So I have a case where I have one action that will (based on some conditions) flip over to another action in the same controller.
Now the initial action is allowed to people with a given role (coaches or trainers), but a subsequent action is only allowed to coaches.
However, because they’re not accessing the second action directly (only via the intermediary action), the Auth Component doesn’t prevent it from firing. Here’s some code:
    public function isAuthorized($user) {
        switch ($this->action) {
            case "bulkAction":
                // Coaches and trainers may reach the entry action.
                if (in_array($user['role'], array('coach', 'trainer'))) {
                    return true;
                }
                break;
            case "bulkDelete":
                // Only coaches may delete, but Auth only checks the routed action.
                if ($user['role'] == 'coach') {
                    return true;
                }
                break;
        }
        return parent::isAuthorized($user);
    }

    public function bulkAction() {
        switch ($this->request->data['Action']) {
            case "delete":
                // Direct method call: isAuthorized() is not re-run for bulkDelete.
                $this->bulkDelete();
                break;
        }
    }
So again, when bulkAction sends data over to the bulkDelete action, Auth seems to be completely bypassed, and the action goes through. How can I make sure that actions called by other actions are still checked against the controller’s isAuthorized callback?
First off, one action calling another is really bad design and should not be done. All your users should be calling only the bulkAction($type = null) action. Use the argument $type to specify the type. So your URLs would be like /foo/bulkAction/edit, /foo/bulkAction/delete, etc., and your $type param will receive the value "edit", "delete", etc. Make various protected methods in the controller which contain the functionality for each type and call them as needed through your bulkAction. Then in your isAuthorized() method return true or false by checking the user role and the type, which will be available in $this->request->params['passed'].

Instead of using a passed param for the action you can also use named params if you like, so the action will be bulkAction() and your URLs would be like /foo/bulkAction/type:delete. In this case you can get the type using $this->request->params['named'].
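A controller reworked along the lines of this answer, as an added example that is not code from the question or the answer. It assumes CakePHP 2.x, where the URL argument is read from $this->request->params['pass']; the Items controller, the Item model, the 'role' key on the user array and the Item.ids form field are made-up names.

```php
<?php
// Added example, not from the original post. Assumes CakePHP 2.x and made-up
// model/field names.
App::uses('AppController', 'Controller');

class ItemsController extends AppController {
    // Roles allowed per bulk type. bulkAction() is the only routable entry
    // point, so every type passes through isAuthorized() exactly once.
    protected $bulkRoles = array(
        'edit'   => array('coach', 'trainer'),
        'delete' => array('coach'),
    );

    public function isAuthorized($user) {
        if ($this->request->params['action'] === 'bulkAction') {
            // /items/bulkAction/delete  ->  params['pass'][0] === 'delete'
            $passed = $this->request->params['pass'];
            $type = isset($passed[0]) ? $passed[0] : null;
            if (!isset($this->bulkRoles[$type])) {
                return false; // unknown type: deny, do not fall through
            }
            return in_array($user['role'], $this->bulkRoles[$type], true);
        }
        return parent::isAuthorized($user);
    }

    public function bulkAction($type = null) {
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException(); // no state changes via GET
        }
        $ids = (array)$this->request->data('Item.ids');
        switch ($type) {
            case 'edit':
                $this->_bulkEdit($ids);
                break;
            case 'delete':
                $this->_bulkDelete($ids);
                break;
            default:
                throw new BadRequestException('Unknown bulk type');
        }
        $this->redirect(array('action' => 'index'));
    }

    // Protected methods are not routable, so they can only be reached through
    // bulkAction(), i.e. only after its authorization check has run.
    protected function _bulkEdit(array $ids) {
        $this->Item->updateAll(array('Item.archived' => 1), array('Item.id' => $ids));
    }

    protected function _bulkDelete(array $ids) {
        $this->Item->deleteAll(array('Item.id' => $ids), false);
    }
}
```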