page in a human-readable way, usually for pages with friendly urls. It will be the target of our tests. bin/cake bake migration CreateProducts name:string slug:string:unique price:decimal[5,2] description:text created modified Pay attention, for slug, It was created with a unique index. Meanwhile our goal will be to have urls like: /slug-of-product and this way, the slug needs to be unique.
Let's run the migrations for database: bin/cake migrations migrate At this point, our database is ready with the `products` table and we can start coding and writing the tests. * Note: some points were abstracted, such as installation, project configuration, and shell commands, because that's not the goal of the article. You can find all information on these in the cookbook.
Let's bake the models, controller, and templates for Product: bin/cake bake all Products
Now that we have all the Classes we can start writing the unit tests. Let's start with ProductsController, writing one test for add Product: tests/TestCase/Controller/ProductsControllerTest.php public function testAdd(): void     {         $this->enableCsrfToken();         $this->enableRetainFlashMessages();         $this->post('products/add', [             'name' => 'iPhone 11',             'slug' => 'iphone-11',             'price' => 699,             'description' => 'Lorem ipsum dolor sit amet, aliquet feugiat.',         ]);         $this->assertResponseSuccess();         $this->assertFlashMessage(__('The product has been saved.'));         $this->assertRedirect('products');     } Let's write another test that tries to add a duplicated product. First, we need to update the fixture, then write the test: tests/Fixture/ProductsFixture.php     public function init(): void     {         $this->records = [             [                 'id' => 1,                 'name' => 'iPhone SE',                 'slug' => 'iphone-se',                 'price' => 399,                 'description' => 'Lorem ipsum dolor sit amet, aliquet feugiat.',                 'created' => '2020-04-23 13:12:58',                 'modified' => '2020-04-23 13:12:58',             ],         ];         parent::init();     } tests/TestCase/Controller/ProductsControllerTest.php public function testAddDuplicated(): void     {         $this->enableCsrfToken();         $this->enableRetainFlashMessages();         $this->post('products/add', [             'name' => 'iPhone SE',             'slug' => 'iphone-se',             'price' => 399,             'description' => 'Lorem ipsum dolor sit amet, aliquet feugiat.',         ]);         $this->assertResponseSuccess();         $this->assertFlashMessage(__('The product could not be saved. Please, try again.'));         $this->assertNoRedirect();     }   With these tests, we know the work is complete when the acceptance criteria (the slug of product must be unique) of the tests is passed.
That's all? No, this article it's not only about tests, this article is about the CakeDC DbTest plugin and how it can be advantageous.

CakeDC DB Test

Maintaining fixtures on real applications can be hard, a big headache. Imagine writing +1k products on ProductFixture, and adding a relationship like Product belongs to Category, then having to write new fixtures and keep them in sync. Real applications usually have features like authentication with ACL, where each User has one Role, and each Role can access many features. Administrator has full rights, Manager has many rights, and so on.
Keeping all of this information in our fixtures is painful. Most of the frameworks have plugins to help with that issue. Thanks to the CakeDC team, we can easily let the DbTest to do the "dirty" work for us: Let's install and load the plugin: composer require cakedc/ bin/cake plugin load CakeDC/DbTest
Then configure the plugin on project:
  1. Copy/replace the phpunit.xml:
  2. Configure test_template datasource on config/app.php:
'Datasources' => [     // ...     'test_template' => [         'className' => Connection::class,         'driver' => Mysql::class,         'persistent' => false,         'timezone' => 'UTC',         //'encoding' => 'utf8mb4',         'flags' => [],         'cacheMetadata' => true,         'quoteIdentifiers' => false,         'log' => false,         //'init' => ['SET GLOBAL innodb_stats_on_metadata = 0'],     ],     // ...
Now, we can delete our fixture and generate the dump of our database for using on tests: // migrate the database for template bin/cake migrations migrate -c test_template // import fixtures bin/cake fixture_import dump // generate dump /bin/cake db_test -i   Finally, we can see some advantages of CakeDC DbTest:
  • Speed.
  • Maintain fixtures with your regular database tool.
  • Run migrations to your dbtest db too.
  • Copy data from your live db to reproduce bugs.
That's all, bakers. Now we have test_db.sql, and you can see how our fixtures will come from this data. You can check the code source of this article on this repository:    

CakeFest Is Going Digital!

