CakeDC Blog

TIPS, INSIGHTS AND THE LATEST FROM THE EXPERTS BEHIND CAKEPHP

Using a vagrant box as quick environme...

We've decided to create a simple vagrant box with all the required packages to improve the environment setup step in our free Getting Started with CakePHP training session. We used other tools in the past, but we hope vagrant will help users to install a common environment before the session to get the most of it.

Requirements

Setup

  • Create a new folder where the code will be located
  • Create a new file called Vagrantfile with the following contents
# -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.box = "cakedc/cakephp-training" config.vm.network :forwarded_port, guest: 8765, host: 8765 config.vm.provider "virtualbox" do |vb| vb.memory = "1024" vb.customize ['modifyvm', :id, '--cableconnected1', 'on'] end end
  • Run vagrant up
  • Wait (download could take several minutes depending on your internet connection)
  • Run vagrant ssh
Now you have ssh access to a training ubuntu (16.04) based virtual machine, with all the requirements to run your training CakePHP application.
  • Setup a new CakePHP project
cd /vagrant composer create-project cakephp/app
  • Start the local server
cd /vagrant/app php bin/cake.php server --host 0.0.0.0
  • From your host machine, open a browser and navigate to http://localhost:8765
  • You should be able to see the CakePHP welcome page
  We think this VM will enable faster environment setups, and an easier entry point to the training session. Please let us know if you find issues with this process.

Boosting your API with CakePHP API and...

A couple days ago AlexMax commented in CakePHP's IRC channel about the https://github.com/php-pm/php-pm project and it rang a bell for us. We did a couple tests internally and found this could be a great companion to our API plugin, so we wrote a new Bridge for CakePHP and ran some benchmarks.

The Cast

We put all together and created a sample application (1 posts table with 30 records) to do some benchmarks.

Benchmark configuration

We are not aiming to provide detailed or production figures, just a reference of the results obtained for your comparison. Results are generated from a development box, using PHP 7.1.12-3+ubuntu16.04.1+deb.sury.org+1 with xdebug enabled on ubuntu xenial, 8x Intel(R) Core(TM) i7-4771 CPU @ 3.50GHz We baked the application using the latest CakePHP 3.5.10, and set application debug to false, and log output to syslog. As we are interested in boosting API response times the most, we tested the following scenarios
  • A) CakePHP json output, served from nginx+phpfpm
  • B) CakePHP + API Plugin Middleware integration json output, served from nginx+phpfpm
  • C) CakePHP + API Plugin Middleware integration json output, served from php-pm
Benchmark figures were obtained using ab -n 5000 -c 100 URL

Results

Scenario requests/second avg time
A) CakePHP json output, served from nginx+phpfpm using php7.1 372.97 [#/sec] (mean) 268.120 [ms] (mean)
B) CakePHP + API Plugin Middleware integration json output, served from nginx+phpfpm using php7.1 399.79 [#/sec] (mean) 250.133 [ms] (mean)
C) CakePHP + API Plugin Middleware integration json output, served from php-pm using php7.1 911.95 [#/sec] (mean) 109.656 [ms] (mean)
D) CakePHP + API Plugin Middleware integration json output, served from php-pm using php7.2 1811.66 [#/sec] (mean) 55.198 [ms] (mean)
  These results for a NOT OPTIMIZED CakePHP application are promising, and the improvement using PHP-PM is huge in this case. There are some important considerations though:
  • PHP-FPM is mature and stable, PHP-PM is still in early development, although there is a 1.0 version released already.
  • Processes need monitoring, specially regarding memory leaks, we would need to manage a restart policy and be able to hot-restart individual workers
  • System integration, init scripts are not provided, even if this is something easy to manage nowadays via systemd or monit, would be good to have for production
  • Application bootstrapping should not be affected by the request. If your application bootstrapping depends on the request params, or logged in user, you'll need to refactor your code
  • Session handling was not tested, issues are reported for PHP-PM for other frameworks. We were aiming to stateless API's so we don't know if this would be an issue for a regular application
Performance is always a concern for the API developer, applying proven paradigms like the event driven development (https://reactphp.org/) to your existing code would be the way to go and ensure backend frameworks like CakePHP will perform as required when dealing with the peaks we all love and hate. Edit: We've added a php7.2 based benchmark, with a huge performance improvement.

Giving back to the community

This Plugin's development has been sponsored by the Cake Development Corporation. Contact us if you are interested in:      

Why an independent code review is impo...

