CakeDC Blog

TIPS, INSIGHTS AND THE LATEST FROM THE EXPERTS BEHIND CAKEPHP

Working with CakePHP Authorization

As you may know, two plugins were added "recently" (not so recently anymore) to deal with the concepts of Authentication and Authorization in your CakePHP applications: cakephp/authentication and cakephp/authorization.

Over the years, both Authentication and Authorization were managed in the Controller layer via AuthComponent. These two concerns usually grow in complexity as your project grows, turning AuthComponent into a complex class dealing with many features at the same time.


One of the original ideas behind these new plugins was to refactor AuthComponent and create specific layers to handle:

  • Authentication: who are you?
  • Authorization: are you allowed?

We are going to explore the Authorization concepts in this article using a specific example:

Let's imagine we have some kind of game application where Users are going to manage Tournaments. The Users will be able to create new Tournaments, and join the Tournaments through a TournamentMemberships many to many association.

Other users won't have access to a Tournament unless they are invited to play. Players of a Tournament can invite other Users to play. So, a quick list of the use cases we are going to cover below:

  • /tournaments/add: any user can create a new Tournament
  • /tournaments/index: browse all joined Tournaments
  • /tournaments/invite: only current Members can invite others, and only if the Tournament has not started yet

We are assuming the Authentication step is already done in our application, so a logged-in user (the identity) is available in the request. Authorization only decides what that identity may do; it never establishes who the user is.

At this point we'll also assume you've installed cakephp/authentication and cakephp/authorization and loaded both plugins.

Authorization does not impose restrictions on when the authorization checks are done. Let's quickly examine the workflow and the related classes for Authorization:

  • AuthorizationMiddleware is attached to your Application and ensures an authorization check is applied somewhere while processing the request (with requireAuthorizationCheck enabled, which is the default, a request that finishes without any check raises an exception instead of succeeding).
     The unauthorizedHandler config lets you define what to do if the request was not authorized for some reason.
  • At some point in your code, you'll need to call AuthorizationComponent, either to
    • skipAuthorization() when you don't require any specific condition to authorize the operation. Example:

      // ... somewhere in your beforeFilter...
      $user = $this->request->getAttribute('identity');
      if ($user && $user->is_superadmin) {
          // skipAuthorization() lives on the Authorization component, not on Authentication
          $this->Authorization->skipAuthorization();
      }
      // ...

    • authorize($resource, $action) when you need to check if a given user is allowed to do some action on a given resource. Note the resource must be an object. authorize() throws a ForbiddenException when the policy denies the action; use can($resource, $action) when you only need a boolean, for example to hide a link in a template.


How are Authorization checks done?

  1. We start with the resource. It's an object, so a Resolver maps each resource class to a Policy class. There are some common defaults, for example the OrmResolver maps ORM classes: an entity Tournament to TournamentPolicy, and the TournamentsTable or a Query built from it to TournamentsTablePolicy.
  2. Once we get to a Policy class, the method matching the action is called: for the action "invite" that is canInvite(IdentityInterface $user, Tournament $tournament). The method returns a bool, or a Result object that carries a reason for the decision.

Configuration:

After the Authentication middleware, in your src/Application.php class, add the Authorization middleware:

    use Authorization\AuthorizationService;
    use Authorization\Middleware\AuthorizationMiddleware;
    use Authorization\Policy\OrmResolver;
    // ...

            $authorizationService = new AuthorizationService(new OrmResolver());
            ...
            ->add(new AuthorizationMiddleware($authorizationService, [
                'unauthorizedHandler' => [
                    'className' => 'Authorization.Redirect',
                    'url' => '/users/login',
                    'queryParam' => 'redirectUrl',
                ],
            ]));

Note the $authorizationService is configured with a single resolver, OrmResolver, which matches the typical CakePHP ORM classes (entities, tables and queries) to policies: https://book.cakephp.org/authorization/2/en/policy-resolvers.html#using-ormresolver

Order matters: the Authorization middleware must be added after the Authentication middleware, because it reads the identity that Authentication attaches to the request. Also check the Redirect handler's exceptions option before relying on it: it controls which exceptions become a redirect rather than an error response, so decide explicitly whether a logged-in user denied by a policy (ForbiddenException) should be sent to the login page or see a 403.
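A fuller version of this configuration, as an added example that is not code from the original post or from the plugin: the Application provides the service through AuthorizationServiceProviderInterface, combines a MapResolver (for a resource that is not an ORM object) with the OrmResolver, and spells out the fail-closed and redirect options instead of relying on defaults. App\Dto\Report, App\Policy\ReportPolicy and the /users/login URL are assumed names for illustration.

```php
<?php
// Added example (not from the original post): Application.php wiring for
// cakephp/authorization with an explicit resolver chain and middleware options.
// App\Dto\Report / App\Policy\ReportPolicy are assumed names for illustration.
declare(strict_types=1);

namespace App;

use App\Dto\Report;
use App\Policy\ReportPolicy;
use Authorization\AuthorizationService;
use Authorization\AuthorizationServiceInterface;
use Authorization\AuthorizationServiceProviderInterface;
use Authorization\Exception\ForbiddenException;
use Authorization\Exception\MissingIdentityException;
use Authorization\Middleware\AuthorizationMiddleware;
use Authorization\Policy\MapResolver;
use Authorization\Policy\OrmResolver;
use Authorization\Policy\ResolverCollection;
use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\RoutingMiddleware;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthorizationServiceProviderInterface
{
    public function bootstrap(): void
    {
        parent::bootstrap();
        $this->addPlugin('Authentication');
        $this->addPlugin('Authorization');
    }

    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        $middlewareQueue
            ->add(new RoutingMiddleware($this))
            // The AuthenticationMiddleware from cakephp/authentication is added
            // here, BEFORE Authorization: Authorization reads the identity that
            // Authentication attaches to the request.
            // ->add(new AuthenticationMiddleware($this))
            ->add(new AuthorizationMiddleware($this, [
                // Fail closed: a request that never calls authorize() or
                // skipAuthorization() raises AuthorizationRequiredException.
                'requireAuthorizationCheck' => true,
                'unauthorizedHandler' => [
                    'className' => 'Authorization.Redirect',
                    'url' => '/users/login',
                    'queryParam' => 'redirectUrl',
                    // State explicitly which failures become a redirect; any
                    // exception not listed here propagates as an error response.
                    'exceptions' => [
                        MissingIdentityException::class,
                        ForbiddenException::class,
                    ],
                ],
            ]));

        return $middlewareQueue;
    }

    public function getAuthorizationService(ServerRequestInterface $request): AuthorizationServiceInterface
    {
        // Resolvers are consulted in order; the first one that knows the
        // resource class supplies the policy.
        $mapResolver = new MapResolver([
            // a plain DTO with no ORM counterpart, mapped by hand
            Report::class => ReportPolicy::class,
        ]);

        return new AuthorizationService(new ResolverCollection([
            $mapResolver,
            // entities, tables and queries -> {Name}Policy / {Name}TablePolicy
            new OrmResolver(),
        ]));
    }
}
```

Passing $this (the provider) instead of a prebuilt service lets the plugin build the service per request; the resolver chain is where you plug in resources that are not ORM objects without giving up the automatic ORM mapping.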

 

Once the middleware is added, you'll need to ensure authorization is actually checked on every request, or you'll get an AuthorizationRequiredException: "The request to / did not apply any authorization checks". This is the fail-closed default (requireAuthorizationCheck => true); keep it, since it turns a forgotten authorize() call into a visible error instead of a silently allowed action.

A first step is to call skipAuthorization() explicitly, for example in the beforeFilter callback, for those controllers or actions that all logged-in Users are allowed to access. Keep that set as small as possible; everything else should go through a policy.
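The selective form of that first step, as an added example that is not code from the original post: a controller skips the check only for an explicit allow-list of actions, so an action that is added later and forgets to call authorize() still fails closed. PagesController, the action names and the assumption that AppController loads the 'Authorization.Authorization' component in initialize() are all for illustration.

```php
<?php
// Added example (not from the original post): skip authorization only for an
// explicit allow-list of actions; everything else must call authorize().
// Controller/action names are assumptions; AppController is assumed to load
// 'Authorization.Authorization' in initialize().
declare(strict_types=1);

namespace App\Controller;

use Cake\Event\EventInterface;

class PagesController extends AppController
{
    /**
     * Actions every logged-in user may reach without a resource policy.
     * Keep this list short and reviewable.
     */
    private const OPEN_ACTIONS = ['home', 'help'];

    public function beforeFilter(EventInterface $event): void
    {
        parent::beforeFilter($event);

        $action = (string)$this->request->getParam('action');
        if (in_array($action, self::OPEN_ACTIONS, true)) {
            $this->Authorization->skipAuthorization();
        }
        // Any other action gets no skip here. If it also fails to call
        // authorize(), the middleware raises AuthorizationRequiredException
        // instead of rendering the page.
    }

    public function home(): void
    {
        // open to every authenticated user (listed in OPEN_ACTIONS)
    }

    public function help(): void
    {
        // open to every authenticated user (listed in OPEN_ACTIONS)
    }

    public function admin(): void
    {
        // Deliberately neither in OPEN_ACTIONS nor calling authorize():
        // requesting /pages/admin ends in "The request to /pages/admin did not
        // apply any authorization checks" rather than serving the page.
    }
}
```

The allow-list lives next to the actions it covers, so a reviewer can see in one place which pages bypass policies; the admin() action shows what happens when someone adds an action and forgets both the skip and the check.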

About the previous Tournaments specific cases, we'll need to create a new Policy class including all the possible actions to be done, for example:
 

  • /tournaments/add

We need to create a new Policy for the Tournament entity.

file src/Policy/TournamentPolicy.php to define policies related to specific tournaments

    <?php
    declare(strict_types=1);

    namespace App\Policy;

    use App\Model\Entity\Tournament;
    use Authorization\IdentityInterface;

    class TournamentPolicy
    {
        public function canAdd(IdentityInterface $user, Tournament $tournament): bool
        {
            // all logged-in users can create tournaments
            return true;
        }
    }

file src/Controller/TournamentsController.php

    // ...
        public function add()
        {
            $tournament = $this->Tournaments->newEmptyEntity();
            // authorize before touching request data; the action name ("add") is
            // taken from the request, so this calls TournamentPolicy::canAdd()
            $this->Authorization->authorize($tournament);

            if ($this->request->is('post')) {
    // ...

The call to $this->Authorization->authorize($tournament) maps the Tournament entity to TournamentPolicy. By default the action is taken from the controller action, in this case "add", so we need to define a canAdd() method. Here we allowed all logged-in Users to create Tournaments.

 

  • /tournaments/index

We'll need to create a new policy for the TournamentsTable, and additionally a scope method to filter the Tournaments based on the current User's memberships.

file src/Policy/TournamentsTablePolicy.php to define policies for the TournamentsTable

    <?php
    declare(strict_types=1);

    namespace App\Policy;

    use Authorization\IdentityInterface;
    use Cake\ORM\Query;

    class TournamentsTablePolicy
    {
        public function canIndex(IdentityInterface $user, Query $query): bool
        {
            // all users can browse tournaments (the scope below decides which ones)
            return true;
        }

        public function scopeIndex(IdentityInterface $user, Query $query): Query
        {
            // scope: only the tournaments the logged-in user is a member of
            return $query->matching('TournamentMemberships', function (Query $q) use ($user) {
                return $q->where(['TournamentMemberships.user_id' => $user->get('id')]);
            });
        }
    }

file src/Controller/TournamentsController.php

        public function index()
        {
            $query = $this->Tournaments->find();
            // TournamentsTablePolicy::canIndex(): may this user list tournaments at all?
            $this->Authorization->authorize($query);
            // TournamentsTablePolicy::scopeIndex(): which rows? never paginate the unscoped $query
            $tournaments = $this->paginate($this->Authorization->applyScope($query));

            $this->set(compact('tournaments'));
        }

Note that authorize() and applyScope() are separate steps answering different questions. Forgetting applyScope() still satisfies the middleware's "a check was applied" requirement, but lists every tournament in the table, so treat the scope call as part of the authorization, not as an optional filter.
 

  • /tournaments/invite

file src/Policy/TournamentPolicy.php to define policies related to specific tournaments

    // ...
    use Cake\ORM\TableRegistry;
    // ...
        public function canInvite(IdentityInterface $user, Tournament $tournament): bool
        {
            // only current members of this tournament may invite others
            return TableRegistry::getTableLocator()->get('TournamentMemberships')
                ->exists([
                    'user_id' => $user->get('id'),
                    'tournament_id' => $tournament->get('id'),
                ]);
        }
    // ...

file src/Controller/TournamentsController.php

    // ...
        public function invite($tournamentId, $userId)
        {
            // get() throws a 404 for an unknown id, so the policy only ever sees a real tournament
            $tournament = $this->Tournaments->get($tournamentId);
            // TournamentPolicy::canInvite(); throws ForbiddenException before anything is written
            $this->Authorization->authorize($tournament);
    // ...

In this case, we check whether the logged-in User already has a TournamentMemberships row for this Tournament; if so, they are allowed to invite another user. Note that this policy only covers the membership half of the use case listed above: the "only if the Tournament has not started yet" condition still has to be added to canInvite(), and the policy says nothing about $userId (the invitee), which the action must validate separately.
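Both halves of the stated rule in one policy method, as an added example that is not code from the original post: canInvite() checks membership and that the Tournament has not started, returning a Result with a reason so the two refusals can be told apart, and the invite action enforces POST, authorizes before any write, and validates the invitee only afterwards. Assumed for illustration: Tournament has a nullable datetime field starts_at, TournamentMemberships has tournament_id and user_id columns, Users is the invitee table, and AppController loads the Authorization and Flash components.

```php
<?php
// Added example (not from the original post). Assumptions for illustration:
// Tournament.starts_at (nullable datetime), TournamentMemberships with
// tournament_id/user_id, a Users table, Authorization + Flash components loaded.
declare(strict_types=1);

namespace App\Policy {

    use App\Model\Entity\Tournament;
    use Authorization\IdentityInterface;
    use Authorization\Policy\Result;
    use Authorization\Policy\ResultInterface;
    use Cake\I18n\FrozenTime;
    use Cake\ORM\Locator\LocatorAwareTrait;

    class TournamentPolicy
    {
        use LocatorAwareTrait;

        public function canAdd(IdentityInterface $user, Tournament $tournament): bool
        {
            return true; // any logged-in user may create a tournament
        }

        public function canInvite(IdentityInterface $user, Tournament $tournament): ResultInterface
        {
            // Rule 1: the inviter must already be a member of this tournament.
            $isMember = $this->getTableLocator()->get('TournamentMemberships')->exists([
                'user_id' => $user->get('id'),
                'tournament_id' => $tournament->get('id'),
            ]);
            if (!$isMember) {
                return new Result(false, 'not a member of this tournament');
            }

            // Rule 2: no invitations once the tournament has started.
            // A null starts_at means "not scheduled yet", which counts as not started.
            $startsAt = $tournament->get('starts_at');
            if ($startsAt !== null && $startsAt <= FrozenTime::now()) {
                return new Result(false, 'tournament already started');
            }

            return new Result(true);
        }
    }
}

namespace App\Controller {

    use Cake\Http\Response;

    class TournamentsController extends AppController
    {
        public function invite(string $tournamentId, string $userId): ?Response
        {
            $this->request->allowMethod(['post']); // state change: never on GET

            $tournament = $this->Tournaments->get($tournamentId);   // 404 if unknown
            // TournamentPolicy::canInvite(); a false Result becomes a ForbiddenException
            $this->Authorization->authorize($tournament, 'invite');

            // Validate the invitee only after the inviter is authorized, so an
            // unauthorized caller learns nothing about which user ids exist.
            $invitee = $this->getTableLocator()->get('Users')->get($userId);

            $memberships = $this->getTableLocator()->get('TournamentMemberships');
            $membership = $memberships->newEntity([
                'tournament_id' => $tournament->get('id'),
                'user_id' => $invitee->get('id'),
            ]);

            if ($memberships->save($membership)) {
                $this->Flash->success('Player invited.');
            } else {
                $this->Flash->error('Could not invite this player.');
            }

            return $this->redirect(['action' => 'view', $tournament->get('id')]);
        }
    }
}
```

Returning a Result instead of a bare false keeps the reason out of the HTTP response by default (the handler decides what the user sees) while making it available for logging from the ForbiddenException. The ordering in the action is deliberate: method check, load the resource, authorize, and only then look at any other user-supplied identifier.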

As you can see, the Authorization plugin provides a flexible way to manage your application permissions. In the previous examples we've covered typical application use cases handling permissions per resource and action. New classes and interfaces, like policies, resolvers and mappers, let you configure Authorization and ensure every resource in your application enforces the required permissions.

If you're looking for RBAC based on your controller actions, take a look at https://github.com/CakeDC/auth/blob/master/Docs/Documentation/Authorization.md

For additional tools and plugins, check https://github.com/FriendsOfCake/awesome-cakephp#authentication-and-authorization

 

Latest articles

Why Use CakePHP

CakePHP is a web development framework running on PHP. CakePHP provides tools to help build websites and web apps that are faster to develop, stable and easy to maintain. We will outline some of the interesting features of the CakePHP framework below:

Authorization

The authorization layer is in charge of determining if a user is able to access a feature or not. Authorization in CakePHP may be as complex as you want. It is powerful because you can define permissions per role, ownership, or anything else by just writing a policy.  In CakePHP 4, the Authorization layer is part of another package, which means that it can be used in a non-CakePHP app.

MVC Support

The layers in CakePHP are very explicit. Firstly, you will see that the application has specific folders for each layer (Model, Controller, Template). Secondly, you are encouraged not to access layers incorrectly, because the right way is simple enough. After using multiple frameworks out there, I can say that CakePHP implements MVC and it implements it well.

Bake

Bake is not something new in CakePHP 4. It has been included with Cake since version 0.1.0 and even now when it is released as a plugin, it is a required tool for any developer. Bake makes generating an application, controllers, models and everything else easier... just running a command and within minutes. Other frameworks may have some tools, but in my opinion, there is nothing like bake.

Database Migration

Database migrations with CakePHP are simple, quick and safe. Those are probably the only three things you look for when versioning your database. The migrations shell can be used to generate migrations, and you are able to alter the database structure in any way, as well as run queries/commands. The CakePHP team is also responsible for the development of the Phinx library that the Migrations plugin builds on.

Multi Language Support

This is another old feature that has been in CakePHP for years and has been recently improved in CakePHP 4. I must say that we have not found any other framework with the same set of features for internationalization and localization. You only need to use the translation function for any strings [__()] and define a way to set the language in your app. After doing that, just extract PO files using the shell and start translating your strings.

Powerful ORM

ORM in CakePHP 4 is able to do anything you can imagine. Simple and complex queries have an easy way to be executed using ORM functions. Joins, grouping, subqueries can be done in just minutes. Even after working in complex reporting for several clients, we have not found something that cannot be done through CakePHP ORM.

PHP Standards 

Going back to previous CakePHP versions (1.x and 2.x), we found that they implemented their own standards, which was fine if you only worked with CakePHP... but it made integrating external libraries more difficult. In CakePHP 4, as well as 3.x, this is not a problem anymore because the CakePHP team follows the current standards for the language (PSRs) and implements them in the core, as well as in the libraries released around it. It allows you to use any PHP library or package inside your Cake application. I could go on all day about features that I like about the CakePHP framework, but there are more blogs to write in the future. I hope this gives you some incentive to use it.

Managing A Company During A Global Pandemic

A worldwide pandemic is not something a company, a manager, or a team ever plans for. This time 6 months ago we were bringing in more clients than anticipated, and planning for an international conference. Fast forward to now, just like most companies we have been hit, our conference has gone virtual, and many employees are still worried about what is to come.  Here are 5 things I have learned during these uncertain times:  

1. Don’t panic. 

Easier said than done, right? Being responsible for a team of great people and their financial, as well as professional, well-being can be trying at times. I have learned it is best to stay calm, push forward and still do the best we can, even when our best isn't always enough. Luckily, I am not a worrier by nature, and I hope that I can be a solid backbone for my team and clients, while letting them know that they (and our company) are my top priority... now more than ever.

2. Be transparent

It is best to have sure answers and knowledge of what is expected, and to be open and honest about this with the team. If we are going to be working longer hours one week, maybe shorter the next, I want to be upfront so that no one is caught off guard. If policies or procedures are changing, they are notified immediately. The same goes for our clients; we have always prided ourselves on being honest and transparent about the behind-the-scenes scenarios. It may not always be good news that's delivered, but it will be honest. I have set goals to make my expectations clear, and reasonable.

3. Be available:

Someone like myself, I am always going in a million directions. I have made it a point to make myself available for help, support, or whatever it is that someone may need. This goes for clients, team members, even friends. A pandemic like this really makes you step back and think about what is important, and about things that you may not have made priorities in the past that needed to change. Our team is used to working remotely, but we communicate daily, and we always have open lines of communication (sometimes in the middle of the night, as we all work in different time zones).

4. Be Understanding

If 2020 has taught us anything, it’s to expect the unexpected. It is vital that each individual understands that not everyone is the same. We do not handle stress the same, we go through trials and tribulations differently, so it is important to be empathetic. We need to provide tools for success... and sometimes that means paid time off, new communication platforms, team building exercises, or just listening and being compassionate. I think a mistake a lot of people made early on was expecting everyone to adjust to the new way of life, with no clear direction. This resulted in a lot of confusion, and negativity, instead of learning together and changing the course of action. 
 

5. Surround yourself with a great team. 

Luckily for me, our team is fully functional without me, maybe that should scare me a little, huh? We have structure, we built up trust with each other, and everyone works towards the same goal - being successful, delivering to our clients, and growing together. While it may be my job to keep everyone moving forward and be motivating, it’s no secret that they motivate me, too. Despite working in different countries, our team has built great relationships with each other, and everyone is ready to step in and help their colleagues whenever necessary. 
 

Final thoughts

Has 2020 been different than I imagined? Absolutely. We do not know the answers to every question. We also do not know where this year may take our team, the company, or the world! One thing I do know is we will adapt, adjust and keep pushing forward. We will keep providing the best service to our clients as we always have, and we will not panic…. Not yet at least. 
 

A Quick CakePHP Local Environment With Docker

CakePHP and Docker

We all know that while developing CakePHP software we need a local environment with PHP, an HTTP server (nginx, Apache) and a database (MySQL, Postgres, MongoDB, etc.). Installing those tools directly on your system is the basic way, but it can become tricky when we have multiple projects using different versions of those tools... that's where Docker helps us. In this article, we will show a quick Docker setup to improve our CakePHP local environment. If you don't have Docker installed go to https://docs.docker.com/get-docker/; it is available for Linux, macOS and Windows. For our setup we are going to use PHP, nginx and MySQL. All of the information required will be added to a new file named docker-compose.yml. In our environment we will need two Docker images (https://docs.docker.com/engine/reference/commandline/images/): one image for PHP + nginx and one for MySQL.

Setup Nginx + PHP service

Create the file docker-compose.yml inside your application with this:

    version: "3.1"
    services:
      php-fpm:
        image: webdevops/php-nginx:7.4
        container_name: myapp-webserver
        working_dir: /app
        volumes:
          - ./:/app
        environment:
          - WEB_DOCUMENT_ROOT=/app/webroot
        ports:
          - "80:80"

Now we have a service named php-fpm, which runs PHP 7.4 and nginx on port 80, pointing at our webroot directory. Important note: the container_name must be unique on your system.

Setup MySql service

Our MySQL service requires a username, password and database name. For this, we are going to create the file mysql.env with this content (don't use a weak password like this anywhere but a throwaway local setup, and keep mysql.env out of version control; you can share a mysql.env.default template with your team instead):

    MYSQL_ROOT_PASSWORD=password
    MYSQL_DATABASE=my_app
    MYSQL_USER=my_user
    MYSQL_PASSWORD=password

Now, at the end of docker-compose.yml, add the database service:

      mysql:
        image: mysql:5.6
        container_name: myapp-mysql
        working_dir: /app
        volumes:
          - .:/app
          - ./tmp/data/mysql_db:/var/lib/mysql
        env_file:
          - mysql.env
        command: mysqld --character-set-server=utf8 --init-connect='SET NAMES UTF8;'
        ports:
          - "3306:3306"

You'll see that we have - ./tmp/data/mysql_db:/var/lib/mysql; this persists the MySQL data between container restarts (add tmp/data to .gitignore). The working_dir and .:/app entries on the mysql service are not needed for the database to run and can be dropped. Two things to check before copying this: "3306:3306" publishes the database on every interface of your machine, so with the password above anyone on your network can log in; "127.0.0.1:3306:3306" keeps it local. And mysql:5.6 reached end of life in February 2021, so pick a currently supported tag for a new setup. Now we also have a service named mysql with one empty database named my_app and a user named my_user.
 

Starting the services and app configuration

Before we continue, make sure that you don't have any other HTTP server or MySQL server running on ports 80 and 3306. Now that we have finished our docker-compose.yml, we can execute docker-compose up to start the services and access the app at http://localhost. The next thing you need to do is update your database configuration (config/app_local.php in a CakePHP 4 app) with the correct credentials; the host is the service name, in our case "mysql":

    'host' => 'mysql',
    'username' => 'my_user',
    'password' => 'password',
    'database' => 'my_app',

That's it! Now we have a working local environment for our CakePHP app. We can get a shell in the services using docker-compose exec php-fpm bash and docker-compose exec mysql bash. The files mentioned here (docker-compose.yml and mysql.env) can be found at https://gist.github.com/CakeDCTeam/263a65336a85baab2667e08c907bfff6.

The icing on the cake

Going one step further, we could add some aliases (on Linux) to make it even easier. Let's add these lines at the end of your ~/.bashrc file:

    alias cake="docker-compose exec -u $(id -u ${USER}):$(id -g ${USER}) php-fpm bin/cake"
    alias fpm="docker-compose exec -u $(id -u ${USER}):$(id -g ${USER}) php-fpm"
    alias composer="docker-compose exec -u $(id -u ${USER}):$(id -g ${USER}) php-fpm composer"

With those entries, instead of typing docker-compose exec php-fpm bin/cake, we can just type cake. The other two aliases are for composer and for running any command in the container (for example fpm bash). Notice the ${USER}? The -u flag runs the command inside the container as your own uid and gid, so files created through it (generated code, composer's vendor directory) are owned by you rather than by root.

Additional information

Normally docker images allow us to customize the service, for webdevops/php-nginx:7.4 - you can check more information at: https://dockerfile.readthedocs.io/en/latest/content/DockerImages/dockerfiles/php-nginx.html and for mysql check: https://hub.docker.com/_/mysql . You can find more images at: https://hub.docker.com/. If you are not familiar with docker, take a look at: https://docs.docker.com/get-started/overview/, as this documentation provides good information.   Hope you have enjoyed this article and will take advantage of docker while working in your CakePHP application.  

We Bake with CakePHP