What a strange unprecedented time we are living in, right? Thanks, COVID-19. CakeFest, just like many other conferences and events, has been up in the air. Our team spent weeks discussing the possibility of moving forward as planned, having backup plans, or ways out of contracts should the emergency continue. After negotiations with pending sponsors, venues, vendors, etc., we toyed with the idea of going virtual and following suit of many others. After discussions with the core team, it was decided that this was the way to go.    This virus infused world is uncharted territory for billions of people, but one thing remains the same among us all…. the safety and health of our clients, families, and teams is the number one concern and priority. I’m sure everyone has encountered those who don’t understand these types of decisions, but allow me to put some numbers into perspective: Currently, there are 1,696,588 cases of COVID-19 worldwide, and 105,952 deaths have been reported  (as of April 12, 2020 via World Health Organization). According to “The virus can spread between people interacting in close proximity—for example, speaking, coughing, or sneezing—even if those people are not exhibiting symptoms. In light of this evidence, CDC recommends wearing cloth face coverings in public settings where other social distancing measures are difficult to maintain (e.g., grocery stores and pharmacies) especially in areas of significant community-based transmission.”    So what I am reading is that someone who has it, may not even know they are carrying the virus, and can spread the germ by just being in the same area as a peer. This is even more frightening due to the fact that there’s no research to this new virus, therefore no cure or vaccine to combat its effects on those infected.    With the statistics and facts about this virus, we made the difficult decision to go digital for CakeFest 2020. We understand that our intended dates in October are still far away, but without knowing how regulations and orders will change from government officials, it is hard to plan such an important event. Hopefully after learning more about how we came to this decision, you will understand and support us. We were extremely excited to bring the Cake to Los Angeles, but not at the cost of anyone’s health. We also hope to still deliver the knowledge, information, and possibly some ElePHPants to our virtual attendees this year (while also keeping you safe). The good news is, we can host in LA next year! And look at it this way, you can watch and learn in your pajamas!    So what will CakeFest look like this year? We are still in the planning phases, and allowing for sponsors. After a lot of research we hope to find the best platform for our needs, and the best speakers to share the knowledge. Speaking of which, if you have tips or suggestions for hosting a virtual conference, we’d love to hear from you! You can email us.  Tickets will be sold (for less cost, there's a silver lining) for full access to all videos - before and after the event. We will conduct the conference as normal, but the difference is, we won’t be face to face   To keep up with the planning process or any changes, make sure you follow us on Twitter, or Facebook. You can always stay up to date at, too.   

Improving your mental health while wor...

We’ve previously covered tips, tricks and resources to improve your working at home productivity - today we chat about how to improve your mental health!  There are currently more and more people switching over to remote working - perhaps your company has changed policies, or maybe you’ve been forced to work at home due to a stay-at-home order - whatever the case, mental health while working at home is vitally important. Some of us are made to work at home - working from an office, may not be your jam, and the peace and serenity that a home office offers completes the mood.  However, there are some of us that enjoy the daily routine, the commute to the office and the morning catch up around the coffee machine!  So have you been stuck lately feeling a little more down than usual? Here are some tips to increase your mental health during this time.

Keep your morning routine

Even though you are working from home, and technically can get away with wearing your pajamas all day - you definitely shouldn’t! A morning routine helps set the mood for the day. Perhaps this includes getting ready, dressed or going for a morning run. 

Exercise and eat well

We aren’t talking about a full gym session - merely taking some time to move around. A walk around the block or a bit of stretching will help get those endorphins going. A good diet also goes a long way to helping you feel better - unfortunately too much sugar and too many carbs can have a negative impact on your mental health.

Focus on the now

Practice mindfulness - the ability to focus in on the here and now helps us to drop the negative or difficult emotions that weigh us down. 

Open up to someone

You are valued by others - knowing that is important. Finding a safe space to chat about things goes a long way to lifting the mood. Not sure where that safe space is? Check out for some great resources and information.

Take a break

Working from home can sometimes feel endless - some of us struggle to log off at “home time” because, well, you are at home. But this important step is essential to your mental health. Take moments throughout the day to step away - just a couple of minutes to grab some water and take a break. If you haven’t already, please sign up and donate to OSMI - Open Sourcing Mental Illness. We’ve previously chatted with Ed Finkler, OSMI’s founder. CakeDC fully supports OSMI and we love opening up the conversation around mental health - Do you?

Introduction to CakeDC Api plugin


The CakeDC API plugin was created with the goal to prepare abstract solutions that solve generic tasks -in case of creating a rest API. It provides such features like automatic rest API generation based on db schema, support nested routes. It also allows the use of different formats like json or xml, and easily adds their own custom format. It helps to solve generic tasks appearing in development of any API, like pagination, data validation, adding common data to response, or building metadata, about data objects.


The CakeDC API plugin hardly depends on the CakeDC Users Plugin. For authentication it is highly recommended to use CakePHP Authentication plugin configured as middleware.