Passbolt recently contacted us about doing a code review so we thought now would be a great time to share more about our code review process with you. While in-house and peer reviews are important to maximise code quality, it is still incredibly important to get an independent third party to review your code - that is where CakeDC can step in. Passbolt is free, open-source, self hosted password manager for teams which makes collaboration and sharing company account credentials within a team much easier. It's based on open security standards and uses OpenPGP to authenticate users and verify secrets server side. Passbolt consists of server side web app built in CakePHP providing web interface and API, and Chrome extension for client side. The overall aspects that are reviewed in our code review include a review of quality, implementation, security, performance, documentation and test coverage. When looking into quality, the team reviews aspects concerning the code following CakePHP conventions, coding standards and coding quality. Overall, passbolt’s code review revealed that CakePHP conventions and coding standards are largely followed, no concerns were detected. Implementation outlines key issues with framework use and approach. It includes reviewing the code for framework usage, separation of concerns as well as code reuse and modularity. Key recommendations are outlined at this point and guidance is given into how to solve any issues. For the Passbolt review, bigger or concerning issues were uncovered, but improvements were recommended and outlined within the closing documentation. The security portion of the code review deals with how secure the code is in terms of CakePHP usage. No security flaws were found in the passbolt code review. Our in depth code review focuses on performance, specifically investigating any bottlenecks in the code base and database as well as indexes optimization. For the full passbolt code review results, check out the Code review results. Passbolt has also posted about their review, check out their post here. If you or your company has a CakePHP application and you aren’t sure if its running at the optimum, then get in touch - Code reviews can offer insights and learning into how to improve your application.

Errors to fix today on your site

Running a website can lead to massive success for you business, however, without the proper maintenance, you can be losing out. Some errors your site can be suffering from may be minor, such as spelling mistakes, however, there may be errors that can have significant impacts such as pending security updates. Let's take a quick look at some that you should fix today! Basic HTTP errors If there are HTTP errors lurking on your site, your visitors are probably getting frustrated. Make sure to constantly review your website for these errors. Some of the more common ones include 401, 404 and 500 errors. Spelling errors, basic content duplication and broken links These are all easy and minor errors to fix, however they can lead to your visitors losing trust in your company or brand. Invalid HTML Your website’s HTML needs to follow the published HTML standards and if not, will lead to invalid HTML. Having invalid HTML leads to a multitude of things including impacted/lower SEO rankings, reduced accessibility for visitors using screen readers and other assistive technologies and browser compatibility. Pending security updates and version updates Having pending updates can open you up to malicious activity such as website defacing or stealing of confidential information. If you have an update pending, quickly update today! Incorrectly inserted analytics tags Be sure to double check that your analytics tags have been added to your code correctly. You may be missing out on valuable information that will help you improve your website. Not sure what you are doing wrong? Google offers guidelines and tutorials to get any issues sorted out quickly. Lastly, be sure to ask yourself - Have you tested? Testing is another key part to the success of your new site’s launch. Be sure to not miss this step. Not sure how to properly test your site? Here’s a great checklist to check out. From how to test elements such as HTML, CSS, security and performance through to SEO and accessibility, this checklist will guide you along best practices when it comes to testing. Another important tool to make use of is the W3 Markup validator.  

Why Mobile web design is important

With mobile traffic continuing to dominate, its just as important to get your mobile web design up to scratch. The stats for 2017 show that mobile searches once again took the lead at 50% with desktop sitting at around 45%. When designing your web application, it is key to not only consider mobile web development, but to prioritise it. Can you afford to lose over half of your web traffic due to poor design? Search engines have started prioritizing mobile friendly websites - what does this mean for you? Google has understood this shift in user behaviour, and with their mobile-first search index already kicking in, now is the time to get the mobile version of your site in tip top shape. If your mobile site lacks the same detailed information as your desktop site, you will get hurt by this indexing. Not providing key detail on your pages will shift your overall SEO rankings. Mobile optimized web design provides a better user experience for mobile users. With such a high percentage of mobile traffic, ensuring that these users get the best user experience possible on your site is vital. By ensuring that your mobile web design is functional, you provide the user with key functional aspects such as readable fonts and headers, easy-to-click links and faster load times. There are a variety of free tools out there to help you assess whether your site will rank well or not. If you are optimising your SEO and web design efforts for Google, then take a look at these three key tools that are vital to all developers. Google’s mobile-friendly test allows you to simply enter in your website URL and run a quick check to determine if you site is mobile friendly. While this tool is great for seeing how Google ranks your site, it doesn’t provide any detail in the site’s strengths and weaknesses. Google’s page speed insights tool allows you to assess the load speed times of your site. As well as providing a score, it also provides detail into how you can go about fixing the page speed. Google’s webmaster tools mobile usability test shows you even more detail into the usability of your mobile site. With many great free resources, as well as many insightful blog posts, you too can get your mobile site optimized for your user. CakeDC provides both development and consulting services, ensuring that you are left with the best web application solution. If you are in need of a full scoped development project or are simply looking for guidance and expert knowledge for your application, CakeDC is the team to contact.

