CakeDC Blog

TIPS, INSIGHTS AND THE LATEST FROM THE EXPERTS BEHIND CAKEPHP

Working with CakePHP Authorization

Written by Jorge on May 19, 2020
17092 VIEWS

As you may know, there are 2 new plugins "recently" (not so recently) added to deal with the concepts of Authentication and Authorization in your CakePHP applications.

Over the years, both Authentication and Authorization were managed in the Controller layer, via AuthComponent.  These 2 things usually grow in complexity

as your project grows too, making the AuthComponent a complex class dealing with many features at the same time.


One of the original ideas behind these new plugins was to refactor AuthComponent and create specific layers to handle:

  • Authentication: who are you?
  • Authorization: are you allowed?

We are going to explore the Authorization concepts in this article using a specific example:

Let's imagine we have some kind of game application where Users are going to manage Tournaments. The Users will be able to create new Tournaments, and join the Tournaments through a TournamentMemberships many to many association.

Other users won't have access to the Tournaments unless they are invited to play. Players of a Tournament can invite other Users to play. So, a quick list of the use cases we are going to cover below are:

  • /tournaments/add  any user can create a new Tournament
  • /tournaments/index  browse all joined tournaments
  • /tournaments/invite  only current Members can invite others, and only if the Tournament has not started yet

We are assuming Authorization step is done in our application and we have a logged in user available in our request.

At this point we'll also assume you've installed cakephp/authentication and cakephp/authorization and loaded both plugins.

Authorization does not impose restrictions  on when the authorization checks will be done, let's quickly examine the workflow and related classes for Authorization:

  • AuthorizationMiddleware is attached to your Application, and will ensure the Authorization will be checked somewhere while processing the request.
     The unauthorizedHandler config will allow you to define what to do if the request was not authorized for some reason.
  • At some point in your code, you'll need to call AuthorizationComponent, either to
    • skipAuthorization when you don't require any specific condition to authorize the operation. Example:

      // ... somewhere in your beforeFilter...

          if ($user->is_superadmin) {

              $this->Authentication->skipAuthorization();

          }

      // ...

    • authorize($resource, $action) when you need to check if a given user is allowed to do some action on a given resource. Note the resource must be an Object.


How Authorization checks are done?

  1. We start by checking the resource, it's an Object so we use a Resolver to map every resource with a given Policy. There are some common defaults, for example to map ORM classes.
  2. Once we get to a Policy class, we check the matching method, for example if the action is "invite" we would check the method canInvite(IdentityInterface $user, Tournament $tournament)

Configuration:

After the Authentication middleware, in your src/Application.php class, add the Authorization Middleware

           $authorizationService = new AuthorizationService(new OrmResolver());

            ...

            ->add(new AuthorizationMiddleware($authorizationService, [

                'unauthorizedHandler' => [

                    'className' => 'Authorization.Redirect',

                    'url' => '/users/login',

                    'queryParam' => 'redirectUrl',

                ],

            ]));

 

Note the $authorizationService is configured with one resolver to match the CakePHP typical ORM classes, like Entities or Queries. https://book.cakephp.org/authorization/2/en/policy-resolvers.html#using-ormresolver

 

Once the middleware is added, you'll need to ensure the Authorization is checked, or you'll get an  error?: "The request to / did not apply any authorization checks" .

The first step would be to skip authorization for all the controllers and actions, for example in beforeFilter callback that all Users are allowed to access.

About the previous Tournaments specific cases, we'll need to create a new Policy class including all the possible actions to be done, for example:
 

  • /tournaments/add

We need to create a new Policy for the Tournament Entity

file src/Policy/TournamentPolicy.php to define policies related to specific tournaments

class TournamentPolicy

{

    public function canAdd(IdentityInterface $user, Tournament $tournament)

    {

        // all users can create tournaments

        return true;

    }

}

file src/Controller/TournamentsController.php

// ...

    public function add()

    {

        $tournament = $this->Tournaments->newEmptyEntity();

        $this->Authorization->authorize($tournament);

        if ($this->request->is('post')) {

// ...

The call to $this->Authorization->authorize($tournament); will map the Tournament entity to the TournamentPolicy, by default the action is taken from the controller action, in this case "add" so we will need to define a canAdd() method. We allowed all Users to create Tournaments.