You can install this plugin into your CakePHP application using composer. The recommended way to install composer packages is: composer require cakedc/cakephp-api  

 Load the Plugin

Ensure  The CakeDC API Plugin is loaded in your src/Aplication.php in bootstrap method. php     $this->addPlugin(\CakeDC\Users\Plugin::class);     $this->addPlugin(\CakeDC\Api\Plugin::class, ['bootstrap' => true, 'routes' => true]);


Minimal configuration to allow non authorized requests require you to copy file: ./vendor/cakedc/cakephp-api/config/api_permissions.php.default to ./config/api_permissions.php


Lets bake table blogs with two fields id and name. After that, the next requests would be possible to perform to api. Requests would be performed using curl. Request: curl http://localhost:8765/api/blogs Response: {     "status": "success",     "data": [         {             "id": 1,             "name": "blog001"         }     ],     "pagination": {         "page": 1,         "limit": 20,         "pages": 1,         "count": 1     },     "links": [         {             "name": "self",             "href": "http:\/\/localhost:8765\/api\/blogs",             "rel": "\/api\/blogs",             "method": "GET"         },         {             "name": "blogs:add",             "href": "http:\/\/localhost:8765\/api\/blogs",             "rel": "\/api\/blogs",             "method": "POST"         }     ] } Request: curl -d "name=blog001" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:8765/api/blogs Response: {     "status": "success",     "data": {         "name": "blog001",         "id": 1     },     "links": [] } Request: curl -d "name=blog002" -H "Content-Type: application/x-www-form-urlencoded" -X PUT http://localhost:8765/api/blogs/1 Response: {     "status": "success",     "data": {         "id": 1,         "name": "blog002"     },     "links": [] } Request: curl -X DELETE http://localhost:8765/api/blogs/1 Response: {     "status": "success",     "data": true,     "links": [] } For more complex features about plugin initialization and configuration based on routes middlewares, we plan to create an additional article.

Services and Actions

In the REST recommendations documents names defined as a noun. Here, services come into play. It describes business entities. From other side actions define the verbs that describe the operations that should be performed on the actions. Common and difference between controller classes and services. The common part is the service is the managing the choosing action to execute. The primary difference is that service could be nested, if this is defined by request url. Common and difference between controller actions and service actions. The common part is the action defined logic of the request. The primary is that each service’s action is defined as a separate class. This means that generic actions could be defined as common class and reused in many services. From the other side, an action class is able to extend if the system has slightly different actions. This way it is possible to build actions hierarchy. Both service and actions define an event during this execution flow.  Main service events: * Service.beforeDispatch * Service.beforeProcess * Service.afterDispatch Main action events: * Action.beforeProcess * Action.onAuth * Action.beforeValidate * Action.beforeValidateStopped * Action.validationFailed * Action.beforeExecute * Action.beforeExecuteStopped * Action.afterProcess Crud actions define events that depend on the type of action, and more details could be checked in documentation. * Action.Crud.onPatchEntity * Action.Crud.onFindEntities * Action.Crud.afterFindEntities  * Action.Crud.onFindEntity

Nested services

Consider we have request with method POST /blogs/1/posts with data like {"title": "...", "body": "..."} As it is possible to see there is nothing in the given data about the blog_id to which the newly created post should belong to. In the case of controllers we should define custom logic to parse a route, and to consume the blog_id from url. For nested service all checks and records updates are automatically executed. This will happen for any crud operations, when detected by the route parent service. So for example: GET /blogs/1/posts, will return only posts for the blog with id 1. Logical checks are also performed, so for request: DELETE /blogs/1/posts/2, a user gets an error if the post with id 2 belongs to the blog with id 2.

Action inheritance

As each action can be defined as a separate class, it is possible to use class inheritance to define common logic. For example:  Add and Edit actions.

Extending services and actions with shared functionality

The alternative way for defining common logic actions is using action extensions. Action extension is a more powerful feature and could be used for global tasks like search or pagination. It is also possible to create service level extensions. Those extensions work on the top level of the execution process, and could be used for things like adding cors feature, or to append some counter into response.

Add service actions from service::initialize

This is a recommended way to register non crud actions. The mapAction uses the Router class syntax for parsing routes. So on any special use cases well described in cakephp core.     public function initialize()     {         parent::initialize();         $this->mapAction('view_edit', ViewEditAction::class, [             'method' => ['GET'],             'path' => 'view_edit/:id'         ]);     }

Configure actions using action class map.