Tips for building custom apps

Sometimes all your website needs is a bit of added functionality and increased interactivity. Custom applications can make or break your user experience, here are some of the key things you should look out for when getting your custom applications developed. Consider tooltips to guide users Sometimes custom applications require certain actions from the user. Tooltips allow you to help the user along without cluttering the interface. Include progress notifications Tell the user if something has been processed successfully. Including feedback notifications such as “loading” or “please wait” can help your users understanding of your application. Keep familiar patterns and navigation within your application Users will find the experience of using your custom application if a similar navigation is used - keeping familiar patterns can be achieved through various methods such as keeping information in the same areas on every page. Keep pop-ups to a minimum or have none at all! Pop ups distract and interfere with a user's experience. Limit the use of these to a minimum - only including key and critical information if used. Ensure log-in or entry information simple and easy If your application requires a user to log in or provide certain information before accessing the content, it's important to keep this requirement simple. Having high entry barriers or information required can stop a user from actually using your application. Design your custom application for your target audience Who do you see as the ideal user of your application? Avoid technical jargon or unfamiliar terms or processes. Are you designing a shopping cart for users accustomed to online shopping? Then keep up-to-date with the latest best practices from top ecommerce sites and follow their lead. Are you looking for a custom application? Contact CakeDC, the experts behind CakePHP.  

Simplicity is important - here’s why

When it comes to web design, simplicity is not valued enough. Simplicity is important - but why? Simplicity reduces navigation confusion, makes the website look more sophisticated and can help in increasing site conversions (sign ups, contacts). All too often, web designers tend to miss the point of simplicity and over do the amount of information given on a single page - the need to get everything across at once can seriously hinder how much a website visitor is able take in. Over complicated pages can lead to higher than average bounce rates or lower on-page conversions. We thought we’d share with you some top tips to simplify your website.

  • Keep things along the 80-20 rule
    • Use the Pareto principle which is that 80% of the effects come from 20% of the causes. This means taking away as much as you can from your design that will not lead to any type of conversion. Take things back to the bare essentials and make those work properly
  • Embrace few colors in your theme
    • Does a monochrome color scheme work for you? If not, try out as few colors as possible. Work towards a design that requires less effort for your website visitor to process. Fewer colors will also give your site a sleek, classic look
  • Keep copy short and sweet
    • Embrace compelling copy but keep things shorter and to the point. Make your point quickly and keep things easy-to-read by sticking to a few key points. Use shorter sentences, and keep paragraphs to a maximum of 3-4 sentences for easy reading.
  • Fix your navigation
    • Often many sites have over complicated and lengthy navigation options. Remember to include navigation to your list of things to simplify today. Keep important and key pages in your navigation bar. Remove excess clutter and keep all navigation menus visible. Other key things to keep in mind is the use of universal icons as well as ensuring a sitemap in your footer - these are all standard items that visitors look for.

How Much Does it Cost to Design a Site?

If you are in the market for a website or application, it can sometimes be daunting. Being unsure of where to start, which development firm to use or how much the whole process is going to cost you can be truly overwhelming. And then there are those horror stories of others, who selected a developer based solely on cost (the cheapest quote perhaps) and ended up majorly down the hole with their budgets, while owning a unfinished website. Whether you are in the market for a website application with a specific outline and goal, or have a rough idea of what you need your application to do, how do you go about finding the best selection for you? And then how do you know that whoever you select is going to deliver what you want and in the time frame that you need it? And then, not knowing how to code yourself, you can land up frustrated at not understanding the process - especially if your development team gives you the runaround. At CakeDC, we are committed to a transparent workflow - we've created our own git workflow (MIT license) and we've used it successfully with our clients for 3+ years and dozens of projects. We use it to accelerate growth and innovation providing the highest quality application development. What sets CakeDC apart from others is that our experts listen closely to your needs. Second, we formulate a roadmap of milestones based on your specifications. Third, we offer guidance while delivering the highest quality results in a fraction of other developer’s time, by doing things The Right Way™ So how much is it going to cost you? Well this is of course dependent on what you project scope includes, however, we will work with you in determining the best package to suit your requirements. You can check out all of our rates and packages here. Ready to get your project started? Reach out to our experts today to see how easy it can be to get your application up and running.

What your website users are trying to ...

