CakePHP
  • Documentation
    • Book
    • API
    • Videos
    • Reporting Security Issues
    • Privacy Policy
    • Logos & Trademarks
  • Business Solutions
  • Swag
  • Road Trip
  • Team
  • Community
    • Community
    • Get Involved
    • Issues (Github)
    • Bakery
    • Featured Resources
    • Training
    • Meetups
    • My CakePHP
    • CakeFest
    • Newsletter
    • Linkedin
    • YouTube
    • Facebook
    • Twitter
    • Mastodon
    • Help & Support
    • Forum
    • Stack Overflow
    • IRC
    • Slack
    • Paid Support
CakePHP

C CakePHP 3.0 Red Velvet API

  • Project:
    • CakePHP
      • CakePHP
      • Chronos
      • Elastic Search
      • Queue
  • Version:
    • 3.0
      • 5.1
      • 5.0
      • 4.5
      • 4.4
      • 4.3
      • 4.2
      • 4.1
      • 4.0
      • 3.10
      • 3.9
      • 3.8
      • 3.7
      • 3.6
      • 3.5
      • 3.4
      • 3.3
      • 3.2
      • 3.1
      • 3.0
      • 2.10
      • 2.9
      • 2.8
      • 2.7
      • 2.6
      • 2.5
      • 2.4
      • 2.3
      • 2.2
      • 2.1
      • 2.0
      • 1.3
      • 1.2

Namespaces

  • Global
  • Cake
    • Auth
    • Cache
    • Collection
    • Console
    • Controller
      • Component
      • Exception
    • Core
    • Database
    • Datasource
    • Error
    • Event
    • Filesystem
    • Form
    • I18n
    • Log
    • Network
    • ORM
    • Routing
    • Shell
    • TestSuite
    • Utility
    • Validation
    • View

Class AuthComponent

Authentication control component class

Binds access control with user authentication and session management.

Namespace: Cake\Controller\Component
Link: http://book.cakephp.org/3.0/en/controllers/components/authentication.html

Constants

  • string
    ALL ¶ 
    'all'

    Constant for 'all'

Property Summary

  • $_authenticateObjects protected
    array

    Objects that will be used for authentication checks.

  • $_authenticationProvider protected
    Cake\Auth\BaseAuthenticate

    The instance of the Authenticate provider that was used for successfully logging in the current user after calling login() in the same request

  • $_authorizationProvider protected
    Cake\Auth\BaseAuthorize

    The instance of the Authorize provider that was used to grant access to the current user to the url they are requesting.

  • $_authorizeObjects protected
    array

    Objects that will be used for authorization checks.

  • $_componentMap protected
    array

    A component lookup table used to lazy load component objects.

  • $_config protected
    array

    Runtime config

  • $_configInitialized protected
    bool

    Whether the config property has already been configured with defaults

  • $_defaultConfig protected
    array

    Default config

  • $_eventClass protected
    string

    Default class name for new event objects.

  • $_eventManager protected
    Cake\Event\EventManager

    Instance of the Cake\Event\EventManager this object is using to dispatch inner events.

  • $_registry protected
    Cake\Controller\ComponentRegistry

    Component registry class used to lazy load components.

  • $_user protected
    array

    The current user, used for stateless authentication when sessions are not available.

  • $allowedActions public
    array

    Controller actions for which user validation is not required.

  • $components public
    array

    Other components utilized by AuthComponent

  • $request public
    Cake\Network\Request

    Request object

  • $response public
    Cake\Network\Response

    Response object

  • $session public
    Cake\Network\Session

    Instance of the Session object

  • $sessionKey public
    string

    The session key name where the record of the current user is stored. Default key is "Auth.User". If you are using only stateless authenticators set this to false to ensure session is not started.

Method Summary

  • __construct() public

    Constructor

  • __debugInfo() public

    Returns an array that can be used to describe the internal state of this object.

  • __get() public

    Magic method for lazy loading $components.

  • _configDelete() protected

    Delete a single config key

  • _configRead() protected

    Read a config variable

  • _configWrite() protected

    Write a config variable

  • _getUser() protected

    Similar to AuthComponent::user() except if the session user cannot be found, connected authentication objects will have their getUser() methods called. This lets stateless authentication methods function correctly.

  • _isAllowed() protected

    Checks whether current action is accessible without authentication.