Each action class uses $_actionsClassMap for defining a map between crud (and non crud) actions on the name of the action class. Non crud actions should be additionally mapped, which is described in the previous step. use App\Service\Protocols\IndexAction; class ProtocolsService extends AppFallbackService {     /**      * Actions classes map.      *      * @var array      */     protected $_actionsClassMap = [         'index' => IndexAction::class,     ];

Configure service and action in config file

Service options are defined in the config/api.php in Api.Service section. Let's consider configuration options for ArticlesService. Configuration are hierarchical in the next sense: 
  • define default options for any service within the application in the Api.Service.default.options section.
  • define options for any service within the application in Api.Service.articles.options section.
All defined options are overridden from up to down in described order. This allows common service settings, and the ability to overwrite them in bottom level.
  •  Api.Service.classMap - defines name map, that allows defining services action classes with custom location logic.
    Any action, that could be loaded as default action defined in fallback class, or specific action class could be configured using configuration file.
    Let's consider how one can configure options for IndexAction of ArticlesService.
    Configuration are hierarchical in the next sense: 
  • one can define default options for any action for all services in the application in the Api.Service.default.Action.default section.
  • one can define default options for index action for all services in the application in the Api.Service.default.Action.index section.
  • one can define options for any action in the specific (articles) service in the Api.Service.articles.Action.default section.
  • one can define options for index action in the specific (articles) service in the  Api.Service.articles.Action.index section.

Crud and non crud methods. Mapping non-crud actions.

Crud services mapped automatically in two levels routing by FallbackService.

Index and view. Formatting output

The CakeDC Api Plugin is flexible and provides multiple ways to prepare result data for the response objects. There is a list of main options.

Use Entity serialization

The most trivial way to convert data is using entity serialization. When converting an entity to a JSON, the virtual and hidden field lists are applied.  Entities are recursively converted to JSON as well.  This means that if you eager, and loading entities and their associations, CakePHP will correctly handle converting the associated data into the correct format. Additional fields could be defined using Entity::$_virtual and hidden using Entity::$$_hidden.

Build object manually from Action::execute

In this case users manually perform mapping of requests received from model layer to output array. public function process() {     $entity = $this->getTable()->get($this->getId());     return [         'id' => $entity->id,         'name' => $entity->name,     ]; }

Use Query::formatResults in model layer

The request could be formatted in model layer using: Query::formatResults. So in this case, the process action just calls for a needed finder from the model layer and returns the result. public function findApiFormat(Query $query, array $options) {     return $query         ->select(['id', 'body', 'created', 'modified', 'author_id'])         ->formatResults(function ($results) use ($options) {             return $results->map(function ($row) use ($options) {                 $row['author'] = $this->Authors->getFormatted($row['author_id']);                 unset($row['author_id']);                   return $row;             });         });

Use Action extensions to format output

In index action defined callback Action.Crud.afterFindEntities, which called after data fetched,  could be used to extend or overload results coming from the database. Callbacks are catch-in-action extensions and could be applied to multiple endpoints. For view action defined Action.Crud.afterFindEntity, which called after single record fetched.

Use Action extensions to append additional data to output

Sometimes there is some additional information needed to be presented in some group of endpoints. In this case it is possible to implement an action extension to append additional data. For example, pagination provides information about number of pages, records count, and current page number. Another example for additional data is some execution statistics about the query. Here you see main parts of appending such data from extension. class PaginateExtension extends Extension implements EventListenerInterface {     public function implementedEvents(): array     {         return [             'Action.Crud.afterFindEntities' => 'afterFind',         ];     } ...     public function afterFind(EventInterface $event): void     {         ...         $pagination = [             'page' => $this->_page($action),             'limit' => $limit,             'pages' => ceil($count / $limit),             'count' => $count,         ];         $result->appendPayload('pagination', $pagination);     }     The renderer class describes how to handle payload data. For example in JSend renderer, all payload records appended to the root of the resulting json object.

Rendering output. Renderers.

Renderers perform final mapping of response records to output format.  Such formats like xml, json, or file are provided by  The CakeDC API plugin. JSend is the json extension with some additional agreements about returning results.    

Remote Work, Actually Works!

As a fully remote company, the Cake Development Corporation team is used to working from home. We communicate with our team daily, keep on top of tasks, hold each other accountable and support one another. Heck, a lot of us even do it with kids in the household, too! I consider us extremely lucky to be able to work while juggling an at home life at the same time.  It has worked for CakeDC over the past decade, and in my opinion, can work for most companies.   As of last month, an estimated 4.7 million people were working remotely, which grew 44% over the last 5 years. This is just in the United States. Remote work is becoming the norm.  Obviously for the next few weeks, this number will be drastically increased, but perhaps this will educate companies on the advantages of a WFH culture. Advantages to employers, besides the operations cost (other than payroll, of course), which can decrease by close to 90%, includes increased productivity. Decreased overhead results in higher salaries, which results in more quality candidates and employees.  I understand the concern of the ability to micro-manage (UGH) being unavailable, but according to statistics, 85% of businesses that work remotely confirmed that productivity increased in their companies. When there is more flexibility, there will be higher employee morale.  With the current situation arising from COVID-19, a lot of businesses are forced to transition employees to WFH in order to stay afloat. This not only keeps employees and clients safe, but family members too.  I have put together some stats and resources that may help CEO’s and employees transition a little bit easier.  