 

  • /tournaments/index

We'll need to create a new policy for the TournamentsTable, and additionally a scope method to filter the Tournaments based on the current User membership.

file src/Policy/TournamentsTablePolicy.php to define policies for the TournamentsTable

class TournamentsTablePolicy

{

    public function canIndex(IdentityInterface $user, Query $query)

    {

        // all users can browse tournaments

        return true;

    }

    public function scopeIndex(IdentityInterface $user, Query $query)

    {

        // scope to filter tournaments for a logged in user

        return $query->matching('TournamentMemberships', function (Query $q) use ($user) {

            return $q->where(['TournamentMemberships.user_id' => $user->get('id')]);

        });

    }

}

file src/Controller/TournamentsController.php

    public function index()

    {

        $query = $this->Tournaments->find();

        $this->Authorization->authorize($query);

        $tournaments = $this->paginate($this->Authorization->applyScope($query));

 

        $this->set(compact('tournaments'));

    }
 

  • /tournaments/invite

file src/Policy/TournamentPolicy.php to define policies related to specific tournaments

// ...

    public function canInvite(IdentityInterface $user, Tournament $tournament)

    {

        return TableRegistry::getTableLocator()->get('TournamentMemberships')

            ->exists([

                'user_id' => $user->get('id'),

                'tournament_id' => $tournament->get('id'),

            ]);

    }

// ...

file src/Controller/TournamentsController.php

// ...

    public function invite($tournamentId, $userId)

    {

        $tournament = $this->Tournaments->get($tournamentId);

        $this->Authorization->authorize($tournament);

// ...

 

In this case, we need to check if the logged in User is already a member of the TournamentMemberships group, if so, we are allowed to invite another user.

As you can see, Authorization plugin will provide a flexible way to manage your application permissions.   In the previous examples we've covered typical application use cases to handle permissions per resource and action. New classes and interfaces, like policies, resolvers and mappers will allow you to configure the Authorization and ensure all the resources in your application will provide the required permissions.

If you're looking for RBAC based on your controller actions, take a look at https://github.com/CakeDC/auth/blob/master/Docs/Documentation/Authorization.md

For additional tools and plugins, check https://github.com/FriendsOfCake/awesome-cakephp#authentication-and-authorization

 

Latest articles

299 Views

CakeFest 2025 Wrap Up

For years I have heard the team talk about Madrid being one of their favorite cities to visit, because they hosted CakeFest there more than a decade ago. I can now confirm… they were right! What a beautiful city. Another great CakeFest in the books… Thanks Madrid!   Not only are we coming down from the sugar high, but we are also honored to be celebrating 20 years of CakePHP. It was amazing to celebrate with the attendees (both physical and virtual). If you watched the cake ceremony, you saw just how emotional it made Larry to reminisce on the last 20 years. I do know one thing, CakePHP would not be where it is without the dedicated core, and community.    Speaking of the core, we had both Mark Scherer and Mark Story joining us as presenters this year. It is a highlight for our team to interact with them each year. I know a lot of the other members from the core team would have liked to join us as well, but we hope to see them soon. The hard work they put in day after day is unmatched, and often not recognized enough. It’s hard to put into words how grateful we are for this group of bakers.    Our event was 2 jam packed days of workshops and talk presentations, which you can now see a replay of on our YouTube channel (youtube.com/cakephp). We had presenters from Canada, Germany, India, Spain, USA, and more! This is one of my favorite parts about the CakePHP community, the diversity and representation from all over the world. When we come together in one room, with one common goal, it’s just magical. Aside from the conference itself, the attendees had a chance to network, mingle, and enjoy meals together as a group.  I could sense the excitement of what’s to come for a framework that is very much still alive. Speaking of which… spoiler alert: CakePHP 6 is coming. Check out the roadmap HERE.   I feel as though our team leaves the event each year with a smile on their face, and looking forward to the next. The events are growing each year, although we do like to keep the small group/intimate type of atmosphere. I am already getting messages about the location for next year, and I promise we will let you know as soon as we can (when we know!). In the meantime, start preparing your talks, and send us your location votes.   The ovens are heating up….