  • _isLoginAction() protected

    Normalizes config loginAction and checks if current request URL is same as login action.

  • _setDefaults() protected

    Sets defaults for configs.

  • _unauthenticated() protected

    Handles unauthenticated access attempt. First the unauthenticated() method of the last authenticator in the chain will be called. The authenticator can handle sending response or redirection as appropriate and return true to indicate no further action is necessary. If authenticator returns null this method redirects user to login action. If it's an AJAX request and config ajaxLogin is specified that element is rendered else a 403 HTTP status code is returned.

  • _unauthorized() protected

    Handle unauthorized access attempt

  • allow() public

    Takes a list of actions in the current controller for which authentication is not required, or no parameters to allow all actions.

  • authenticationProvider() public

    If login was called during this request and the user was successfully authenticated, this function will return the instance of the authentication object that was used for logging the user in.

  • authorizationProvider() public

    If there was any authorization processing for the current request, this function will return the instance of the Authorization object that granted access to the user to the current address.

  • config() public

    Usage

  • configShallow() public

    Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

  • constructAuthenticate() public

    Loads the configured authentication objects.

  • constructAuthorize() public

    Loads the authorization objects configured.

  • deny() public

    Removes items from the list of allowed/no authentication required actions.

  • dispatchEvent() public

    Wrapper for creating and dispatching events.

  • eventManager() public

    Returns the Cake\Event\EventManager manager instance for this object.

  • flash() public

    Set a flash message. Uses the Flash component with values from flash config.

  • getAuthenticate() public

    Getter for authenticate objects. Will return a particular authenticate object.

  • getAuthorize() public

    Getter for authorize objects. Will return a particular authorize object.

  • identify() public

    Use the configured authentication adapters, and attempt to identify the user by credentials contained in $request.

  • implementedEvents() public

    Events supported by this component.

  • initialize() public

    Initialize properties.

  • isAuthorized() public

    Check if the provided user is authorized for the request.

  • log() public

    Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

  • logout() public

    Log a user out.

  • redirectUrl() public

    Get the URL a user should be redirected to upon login.

  • setUser() public

    Set provided user info to session as logged in user.

  • startup() public

    Main execution method. Handles redirecting of invalid users, and processing of login form data.

  • user() public

    Get the current user.

Method Detail

__construct() ¶ public 

__construct(ComponentRegistry $registry, array $config = [])

Constructor

Parameters
ComponentRegistry $registry

A ComponentRegistry this component can use to lazy load its components

array $config optional

Array of configuration settings.

__debugInfo() ¶ public 

__debugInfo(): array

Returns an array that can be used to describe the internal state of this object.

Returns
array

__get() ¶ public 

__get(string $name): mixed

Magic method for lazy loading $components.

Parameters
string $name

Name of component to get.

Returns
mixed

_configDelete() ¶ protected 

_configDelete(string $key): void

Delete a single config key

Parameters
string $key

Key to delete.

Returns
void
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() ¶ protected 

_configRead(string|null $key): mixed

Read a config variable

Parameters
string|null $key

Key to read.

Returns
mixed

_configWrite() ¶ protected 

_configWrite(string|array $key, mixed $value, bool|string $merge = false): void

Write a config variable

Parameters
string|array $key

Key to write to.

mixed $value

Value to write.

bool|string $merge optional

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Returns
void
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config

_getUser() ¶ protected 

_getUser(): bool

Similar to AuthComponent::user() except if the session user cannot be found, connected authentication objects will have their getUser() methods called. This lets stateless authentication methods function correctly.

Returns
bool

_isAllowed() ¶ protected 

_isAllowed(Cake\Controller\Controller $controller): bool

Checks whether current action is accessible without authentication.

Parameters
Cake\Controller\Controller $controller

A reference to the instantiating controller object

Returns
bool

_isLoginAction() ¶ protected 

_isLoginAction(Cake\Controller\Controller $controller): bool

Normalizes config loginAction and checks if current request URL is same as login action.

Parameters
Cake\Controller\Controller $controller

A reference to the controller object.

Returns
bool

_setDefaults() ¶ protected 

_setDefaults(): void

Sets defaults for configs.

Returns
void

_unauthenticated() ¶ protected 

_unauthenticated(Cake\Controller\Controller $controller): voidCake\Network\Response

Handles unauthenticated access attempt. First the unauthenticated() method of the last authenticator in the chain will be called. The authenticator can handle sending response or redirection as appropriate and return true to indicate no further action is necessary. If authenticator returns null this method redirects user to login action. If it's an AJAX request and config ajaxLogin is specified that element is rendered else a 403 HTTP status code is returned.