It is absolutely essential to keep open communication among a team when everyone is working remotely. Our team uses RocketChat* ( I will include some links in the resource section at the end of this blog), and it has proved to be effective. A chat allows for quicker response time, as well as allowing individuals to set their status (like busy, away, at lunch, sick, etc.). This is a good way to get quick answers, as users can be alerted when they have been messaged or tagged in a company chat. Most of our team work in different timezones, so this is a good way to “stay in the know” about everything happening day to day. We separate chats according to their department. For example: marketing, development, general, etc. We also have the option to private message with co-workers when needed.  Other ideas, if not daily chat interaction, include scheduled meetings. For most of our team meetings, we use Zoom. This tool allows for audio only, as well as video chats.  

Accountability & Time Management:

It is important that tasks are managed and followed through. We use programs like Redmine* to track hours and work, in addition to weekly, or monthly conference calls for each department.  If you or your team are new to remote work, it may be in your best interest to assign a project manager, someone who will assign work, track hours, and ensure that work needed is being completed in a timely manner. Without each person being held accountable, the ship will sink, fast. For personal accountability, there are many free apps and tools available. One example is Trello*. This is a scheduling board so that tasks are not forgotten and you can plan your work week and stay organized. Once tasks placed on your “schedule board” are completed, you can make note of it and stay focused on each one according to their priority. You can also keep track of documents and reports. The boards look like this:    


Documents & Recording - We <3 Google Docs - we are able to share and edit internally, we couldn’t function without it.  Docusign is a good tool for contracts / documents needing signatures Invision Freehand - this is a tool where you can create presentations, and allows comments and feedback between designers. Good for freelance designers!    Organization/Tasks -  Trello - for individual time management scheduling.  Redmine - for project assigning, time recording, HR management,    Communication -  RocketChat - allows for multiple internal chats all rolled into one link (allows for individual logins) Zoom - good for meetings. Allows audio and video chats for teams or reps and clients.  Slack - also a great option for expanded chats. Each person has a “screen name” and can be personally messaged, or public groups can be created (we use this as well). Slack also allows video calls with their paid subscription.  Google Hangouts WhatsApp - if your team is diverse, like ours, WhatsApp is a must. We are able to text each other, regardless of location - no fees, no service problems (if you have wifi of course).  World Time Buddy - this is a tool that I am not familiar with, but being the designated “scheduler of meetings”, I think I would find it useful. If your team works within different timezones, this allows you to add the location of your teammates, compare times, and find ideal times for meetings.    Community - In the development world, community support sites are absolutely one of the most important tools. This allows for individuals - inside or outside of your company - to communicate and help each other out. Most developers are aware and utilize these, but if not, may I suggest: Discourse - chat support  GitHub - our favorite team collaboration tool. GitHub allows for hosting, editing and managing products. We use it for building software and allow for community interaction. It also integrates with a lot of other tools, which is a plus!  

Take Away:

These resources are just a drop in the bucket compared to what is available to remote workers. I think this is a reflection of how WFH is becoming more accepted and more normal in the corporate world. I’d love to hear some of your favorites:  Let’s take away some positivity to the current quarantined times, and encourage more companies to follow suit. In today’s world, flexibility goes a long way and this type of transition can be mutually beneficial for employers and employees. I mean look at us, we are PRETTY normal… right?  Speaking of being in quarantine - stay healthy, stay inside, and wash your hands!  

Two Factor Authentication & CakeDC Use...

Why 2FA?

Nowadays we have noticed that many of the websites or applications that we access offer the option to activate an extra layer of security called Two Factor Authentication, better known as 2FA. Most of our lives happen on our mobile devices and laptops, so it’s not a secret that cyber-thieves would like to gain access to our personal and financial data. This is why adding an extra layer for protecting logins is worth it.  2FA  is an extra layer of security to make sure that someone that is trying to gain access to an account is who they say they are. The first layer is generally a combination of a username and password, and the second layer could ask for a code that is sent to your phone, a fingerprint scan or the name of your best friend. Currently 2FA has become a security standard in the digital world.

How does it work?

First the user will enter his username and password, then instead of getting in immediately into the system, he will be required to provide  additional information. Which could be one of the following options or factors:
  • Something you know : This could be a password, a personal identification number (PIN), answers to a secret question or a specific keystroke pattern.
  • Something you have: This is something the user owns, a physical device, like a mobile phone, an id card, an usb stick, a token, etc.
  • Something you are: This could be face or voice recognition, retina scan,  fingerprint, DNA, handwriting.