Every visitor to your website has a goal in mind - this may not be a conscious goal, but they are visiting your site for a reason. So listening to your users feedback is key to meeting their expectations! As a business owner, be sure to keep these in consideration and as a developer, be sure to pass these recommendations through to your clients. What are some things that users are trying to tell you and how do you find out? What and why is it Often people forget about the basics and fail to include what their product, service or business is. By excluding this vital information there will be users who will not know what the purpose of the page that they have stumbled upon is, but what to do next - and therefor bounce quickly off of your site. Where is your pricing information? If you are trying to sell something - a product or a service - be sure to include the price information as this is used by your visitor to determine their next action. Even if you are providing resources in return for their details, it is important to be clear. Where are those testimonials or reviews? Have others tried it People like to know that whatever they are investing money into is worth it - reviews or customer testimonials help to show your visitors what you can do. Be sure to add this information in a way that is easy for you visitors to find. Where can I sign up or contact you Another vital piece of information that many often forget is to let your visitors know how to signup and contact you. Perhaps you have chosen to hide your contact information due to spam bots or other issues faced, however, if you are in the business of recruiting clients, then be sure to have some form of contact information easily available to your visitors.
Not sure if you are missing anything? CakeDC, the experts behind CakePHP, offer a range of services including consulting, guiding you through the best practices with your CakePHP application.

Payment integration, E-commerce made easy

With ecommerce trending, it may be the next step for your business. However, it can seem daunting - so where do you start?   Starting with basics, you need a website that will serve as a platform for your products - a good starting point is key. Perhaps your website is up and running, but you aren’t happy with it - why not do a redesign at the same time as doing payment integration. Be sure to discuss your needs with your development team.   Next is to ensure your product list is up to date and aligned with your ecommerce goals. With the ecommerce industry becoming so competitive, it's important to stand out - both with your products as well as with the overall user experience.   So your products stand out on your website, things are looking good! But having a functional payment processor is key to making those sales! Here are some key tips to ask your development team today!  

  • Before considering technical aspects, take consideration of the payment processing fees but be sure to pick a provider that is trusted by customers
  • Reference check your selection of payment gateway with your development team, will they be comfortable integrating this third party service with your site or do they have an alternative solution
  • Are you selecting a payment gateway that has been certified as safe and secure? By choosing one that is popular and trusted with customers will keep you on track for this requirement.
  • Is the payment gateway capable of accepting different payment methods such as credit cards, debit cards and others
  • Where are you planning to sell geographically via your ecommerce store? Is your payment gateway compatible with this geographical location? Some payment gateways are limited to certain countries - be sure to double check this before implementing the integration.
  • Should you chose to scale your business in the future, will your payment gateway be able to grow with you?
  Just remember, that whatever you choose to do with your ecommerce site, your payment integration should be as secure and smooth as possible. Chat to the expert team behind CakePHP today, to discuss how we can take your ecommerce integration to the next level. CakeDC is here to lead, so you can lead.  

Launching your new site? Read this first!

As exciting as launching a brand new website is, there are a lot of expectations that can be built up around it. Here are some top tips to not fall into the easy traps of launching your website   Don’t be a perfectionist It can be easy for some people to take the perfectionist view point when launching a new site. Rather focus on launching your website to its best and get feedback from testing and website visitors.   Doing it all yourself With the launch of your new site, it's important to delegate - make sure you have a expert team behind you so that you can manage your business and end goals. CakeDC, the experts behind CakePHP, believe in this philosophy - we lead, so you can lead.   Create a launch plan, now! If you do not have a plan for your launch, then the time is now! With research and strategy building, your launch will have direction, while reaching the right audience. Write everything down and be sure to share it with your team.   Linking to all Social media platforms With social media becoming an important way to reach out and talk to potential clients, it is key to ensure that you link your social media accounts to your websites and visa versa.   Have you tested? Testing is another key part to the success of your new site’s launch. Be sure to not miss this step. Not sure how to properly test your site? Here’s a great checklist to check out. From how to test elements such as HTML, CSS, security and performance through to SEO and accessibility, this checklist will guide you along best practices when it comes to testing.   Relax and execute your plan Lasty, relax and execute your plan! The final step to your new site’s launch is rollout. Things should be set up and in place which allow you to roll out your launch with minimal hassle.   At CakeDC, our goal is to help you, as a business leader, develop, achieve and maintain your competitive leadership in your market. Contact us to find out more about how we can create your custom application today.

Do you ever code for free? Contributin...