Parameters
Cake\Controller\Controller $controller

A reference to the controller object.

Returns
voidCake\Network\Response

_unauthorized() ¶ protected 

_unauthorized(Cake\Controller\Controller $controller): Cake\Network\Response

Handle unauthorized access attempt

Parameters
Cake\Controller\Controller $controller

A reference to the controller object

Returns
Cake\Network\Response
Throws
Cake\Network\Exception\ForbiddenException

allow() ¶ public 

allow(string|array $actions = null): void

Takes a list of actions in the current controller for which authentication is not required, or no parameters to allow all actions.

You can use allow with either an array or a simple string.

$this->Auth->allow('view');
$this->Auth->allow(['edit', 'add']);

or to allow all actions

$this->Auth->allow();
Parameters
string|array $actions optional

Controller action name or array of actions

Returns
void
Links
http://book.cakephp.org/3.0/en/controllers/components/authentication.html#making-actions-public

authenticationProvider() ¶ public 

authenticationProvider(): Cake\Auth\BaseAuthenticate|null

If login was called during this request and the user was successfully authenticated, this function will return the instance of the authentication object that was used for logging the user in.

Returns
Cake\Auth\BaseAuthenticate|null

authorizationProvider() ¶ public 

authorizationProvider(): Cake\Auth\BaseAuthorize|null

If there was any authorization processing for the current request, this function will return the instance of the Authorization object that granted access to the user to the current address.

Returns
Cake\Auth\BaseAuthorize|null

config() ¶ public 

config(string|array|null $key = null, mixed|null $value = null, bool $merge = true): mixed

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);
Parameters
string|array|null $key optional

The key to get/set, or a complete array of configs.

mixed|null $value optional

The value to set.

bool $merge optional

Whether to recursively merge or overwrite existing config, defaults to true.

Returns
mixed
Throws
Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow() ¶ public 

configShallow(string|array $key, mixed|null $value = null): $this

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);
Parameters
string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

Returns
$this

constructAuthenticate() ¶ public 

constructAuthenticate(): mixed

Loads the configured authentication objects.

Returns
mixed
Throws
Cake\Core\Exception\Exception

constructAuthorize() ¶ public 

constructAuthorize(): mixed

Loads the authorization objects configured.

Returns
mixed
Throws
Cake\Core\Exception\Exception

deny() ¶ public 

deny(string|array $actions = null): void

Removes items from the list of allowed/no authentication required actions.

You can use deny with either an array or a simple string.

$this->Auth->deny('view');
$this->Auth->deny(['edit', 'add']);

or

$this->Auth->deny();

to remove all items from the allowed list

Parameters
string|array $actions optional

Controller action name or array of actions

Returns
void
See Also
AuthComponent::allow()
Links
http://book.cakephp.org/3.0/en/controllers/components/authentication.html#making-actions-require-authorization

dispatchEvent() ¶ public 

dispatchEvent(string $name, array|null $data = null, object|null $subject = null): Cake\Event\Event

Wrapper for creating and dispatching events.

Returns a dispatched event.

Parameters
string $name

Name of the event.

array|null $data optional

Any value you wish to be transported with this event to it can be read by listeners.

object|null $subject optional

The object that this event applies to ($this by default).

Returns
Cake\Event\Event

eventManager() ¶ public 

eventManager(Cake\Event\EventManager|null $eventManager = null): Cake\Event\EventManager

Returns the Cake\Event\EventManager manager instance for this object.

You can use this instance to register any new listeners or callbacks to the object events, or create your own events and trigger them at will.

Parameters
Cake\Event\EventManager|null $eventManager optional

the eventManager to set

Returns
Cake\Event\EventManager

flash() ¶ public 

flash(string $message): void

Set a flash message. Uses the Flash component with values from flash config.

Parameters
string $message

The message to set.

Returns
void

getAuthenticate() ¶ public 

getAuthenticate(string $alias): Cake\Auth\BaseAuthenticate|null

Getter for authenticate objects. Will return a particular authenticate object.