CakeDC Users Plugin and 2FA

There are various ways to implement Time-based One-Time Password (TOTP), Short Message Service (SMS), Electronic Mail (Email),  Universal Second Factor (U2F). CakeDC Users Plugin provides the ability to enable in your site TOTP or U2F. 

TOTP Google Authenticator

Enabling 2FA Google Authenticator in CakeDC Users Plugin is quite easy, it just takes a few minutes. In case you have not installed CakeDC Users Plugin in your application, follow the installation steps described here. Once you have installed the plugin and your basic login is working, you just need to do the following:
  1. Run the next command: composer require robthree/twofactorauth
  2. In Application::pluginBootstrap() add the following: Configure::write('OneTimePasswordAuthenticator.login', true);
  Once you have 2FA enabled in your site, when you try to login will happen next 
  1. Type your username and password.   
  2. You proceed to the next step where you are asked for the authentication code
    • First time you will be shown a QR code that you need to scan from your authenticator application.   
    • Next time you will only get the input to type your authentication code  
  3. You open the authenticator application to get a secondary code called a one-time password (OTP)—usually six characters in length. There are many options in the market for the authenticator application, some of the most used are: Google Authenticator, Duo Mobile, FreeOTP etc.
  4. You type the 6-digit code into the website, and you’re in!


If you want something more solid and reliable, then you could use U2F (Universal 2nd Factor) standard created by the FIDO Alliance. With this kind of authentication you use a physical security key, and insert that into your PC, touch the key’s button, and you’re “automatically” logged in.  U2F standard was implemented in CakeDC Users Plugin by using  the YubiKey, the most famous and common example of U2F. To enable 2FA via Yubico follow the next steps:
  1. Run the next command: composer require yubico/u2flib-server:^1.0
  2. In Application::pluginBootstrap() add the following: Configure::write(‘U2f.enabled’, true);
Yubico is a hardware based 2FA, it’s a small device with one end that slots into a standard Type-A USB port. You just need to Insert your YubiKey and touch it! You won’t need to manually enter the code. Take into account that you will need to use https to be able to use 2FA features in your applicatins.

So, what to choose for two-factor authentication? There is no universal answer, it will depend on the level of security you are expecting, but start protecting your account by enabling 2FA! In this article you could noticed how easy is to enable 2FA in any CakePHP application by using CakeDC Users Plugin.

Things about CakePHP that you probably...

CakePHP is often more than just a framework to many in the community, but there are some great features and treasures that many may not know about - so join us with your piece of cake and let’s check these out!

Cake Bake

Cake Bake is an incredibly helpful tool for any developer starting up a new application, or adding new functionality to an existing one.

Using your existing database schema (that follows the CakePHP conventions), running the cake bake command will quickly generate a fully working application skeleton with all your database fields and associations. It will even generate sane validation rules and pretty view files for you.  This allows you to concentrate on the features of your application that actually matter, rather than the generic admin CRUD interfaces. Have some kind of structure or class in your application that you regularly need to create? Maybe a specifically formatted view, or adaptor class? Cake Bake allows you to easily extend it and create your own bakeable templates. Find out more about Cake Bake in the CakePHP Cookbook (i.e. the framework docs)

CakePHP standalone packages

CakePHP’s core is built using standalone packages - this means that you aren’t bound to the framework.

The ORM, database, console, log to just name a few are available to use in your own PHP projects - even if you aren’t using CakePHP. Have you checked these out

Interactive console (REPL)

Not many developers are aware that CakePHP ships with an interactive console tool (Or REPL - Read Eval Print Loop).

You can start the console with bin/cake console. This console tool allows you to quickly and easily explore CakePHP and your application. Use it to quickly check if a finder method is working as expected, or to experiment with a specific query. Anything that you can code, you can run in the interactive console, much quicker and easier than coding a class.


Chronos is a standalone DateTime library originally based off of Carbon.

The biggest difference between Chronos and Carbon is that Chronos extends DateTimeImmutable instead of DateTime. Chronos is immutable by default. Carbon is not. 

CakePHP Core team

The core team is built up of community members - just like yourself - who contribute their time to improving the framework.

All of their time is volunteered - so if you see them in the support channels, be sure to say hi! How did they get onto the core team you ask? They showed commitment to improving the core and the community.

There are some plugins that are just around to make your life a little easier

While most plugins were developed to add to the functionality of your CakePHP application without too much extra effort, there are some plugins that have been written to actually just make your life easier.