Written by Amanda on October 16, 2025

564 Views

Polymorphic Relationships in CakePHP: A Beginner's Guide

Have you ever wondered how to make one database table relate to multiple other tables? Imagine a comments table that needs to store comments for both articles and videos. How do you manage that without creating separate tables or complicated joins? The answer is a polymorphic relationship. It sounds fancy, but the idea is simple and super powerful.

What's a Polymorphic Relationship?

Think of it this way: instead of a single foreign key pointing to one specific table, a polymorphic relationship uses two columns to define the connection. Let's stick with our comments example. To link a comment to either an article or a video, your comments table would have these two special columns:
  1. foreign_id: This holds the ID of the related record (e.g., the id of an article or the id of a video).
  2. model_name: This stores the name of the model the comment belongs to (e.g., 'Articles' or 'Videos').
This flexible setup allows a single comment record to "morph" its relationship, pointing to different types of parent models. It's clean, efficient, and saves you from a lot of redundant code. It's not necessary for them to be called "foreign_id" and "model_name"; they could have other names (table, model, reference_key, model_id, etc.) as long as you maintain the intended function of each. Now, let's see how you can set this up in CakePHP 5 without breaking a sweat.

Making It Work in CakePHP 5

While some frameworks have built-in support for polymorphic relationships, CakePHP lets you create them just as easily using its powerful ORM (Object-Relational Mapper) associations. We'll use the conditions key to define the polymorphic link.

Step 1: Set Up Your Database

We'll use a simple schema with three tables: articles, videos, and comments. -- articles table CREATE TABLE articles ( id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(255) ); -- videos table CREATE TABLE videos ( id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(255) ); -- comments table CREATE TABLE comments ( id INT AUTO_INCREMENT PRIMARY KEY, content TEXT, foreign_id INT NOT NULL, model_name VARCHAR(50) NOT NULL ); Notice how the comments table has our special foreign_id and model_name columns.

Step 2: Configure Your Models in CakePHP

Now for the magic! We'll define the associations in our Table classes. ArticlesTable.php In this file, you'll tell the Articles model that it has many Comments, but with a specific condition. // src/Model/Table/ArticlesTable.php namespace App\Model\Table; use Cake\ORM\Table; class ArticlesTable extends Table { public function initialize(array $config): void { // ... $this->hasMany('Comments', [ 'foreignKey' => 'foreign_id', 'conditions' => ['Comments.model_name' => self::class], // or 'Articles' 'dependent' => true, // Deletes comments if an article is deleted ]); } } Use self::class is a best practice in modern PHP, as it prevents bugs if you ever decide to rename your classes, and your IDE can auto-complete and check it for you VideosTable.php You'll do the same thing for the Videos model, but change the model_name condition. // src/Model/Table/VideosTable.php namespace App\Model\Table; use Cake\ORM\Table; class VideosTable extends Table { public function initialize(array $config): void { // ... $this->hasMany('Comments', [ 'foreignKey' => 'foreign_id', 'conditions' => ['Comments.model_name' => self::class], // or 'Videos' 'dependent' => true, ]); } } CommentsTable.php This table is the owner of the polymorphic association. You can add associations here to easily access the related Article or Video from a Comment entity. // src/Model/Table/CommentsTable.php namespace App\Model\Table; use Cake\ORM\Table; class CommentsTable extends Table { public function initialize(array $config): void { // ... $this->belongsTo('Articles', [ 'foreignKey' => 'foreign_id', 'conditions' => ['Comments.model_name' => \App\Model\Table\ArticlesTable::class], // or 'Articles' ]); $this->belongsTo('Videos', [ 'foreignKey' => 'foreign_id', 'conditions' => ['Comments.model_name' => \App\Model\Table\VideosTable::class], // or 'Videos' ]); } }

Step 3: Using the Relationship

Now that everything is set up, you can fetch data as if it were a normal association. Fetching Comments for an Article: $article = $this->Articles->get(1, ['contain' => 'Comments']); // $article->comments will contain a list of comments for that article Creating a new Comment for a Video: $video = $this->Videos->get(2); $comment = $this->Comments->newEmptyEntity(); $comment->content = 'This is an awesome video!'; $comment->foreign_id = $video->id; $comment->model_name = \App\Model\Table\VideosTable::class; // or 'Videos' $this->Comments->save($comment); As you can see, the model_name and foreign_id fields are the secret sauce that makes this pattern work.