If you have ever taken a moment to contribute to open source, then you would know that it can be quite rewarding. But perhaps you are involved in an open source community, but aren’t necessarily contributing - yet! Maybe you are too nervous to contribute or you make a list of excuses as to why you aren't able to commit the time.   If you aren’t contributing just yet, here are some great benefits to you to start today.   Meet others in the community who are interested in similar things The CakePHP Community is welcoming and warm - by getting involved in the forums, online chats or through other participation, you can get to know others with similar interests.   Finding mentors within the community Get to know the community by getting involved - is there someone in the community who you think does an amazing job doing what they do? Chat to them, learn from them. There are some incredible mentors in the open source world - and they are normally down to earth and approachable.   Grow your knowledge and skill set base By contributing to open source, it gives you the opportunity to practise your skills. Through community involvement, you will learn new ways of doing things or suggest ways to improve on how things are done.   Help others - sense of giving Find reward in helping others solve the problems that have been troubling them. Giving back to the community brings in many rewards and a sense of achievement can be gained by helping out.   And now you may be asking - but how do I start? Easy! Just go ahead and find some issues that you can help out with, or simply join the support forums around the community and answer some questions - people appreciate the help and you never know, you could find help by helping others!   At CakeDC, time is committed to open source contributions. From our open source plugins through to support on community platforms, CakeDC ensures that time is committed to ongoing community support.

Why free website builders are hinderin...

Perhaps you are budget conscious or you are not computer savvy, and website builders look appealing to you. When getting a website developed for your business, key questions to ask yourself include: can it be managed effectively; will you be able to drive your brand online; will it be safe and secure? While website builders may seem like a good option, it can cause your business harm. Here’s a look at some of the cons of website builders.   You do not own your website Should you choose to leave your website builder, the website you have designed and any elements remain the property of the builder. You will essentially need to start over. From your content through to your domain name, all of this may need to be given up (as you are not the owner).   Website URL is not fully customizable When making use of a website builder, you are limited to the options that are provided. Some website builders offer different tiers, depending on your monthly subscription fee, however, you may need or want to do something that is out of the standard template.   Use of templates and outdated coding practises The use of templates is standard when building a website using a website builder. However, the use of outdated, unresponsive and badly designed templates can seriously hamper your brand (and website’s) ability to speak to your potential clients. These templates can use clunky, old fashioned and simple design.   SEO can be problematic With only basic SEO tactics employed by website builders, caution needs to be taken! Lacking SEO functionality can hamper your website’s ability to be found by potential clients - not appearing in search results and a lack of visibility can be damaging to your business.   Options, such as 3rd party integrations, are not available If you are looking to integrate 3rd party options, then think again - with only a limited options available, the ones you may want could not be available. For some business owners, this realisation may come too late and only after the website has been established, leaving them caught in a bad situation.
  Customized website application solutions are the way to go if you want to properly represent your business online. From increased functionality options, to fully scalable solutions that will grow with you and your business. CakeDC, the experts behind CakePHP, can offer you solutions that will answer every problem you have previously encountered with cheaper and less secure development solutions.

Building an RBAC based application in ...

This is the second article about RBAC in CakePHP series (2/2). In our previous post we did a quick introduction to RBAC and how to setup CakeDC/Auth plugin in an example project, dealing with basic array based rules. Today we'll talk about how to debug rules, and provide complex Auth rules to check permissions. We'll also discuss how to encapsulate the rules logic into `Rules` classes, and how to deal with RBAC in big projects.  

Debugging rules

Notice when debug is enabled, a detailed trace of the matched rule allowing a given action is logged into debug.log For example: 2017-10-04 23:58:10 Debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"Categories","action":"index","role":"admin"} --> Rule matched {"role":"*","controller":"*","action":["index","view"],"allowed":true} with result = 1 This log could save you some time while debugging why a specific action is granted.

Callbacks for complex authentication rules

Let's imagine a more complex rule, for example, we want to block access to the articles/add action if the user has more than 3 articles already created. In this case we are going to use a callback to define at runtime the result of the allowed key in the rule. [ 'role' => '*', 'controller' => 'Articles', 'action' => 'add', 'allowed' => function (array $user, $role, \Cake\Http\ServerRequest $request) { $userId = $user['id'] ?? null; if (!$userId) { return false; } $articlesCount = \Cake\ORM\TableRegistry::get('Articles')->findByUserId($userId)->count(); return $articlesCount <= 3; } ],

Rules example

As previously discussed, we have the ability to create complex logic to check if a given role is allowed to access an action, but we could also extend this concept to define permission rules that affect specific users. One common use case is allowing the owner of the resource access to a restricted set of actions, for example the author of a given article could have access to edit and delete the entry. This case was so common that we've included a predefined Rule class you can use after minimal configuration. The final rule would be like this one: [ 'role' => '*', 'controller' => 'Articles', 'action' => ['edit', 'delete'], 'allowed' => new \CakeDC\Auth\Rbac\Rules\Owner(), ], The Owner rule will use by default the user_id field in articles table to match the logged in user id. You can customize the columns, and how the article id is extracted. This covers most of the cases where you need to identify the owner of a given row to assign specific permissions.