One such plugin is the CakePHP IDE helper, written by dereuromark. This plugin improves your IDE compatibility and uses annotations to make the IDE understand the "magic" of CakePHP - so you can click through the class methods and object chains as well as spot obvious issues and mistakes easier. For a curated list of CakePHP Plugins, grouped by topic, check   What’s your favourite part of the CakePHP framework or community? Let us know!

How not to be a good CakePHP developer...

I have been writing code for almost 20 years. It hasn't always been PHP, the first 6 or 7 years I was very involved with the Java world. While I partially agree with people thinking you can write bad code with PHP (more than other programming languages), I personally think that you can write bad code in any language because bad practices are common for all of them. For instance, you can call functions or initialize variables inside a loop, you can hit database many times, or you can repeat yourself no matter the language you use. That said, I want to list the most common questions that good developers should never ask themselves.   1.  Are you serious? Is it possible to add code to tables / entities? If you want to be a bad CakePHP developer, this is your golden rule. Almost every code we receive for review follow this one. Controllers with thousands of lines and models with just baked code.  That’s wrong because all the logic related to your tables should never be in your controllers (or helpers / views).  

  2.  I love using SQL queries in my code, is it really so bad? The short answer is YES. It’s bad, really bad. It is the greatest source of issues and unpredictable behaviors. It is hard to test but of course if you are asking this question you will probably ask the next one.     3. Tests? Baked tests are enough, aren’t they? Ehm.. no. You won’t be a bad developer if you don’t have 100% coverage. Even more, I don’t like to talk about what coverage is good because it exclusively depends on the project itself. I would say that you should feel good if your core features are fully covered.   4.  Why should I put the code in one place only if you can copy and paste it everywhere? Even most modern IDEs identify this as a bad practice now, but this is something we see in almost every code we get for review. People prefer to copy and paste the same function in multiple classes instead of creating a Component or Behavior or even a library and use it everywhere.     5.  Plugins? What is a plugin? CakePHP has a very large set of available plugins, or you can always start your own plugin and publish it so other people can use it. Plugins are one of the most important features in CakePHP since you can encapsulate a feature or a set of features to use them in multiple projects. Just be careful and don’t overplugin.   6.  How the hell would somebody hash a password? Well, even when you think it's a joke, no, it's not. Some people think hashing a password is not required. CakePHP provides several options for password hashing to secure your application.     7.  Do you document your code? I don’t think it is useful. Having the availability of documentation aids in understanding the intended use, as well as the expected functionality and result of the code's execution. It is pretty easy if you just document your code while you are doing it instead of waiting to have 20 classes to document.     8.  Should I declare variables to execute find methods / DB / Service requests or should I put them inside a for/while loop to "save" memory? Please no, doing external service requests (DB / File / Web Service) from inside a loop affects application performance very badly. You should always try to put the result in a variable and then use it inside the loop.   9.  Who needs coding standards? Coding standards help make code more readable and maintainable. For CakePHP applications, the Cake Conventions and Coding Standards should be applied.     10.  Is it better to make all calculations inside for/while loops level in code instead of calculating at the DB/query level? Data iteration at the DB level offers way better performance than iteration done at the application level.
  To summarize,  for sure there are lots of things to look at, but from my perspective these are the 10 basic questions that can define you as a good (or bad) developer. I hope you've never had these questions before but if you do, don’t worry about it, don’t tell anybody, just follow these recommendations to improve yourself!  

10 Features Of A User Friendly Website

Let’s talk about appealing web presence. There are a lot of factors to consider when determining if a site is “user friendly”, and I’m going to give you some tips to make sure yours makes a good impression.   Here are some of the top must-haves for a good web page:  

1. Layout and design

This is extremely important as it is the first thing a visitor will see. If your layout is scattered, or pages are hard to find, they will be running to the red x. In this case, less is more. I am a firm believer in simple clean layouts - I mean it works for Google, right?  Make sure your pages are seen and easy to access. Make sure your design is aesthetically pleasing, and that is easier than it sounds.  This brings me to the next point.  

2. Good, easy to read content

Not only is accessibility important, but the content that the visitor is reading is a direct reflection on your brand. Users are generally on a website for a very specific reason, and if they have landed on yours, then you need to make sure they know that they are in the right place. It is important to immediately list who you are and what you do. It’s okay to have detailed pages to navigate to, but always make sure your homepage illustrates the services that you provide. Don’t lose a good lead due to bad content, that’s just embarrassing.  Speaking of good leads, a lot of people search for services on the go which means…

3. Be mobile compatible 

More than ever, consumers are using mobile devices to browse the web. You can even order groceries for pickup using your phone. It is absolutely essential that your website is mobile friendly - if you want added success. If you aren’t sure how your site appears to mobile users, it’s an easy investigation. If searching for your site via mobile device isn’t enough, Google actually offers tools to do it for you. A good developer and design team can assist in making sure that your website is mobile compatible, but there are also some third party providers that you can rely on after your initial site build, if mobile wasn’t included. Basically… just make sure it happens.