Parameters
string $alias

Alias for the authenticate object

Returns
Cake\Auth\BaseAuthenticate|null

getAuthorize() ¶ public 

getAuthorize(string $alias): Cake\Auth\BaseAuthorize|null

Getter for authorize objects. Will return a particular authorize object.

Parameters
string $alias

Alias for the authorize object

Returns
Cake\Auth\BaseAuthorize|null

identify() ¶ public 

identify(): array

Use the configured authentication adapters, and attempt to identify the user by credentials contained in $request.

Triggers Auth.afterIdentify event which the authenticate classes can listen to.

Returns
array

implementedEvents() ¶ public 

implementedEvents(): array

Events supported by this component.

Uses Conventions to map controller events to standard component callback method names. By defining one of the callback methods a component is assumed to be interested in the related event.

Override this method if you need to add non-conventional event listeners. Or if you want components to listen to non-standard events.

Returns
array

initialize() ¶ public 

initialize(array $config): void

Initialize properties.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters
array $config

The config data.

Returns
void

isAuthorized() ¶ public 

isAuthorized(array|null $user = null, Cake\Network\Request|null $request = null): bool

Check if the provided user is authorized for the request.

Uses the configured Authorization adapters to check whether or not a user is authorized. Each adapter will be checked in sequence, if any of them return true, then the user will be authorized for the request.

Parameters
array|null $user optional

The user to check the authorization of. If empty the user in the session will be used.

Cake\Network\Request|null $request optional

The request to authenticate for. If empty, the current request will be used.

Returns
bool

log() ¶ public 

log(mixed $msg, int|string $level = LogLevel::ERROR, string|array $context = []): bool

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters
mixed $msg

Log message.

int|string $level optional

Error level.

string|array $context optional

Additional log data relevant to this message.

Returns
bool

logout() ¶ public 

logout(): string

Log a user out.

Returns the logout action to redirect to. Triggers the Auth.logout event which the authenticate classes can listen for and perform custom logout logic. AuthComponent will remove the session data, so there is no need to do that in an authentication object. Logging out will also renew the session id. This helps mitigate issues with session replays.

Returns
string
Links
http://book.cakephp.org/3.0/en/controllers/components/authentication.html#logging-users-out

redirectUrl() ¶ public 

redirectUrl(string|array $url = null): string

Get the URL a user should be redirected to upon login.

Pass a URL in to set the destination a user should be redirected to upon logging in.

If no parameter is passed, gets the authentication redirect URL. The URL returned is as per following rules:

  • Returns the normalized URL from session Auth.redirect value if it is present and for the same domain the current app is running on.
    • If there is no session value and there is a config loginRedirect, the loginRedirect value is returned.
    • If there is no session and no loginRedirect, / is returned.
Parameters
string|array $url optional

Optional URL to write as the login redirect URL.

Returns
string

setUser() ¶ public 

setUser(array $user): void

Set provided user info to session as logged in user.

The user record is written to the session key specified in AuthComponent::$sessionKey. The session id will also be changed in order to help mitigate session replays.

Parameters
array $user

Array of user data.

Returns
void
Links
http://book.cakephp.org/3.0/en/controllers/components/authentication.html#identifying-users-and-logging-them-in

startup() ¶ public 

startup(Cake\Event\Event $event): voidCake\Network\Response

Main execution method. Handles redirecting of invalid users, and processing of login form data.

Parameters
Cake\Event\Event $event

The startup event.

Returns
voidCake\Network\Response

user() ¶ public 

user(string $key = null): array|null

Get the current user.

Will prefer the user cache over sessions. The user cache is primarily used for stateless authentication. For stateful authentication, cookies + sessions will be used.

Parameters
string $key optional

field to retrieve. Leave null to get entire User record

Returns
array|null
Links
http://book.cakephp.org/3.0/en/controllers/components/authentication.html#accessing-the-logged-in-user

Property Detail

$_authenticateObjects ¶ protected

Objects that will be used for authentication checks.

Type
array

$_authenticationProvider ¶ protected

The instance of the Authenticate provider that was used for successfully logging in the current user after calling login() in the same request

Type
Cake\Auth\BaseAuthenticate

$_authorizationProvider ¶ protected

The instance of the Authorize provider that was used to grant access to the current user to the url they are requesting.

Type
Cake\Auth\BaseAuthorize

$_authorizeObjects ¶ protected

Objects that will be used for authorization checks.

Type
array

$_componentMap ¶ protected

A component lookup table used to lazy load component objects.