Other considerations

Permissions and big projects

Having permission rules in a single file could be a solution for small projects, but when they grow, it's usually hard to manage them. How could we deal with the complexity?
  • Break permission file into additional configuration files
  • Per role, usually a good idea when you have a different set of permissions per role. You can use the Configure class to append the permissions, usually having a defaults file with common permissions would be a good idea, then you can read N files, one per role to apply the specific permissions per role.
  • Per feature/plugin, useful when you have a lot of actions, and a small set of roles, or when the roles are mostly the same regarding permissions, with a couple changes between them. In this case you will define the rules in N files, each one covering a subset of the actions in your application, for example invoices.php file would add the pemissions to the Invoices plugin. In the case you work with plugins, keep in mind you could write the permission rules inside each plugin and share/distribute the rules if you reuse the plugin in other apps (as long as the other apps will have similar roles).
  • QA and maintenance
  • It's always a good idea to think about the complexity of testing the application based on the existing roles. Automated integration testing helps a lot, but if you are planning to have some real humans doing click through, each role will multiply the time to pass a full regression test on the release. Key question here is "Do we really need this role?"
  • Having a clear and documented permissions matrix file, with roles vs actions and either "YES" | "NO" | "RuleName" in the cell value will help a lot to understand if the given role should be allowed to access to a given action. If it's a CSV file it could be actually used to create a unit test and check at least the static permission rules.
  • Debugging and tracing is also important, for that reason we've included a trace feature in CakeDC/Auth that logs to debug.log the rule matched to allow/deny a specific auth check.

About performance

Performance "could" become an issue in the case you have a huge amount of rules, and some of them would require database access to check if they are matching. As a general recommendation, remember the following tips:
  • Rules are matched top to bottom
  • Try to leave the permission rules reading the database to the end of the file
  • Cache the commonly used queries, possibly the same query will be used again soon
  • Note cache invalidation is always fun, and could lead to very complex scenarios, keep it simple
  • If you need too much context and database interaction for a given rule, maybe the check should be done elsewhere. You could give some flexibility and get some performance in return

Last words

We've collected some notes about the implementation of a RBAC based system in CakePHP using our CakeDC/Auth plugin. As stated before, there are many other ways, but this is ours, worked well on several projects and we thought it was a good idea to share it with other members of the CakePHP community to expose a possible solution for their next project Authorization flavor. Please let us know if you use it, we are always improving on them - And happy to get issues and pull requests for our open source plugins. As part of our open source work in CakeDC, we maintain many open source plugins as well as contribute to the CakePHP Community. Reference

Building an RBAC based application in ...

This is the first post of a small series covering how to setup, organize and implement an RBAC based authorization system in CakePHP using the CakeDC/Auth Plugin. We'll cover the basic concepts, setup and implementation of the basic permission rules in part 1.

What does RBAC mean in this context?

We'll use RBAC as "Role Base Access Control", meaning your app will be using the following concepts to define who can access what:
  • "Who" is an existing user, mainly identified as his role in the system, such as an "admin" or "writer", etc.
  • "What" is a specific action in your application, identified as the associated routing params, for example ['controller' => 'Posts', 'action' => 'add'].
  • A permission in this context would be a link between who, and what.

Why not ACL?

ACL is a really good choice when your answer is 'yes' to any of the following questions:
  • Do we need to let users create new roles on the fly?
  • Do we need the roles to inherit permissions (tree structure)?
  • Do we need to assign permissions NOT based on controller actions? For example CRUD based permissions, checked on the model layer for each operation on a given row.
If your answer is yes, you should consider using cakephp/acl. It provides a very powerful, reliable and flexible way to configure your permissions, but with greater power comes a bigger maintenance burden, that is keeping the acl data in your tables. Specially if you have several environments to maintain, you'll need to write migrations to populate your acl tables, then create import/export scripts and utilities to reproduce permission issues from live environments, and so on. Not an impossible task, but could increase the complexity of your project in a significant way...