4. Have ways to be contacted

If someone is on your site, and can’t find an answer to their questions, do you want them to leave? The answer is no, obviously. It is important to have multiple ways to reach some sort of customer service. I personally like a number, chat, and email option, but I guess that is being demanding.

5. Browser compatibility

A lot of times, as we are editing or designing sites, our team will compare screen grabs and the site looks totally different on each one. This is a top priority and it gets fixed ASAP. I really don’t understand why this happens, but it must be combated nonetheless. Mostly, it has to do with sizes, layout, background images, etc. It is just important to make sure that your site looks the same no matter who is looking at it and no matter which browser they choose to do so with. These issues are easy to fix, but sometimes tedious. ALWAYS check each popular browser before deploying.   

6. Speed

I’m impatient, and I don’t care to admit it. I would say most people have a short attention span. If I land on a website and I get the spinning wheel, I will give it a chance. If every page has slow loading speed, I am probably going to move on. It’s easy to tell if it’s a webpage causing the issues, so it’s always better to troubleshoot this ahead of time. Once again, there are a lot of free tools you can use to test your speeds. A good free one to try is: - and they will even provide issues & fixes for your slow page. 

7. Hosting

Good speed and function is a result of a good hosting service, too. This is something that may not even cross your mind as you are building your brand and your website, but it is so important. The hosting provider you choose can make or break your impression. Pick wisely, and do your research. There is no reason to risk security or your site breaking every time there is an update. You’ll thank me later for this one

8. Security

I mean this goes without explanation, right? Especially for e-commerce sites - online shopping - anything that requires customer information. Nothing will ruin a reputation faster than a compromised system. PLEASE make sure all backend security options are locked tight.

9. Be Transparent - and bug free

There are going to be errors. No one is perfect - no website is perfect. I always appreciate when a site provides on-screen error descriptions so that I know where I (or the page) has gone wrong. It opens up the trust door with your visitor, and makes them more likely to stick around or retry the action. This also requires the developer to stay in tune with these errors and provide fixes. We want a robust site, right?  An important thing to remember is always check the status of your webpage, and fix issues fast. Many development companies that offer these services, are avialable to help round the clock. For example, CakeDC offers project management services (see here), which allows client to rely on us for development services long term on the existing projects. 

10. Be ever changing

It is important for a business, entrepreneur or developer to adapt. This is especially true for long lasting websites. Say a page has been around for 15 years - things have changed - new features are available… keep up with the times. It is a competitive market that one must always stay in front of. Don’t be afraid of change. 
  Now go… go out there and make your website great again.   

15 Years of CakePHP

This April we will be celebrating 15 years of CakePHP! I can’t help but feel honored to have been a part of this framework, made lasting connections, and help build up the community. As one of the founders of the CakePHP project, I want to express how excited I am about the positive progress that has taken place over the years. We started out with just a few core members, which got us pretty far. Looking back, it’s crazy to see how much our community has grown, and with all of the input, this project has become one of the longest developed PHP framework available today! Our community has always centered on going the extra mile in order to acquire the best results in every aspect. This is not to say that some ups and downs have not hit us along the way in the last 14 years. Indeed, there have been bumps in the road, and some discussions regarding the route the project should take moving forward. Heck, there have even been some individuals who have opted to depart from the team. Other team members have decided to place their feelings down and their dedication in front at all times to work past disagreements in order for CakePHP to continue to evolve in the positive ways it has. Each year, people with diverse visions are joining our core team, and the future for CakePHP is promising. The team is working harder than ever before to keep CakePHP in its reigning position, and promoting it in the open source world for it to continue to impress. Our goals are clear - and if we have anything to say about it, CakePHP is not going anywhere, anytime soon. Our team is certainly stronger and more determined to continue giving the project their all. There are so many things that make the open-source community amazing - I mean think about it: people from different backgrounds, who speak different languages, and who have different beliefs come together and work jointly to attain a common goal. It’s pretty cool. I have worked with open-source software for more than 25-years. Even so, I am still amazed daily on what can be accomplished by such a diverse group of individuals. Actually, I think the rest of the world could take some notes from the open-source community and the benefits that come from people working together. The friends that I have made in the open-source community throughout the years are way too many to name one by one, but I am grateful. This goes on to reflect my awesome experience with it, one that will always be present on my mind. I want to finally express to the CakePHP core team, the CakePHP community, and everyone I have had the pleasure and honor of working with at CakeDC, that I am extremely thankful for absolutely everything. Here is to 15 more years of CakePHP.

We Bake with CakePHP