Type
array

$_config ¶ protected

Runtime config

Type
array

$_configInitialized ¶ protected

Whether the config property has already been configured with defaults

Type
bool

$_defaultConfig ¶ protected

Default config

  • authenticate - An array of authentication objects to use for authenticating users. You can configure multiple adapters and they will be checked sequentially when users are identified.
  $this->Auth->config('authenticate', [
     'Form' => [
        'userModel' => 'Users.Users'
     ]
  ]);

Using the class name without 'Authenticate' as the key, you can pass in an array of config for each authentication object. Additionally you can define config that should be set to all authentications objects using the 'all' key:

  $this->Auth->config('authenticate', [
      AuthComponent::ALL => [
         'userModel' => 'Users.Users',
         'scope' => ['Users.active' => 1]
     ],
    'Form',
    'Basic'
  ]);
  • authorize - An array of authorization objects to use for authorizing users. You can configure multiple adapters and they will be checked sequentially when authorization checks are done.
  $this->Auth->config('authorize', [
     'Crud' => [
         'actionPath' => 'controllers/'
     ]
  ]);

Using the class name without 'Authorize' as the key, you can pass in an array of config for each authorization object. Additionally you can define config that should be set to all authorization objects using the AuthComponent::ALL key:

  $this->Auth->config('authorize', [
     AuthComponent::ALL => [
         'actionPath' => 'controllers/'
     ],
     'Crud',
     'CustomAuth'
  ]);

  • ajaxLogin - The name of an optional view element to render when an Ajax request is made with an invalid or expired session.

  • flash - Settings to use when Auth needs to do a flash message with FlashComponent::set(). Available keys are:

  • key - The message domain to use for flashes generated by this component, defaults to 'auth'.

    • element - Flash element to use, defaults to 'default'.
    • params - The array of additional params to use, defaults to ['class' => 'error']

  • loginAction - A URL (defined as a string or array) to the controller action that handles logins. Defaults to /users/login.

  • loginRedirect - Normally, if a user is redirected to the loginAction page, the location they were redirected from will be stored in the session so that they can be redirected back after a successful login. If this session value is not set, redirectUrl() method will return the URL specified in loginRedirect.

  • logoutRedirect - The default action to redirect to after the user is logged out. While AuthComponent does not handle post-logout redirection, a redirect URL will be returned from AuthComponent::logout(). Defaults to loginAction.

  • authError - Error to display when user attempts to access an object or action to which they do not have access.

  • unauthorizedRedirect - Controls handling of unauthorized access.

  • For default value true unauthorized user is redirected to the referrer URL or $loginRedirect or '/'.

    • If set to a string or array the value is used as a URL to redirect to.
    • If set to false a ForbiddenException exception is thrown instead of redirecting.
Type
array

$_eventClass ¶ protected

Default class name for new event objects.

Type
string

$_eventManager ¶ protected

Instance of the Cake\Event\EventManager this object is using to dispatch inner events.

Type
Cake\Event\EventManager

$_registry ¶ protected

Component registry class used to lazy load components.

Type
Cake\Controller\ComponentRegistry

$_user ¶ protected

The current user, used for stateless authentication when sessions are not available.

Type
array

$allowedActions ¶ public

Controller actions for which user validation is not required.

Type
array

$components ¶ public

Other components utilized by AuthComponent

Type
array

$request ¶ public

Request object

Type
Cake\Network\Request

$response ¶ public

Response object

Type
Cake\Network\Response

$session ¶ public

Instance of the Session object

Type
Cake\Network\Session

$sessionKey ¶ public

The session key name where the record of the current user is stored. Default key is "Auth.User". If you are using only stateless authenticators set this to false to ensure session is not started.

Type
string
OpenHub
Pingping
Linode
  • Business Solutions
  • Showcase
  • Documentation
  • Book
  • API
  • Videos
  • Reporting Security Issues
  • Privacy Policy
  • Logos & Trademarks
  • Community
  • Get Involved
  • Issues (Github)
  • Bakery
  • Featured Resources
  • Training
  • Meetups
  • My CakePHP
  • CakeFest
  • Newsletter
  • Linkedin
  • YouTube
  • Facebook
  • Twitter
  • Mastodon
  • Help & Support
  • Forum
  • Stack Overflow
  • IRC
  • Slack
  • Paid Support

Generated using CakePHP API Docs