Setting up CakeDC/Auth

There are other plugins you could use, but this one will cover everything you'll need, so let's go. CakeDC/Auth usually comes installed from within CakeDC/Users (a complete solution covering many more features) but today we'll set it up alone. composer require cakedc/auth bin/cake plugin load CakeDC/Auth And last, but not least, add the RBAC Auth to the list of Authorize objects. Here is a working configuration based on the blog tutorial. We'll be using the blog tutorial described in the book as an example application Change AppController.php Auth related configuration to: $this->loadComponent('Auth', [ 'authorize' => ['CakeDC/Auth.SimpleRbac'], 'loginRedirect' => [ 'controller' => 'Articles', 'action' => 'index' ], 'logoutRedirect' => [ 'controller' => 'Pages', 'action' => 'display', 'home' ] ]); With this change, we'll be using only the rules defined in config/permissions.php file. If this file is not present, default permissions will be in place. Default permissions will grant access to admin role to all actions. To override permissions, you can copy the default permissions to your project and fix the rules: cp vendor/cakedc/auth/config/permissions.php config/ Then edit this file and check the provided examples and defaults.

Using CakeDC/Auth

The core of the RBAC system is the ability to define permission rules that will match one given role with the actions granted. Rules are defined in an array, but you can extend the AbstractProvider class to retrieve the rules from somewhere else (database?). By default, nothing will be granted. Rules are evaluated top to bottom. The first rule matched will stop the evaluation, and the authentication result will be provided by the value of the allowed key. Note we can use a callback to implement complex rules, or encapsulate the rules into classes that we could reuse across projects, like the Owner rule class provided. This is an example rule [ 'role' => '*', 'plugin' => 'CakeDC/Users', 'controller' => 'Users', 'action' => ['profile', 'logout'], ], We could read this rule as follows: "For any role, we grant access to actions 'profile' and 'logout' in the Users controller in plugin CakeDC/Users". Note default allowed value is true, we can use an array, or a string to determine the role, plugin, controller and action. We can also use * in the value to match anything or use * at the start of the key to match anything but the values, for example '*controller' => 'Users', would match all the controllers but 'Users'.

Simple Rules

As our first objective, we are going to grant access to all the index and view pages, using the rule [ 'role' => '*', 'controller' => '*', 'action' => ['index', 'view'], ],
Stay tuned for the second post, where we'll deal with complex rules, rule classes and implementation tips for complex applications...

Has your website been hacked? Learn mo...

If you have a website and have not made the necessary security precautions, then you may become victim to hacking.   Besides the obvious defacing that can take place once your website has fallen victim, here are some other signs you have been hacked:

  • Your website redirects to another site, not your own.
  • Google or Bing notifies you.
  • Your browser indicates that your site is not secure.
  • You notice a change in your website traffic, especially from different countries.
  So you’ve been hacked - what do you do? Where do you start?   We’ve put together a few things that you need to look into as soon as possible!  
  • Do you have a support team? Contact them!
In this situation, it is best to immediately contact your technical support - your web developers who have experience in how to handle these situations. From what to shut down, what to look for and where to check. Someone without the technical expertise to help you is going to have difficulty properly fixing things!  
  • Get together all of the information required for your support team
Your support team will need all the access information, so start putting this together - things they will need access to include your CMS; hosting provider and login details; web logs, FTP/sFTP access credentials as well as any back ups you may have. If you have never been hacked or do not have regular back ups running - here’s a good place to start.  
  • Temporarily take your website down
If you haven’t already done so, make sure to take your site down temporarily. While you are doing this, it is also important to check all your servers and computers for malware, spyware or trojans. And if you have a virtual server, it may be in the best interest to start over - some attacks leave software that may not be visible or you may not know what to look for.  
  • Change your passwords
Make sure to change your passwords! Not sure what to use? For the best security, make use of a password generator that includes both letters and numbers of more than 12.
  For expert development and consultation services, give CakeDC a call - we lead, so you can lead.

Forms! Tips to make yours better

With your website as such a powerful tool in reaching potential clients, can you afford to have forms that aren’t adequately bringing in conversions or leads?   If you are failing to get leads in, have you considered that your forms may be the problem? Here are some tips to getting your forms up to scratch.   Keep it simple Its key to keep your forms as easy as possible to submit - remove as many barriers as you can. Do you request excessive information, ask your user to login in order to submit their details or have a design that is over complicated and confusing? These are the things to look out for as they can act as deterrents to form submissions or lead conversions.   Fill out the form yourself, give it a test run! If you haven’t already, give your form a test run! How do you feel about filling out the required fields, how long does it take, what emotions would you feel if this wasn’t your website and your form? Take all of these points into consideration and see if there any adjustments that need to be made.   Reduce the number of fields There is no need to require 20 fields when submitting a form. Not only is it time consuming, but also unnecessary and frustrating to your user. Be sure to keep things to a minimum - if a user profile is required, ask them to fill this out later, once they have a feel for the benefits to them.   Is there motivation to submit the form? Are you looking for new leads or to build up your email database? Does the user have incentive to submit the form? Besides your basic contact us forms, there should ideally be other CTA’s or lead generation techniques at play. These could include access to white papers, reports or expert advice which may be offered up as ‘free’ should the user submit their details. Use the opportunity to capture as many leads as possible - and remember, users need a reason to submit their details to you.   Confirm the submission So a user has submitted their details, is there a confirmation message or page redirect? If not, you may be further frustrating your user - make sure to let them know that they have successfully submitted and you have received their information.   For expert development and consultation services, give CakeDC a call - we lead, so you can lead.  