What About the Future? The Power of This Solution

Now that you've got comments working for both articles and videos, what if your app grows and you want to add comments to a new model, like Photos? With this polymorphic setup, the change is incredibly simple. You don't need to alter your comments table at all. All you have to do is: Create your photos table in the database. Add a new PhotosTable.php model. In the new PhotosTable's initialize() method, add the hasMany association, just like you did for Articles and Videos. // src/Model/Table/PhotosTable.php namespace App\Model\Table; use Cake\ORM\Table; class PhotosTable extends Table { public function initialize(array $config): void { // ... $this->hasMany('Comments', [ 'foreignKey' => 'foreign_id', 'conditions' => ['Comments.model_name' => self::class], 'dependent' => true, ]); } } That's it! You've just extended your application's functionality with minimal effort. This demonstrates the true power of polymorphic relationships: a single, scalable solution that can easily adapt to your application's evolving needs. It's a key pattern for building flexible and maintainable software.

Conclusion

This approach is flexible, scalable, and a great way to keep your database schema simple. Now that you know the basics, you can start applying this pattern to more complex problems in your own CakePHP applications!

Written by Arodriguez on September 24, 2025

2979 Views

Closing Advent Calendar 2024

This article is part of the CakeDC Advent Calendar 2024 (December 24th 2024) That’s a wrap on the CakeDC 2024 advent calendar blog series. Did you get to read all of them? Hopefully you obtained some useful information to use in your future baking. We would love to get your feedback, feel free to share! It is still hard to believe that 2024 is almost over, but we are looking forward to an extraordinary 2025. On behalf of CakeDC, we want to thank our team for all the hours of hard work they put in this year. Also, thank you to our clients for trusting us with your CakePHP projects, it is an absolute pleasure getting to work with each of you. We are thankful for the great relationships we have built, or carried on in the last 12 months. For our CakePHP community, especially the core team, please know how incredibly grateful we are for your support of the framework. There is a reason that Cake is still around after 20 years, and it’s great developers like you, who dedicate their time and efforts to keep the code going. THANK YOU, THANK YOU, THANK YOU. As far as what is to come for CakePHP in 2025, stay tuned. However, I am told that there are some top secret (not really, we are opensource after all) talks about CakePHP 6 happening. With the release of PHP 8.4, I am sure some awesome features will be implemented in Cake specifically. We will also be celebrating 20 years of CakePHP next year, can you believe it? CakeFest will be in honor of all core members past and present, and it may be a good time to introduce some new ones as well. If you are a core member (or former), we would love to have you attend the conference this year. The location will be announced soon. Interested in getting involved or joining the core team? You can find some helpful links here: https://cakephp.org/get-involved We hope you enjoyed our gift this year, it’s the least we could do. Wishing you a happy holiday season from our CakeDC family to yours. See you next year! … sorry, I had to do it. :) Also, here are some final words from our President: Larry Masters.

A Christmas Message to the CakePHP Community

As we gather with loved ones to celebrate the joy and hope of the Christmas season, I want to take a moment to reflect on the incredible journey we’ve shared this year as part of the CakePHP community. This is a special time of year when people around the world come together to celebrate love, grace, and the hope that light brings into the world. It’s also a time to give thanks for the connections that make our lives richer. The CakePHP framework has always been about more than just code, it’s about people. It’s the collective effort of contributors from around the world who believe in building something better, together. To everyone who has shared their expertise, contributed code, written documentation, tested features, or offered guidance to others, I want to express my deepest gratitude for your dedication and passion. As we approach 2025, it brings even greater meaning to reflect on how far we’ve come. Next year marks the 20th anniversary of CakePHP. From the first lines of code to the projects we support today, the journey has been nothing short of remarkable. As we look ahead to the new year, let us carry forward this spirit of generosity, collaboration, and unity. Together, we can continue to empower developers, build exceptional tools, and foster a community that is inclusive, welcoming, and supportive. On behalf of everyone at Cake Development Corporation, I wish you and your families a blessed Christmas filled with peace, joy, and love. May the new year bring us more opportunities to create, connect, and grow together. Thank you for being part of this journey. Merry Christmas and a very Happy New Year to everyone. With gratitude, Larry Masters This article is part of the CakeDC Advent Calendar 2024 (December 24th 2024)

Written by Amanda on December 24, 2024

We Bake with CakePHP