Learn more about UX tracking metrics t...

With UX being a subjective, human and ever changing experience, it can be seen as difficult to track. However, there are some key tell-tale signs that you should be tracking in order to assess the overall user experience of your website.   Common metrics to use when tracking UX   1. Tracking how long it takes visitors to fill out your forms If your contact forms take too much time to fill in, your visitors or potential clients may get frustrated and fail to complete the form. Forms need to be simple, short and easy. Some tips to keeping forms user friendly and easy to fill in include:

  • keeping the number of fields as simple as possible,
  • Keeping the number of fields to as few as possible, there will be opportunity to ask for more information later on in the customer journey.
  • Testing your form yourself, if you struggle to fill out the fields during testing then you definitely need to relook it!
  • Add a confirmation page or message to let your user know that they have submitted successfully
  2. How many fields are skipped in submitted forms? Do you allow for optional fields in your forms? If you do, do you find a trend on certain fields not being submitted? These fields may be too much trouble for your users to fill in - remember, most visitors are lazy when needing to contact you. Make it as easy as possible but also, its important to ensure that you aren’t being too intrusive when requiring information in your forms. If it’s not ‘need to know’ information, then cut it from your form. These skipped fields give you a good idea as to what your user is thinking and feeling. Make sure to keep an eye on how your forms are submitted and what your users are subconsciously telling you.   3. Analyse your user experience with the use of heat maps Heatmaps give you the best view of the journey your visitors take when visiting your page. From where they are clicking to the amount of engagement a page gets and where. Simple things from users clicking your logo top of page to which links they view as engaging and click through to, these insights help you better optimise your page.      4. Collect feedback from customers and your customer service department Your customer service department is front facing - these are the people that will know what users are saying about your website and they are able to provide insights into where your UX issues. If you haven’t already - this is a great place to start your UX measurement and feedback journey.   If you need an expert to help you with your website, then give CakeDC a call. CakeDC - the experts behind CakePHP.  

Does your website suffer from these ch...

If you haven’t had a good hard look at your website in a while, now is the time to do so. You will probably find a few things that you’d like fixed. These are the most common challenges that websites fail to fix in time.   Content and technology that is out of date If you had your website built years ago, chances are that it is (severely) out of date. This leaves you vulnerable to security breaches amongst other things. Content is another part of your website that goes out of date, do a spring clean of your overall content and make sure everything listed on your site is still relevant and well organized.   No Call to action for your visitors Are you missing call-to-action triggers such as “Download”, “Contact Us”, “Get started” or “Sign up for free”. You may be losing valuable conversions by not encouraging visitors to engage with your content and brand. This is a quick and easy fix - ideally, you should be checking and updating this type of content regularly to keep abreast of website visitor trends.   Lack of branding It is important as a business owner to make your brand reliable and trustworthy, it is also important to make sure your website correctly displays your clear brand message. Who are you, what do you offer and what tone do you use to project your brand to your clients.   Traffic woes due to SEO troubles If you are not seeing good traffic onto your site, the main culprit may be poor SEO practices. Be sure to regularly check your analytics tracking and if you seeing poor traffic landing on your site then the next port-of-call is to suss out your SEO elements. These include title tags, headlines, content, alt tags, file names, meta descriptions. It is also important to make sure these all align to your key brand message and product offering. The best trick is to select a core group of relevant and related keywords and build your SEO strategy around these.   Websites that haven’t been optimised for mobile If you (or your development team) has failed to quality test the appearance of your site across devices, then you are probably in the majority of companies that are not optimised for mobile. The time is now! Mobile optimised sites are becoming more and more important to business strategy as consumers are no longer bound to only browsing via their computers or laptops. Be sure to check that you are following best practices when optimising for mobile, such as common menu icons and icon placements.   Not sure if your website needs an overhaul? Contact the experts behind CakeDC today to find out more about our development services as well as how we can help you become leaders. CakeDC - We lead, so you can lead.  

We Bake with CakePHP