Releases: dereuromark/cakephp-tinyauth
Releases · dereuromark/cakephp-tinyauth
Release list
3.2.2
Fixes
- Keep wildcard-public controllers public for unknown actions (#173). With a
*allow rule, an action that does not exist as a controller method is no longer treated as protected; unauthenticated users now get theMissingActionException(404) instead of a login redirect. Explicit denies still take precedence. - Fix
isPublic()plugin/prefix scope leak: a plugin-scoped or prefix-scoped allow rule no longer matches a request that has no plugin/prefix. - Fix
hasRole()type juggling: role lookup compares strictly after string coercion, so0no longer matches a non-numeric role string while numeric-string vs int equivalence is preserved.
Note:
3.2.1was retracted. It was accidentally tagged on the CakePHP 3 (cake3) branch and was not installable on the 3.x (CakePHP 4) line. This3.2.2release supersedes it and ships the same fixes built fromcake4. See #177.
Full Changelog: 3.2.0...3.2.2
5.3.1
Fixes
- Wildcard-public controllers (
Controller = *inauth_allow.ini) now stay public for actions that do not exist. Previously an unknown action on a fully public controller redirected unauthenticated users to the login page instead of returning a 404 (MissingActionException). Explicit denies are still honored.
Full Changelog: 5.3.0...5.3.1
5.3.0
Fixes
- Apply the configured
cachePrefixto the ACL/Allow cache keys — two TinyAuth installs sharing a CakePHP cache pool previously collided on the bareacl/allowkeys, so multi-tenant or test setups could read another install's permission data. Keys are now namespaced (tiny_auth_acl/tiny_auth_allowby default); existing bare-key caches go cold once and repopulate (#169) - Fix route-slot matching swallowing falsy plugin/prefix values —
_isPublic/_getAllowRulemixedisset()with!empty(), comparing falsy slots like'0'or an empty string inconsistently between request and rule. Matching now treats null and empty string as the "no plugin / no prefix" sentinel and requires an exact match otherwise (#169)
Improvements
- Allow cakephp/authentication v4 — the plugin now supports authentication v3 and v4 (#171)
Full Changelog: 5.2.0...5.3.0
5.2.0
Fixes
- Use plugin-specific i18n domain for translations — strings now live under the
tinyauthdomain instead of leaking into the host app'sdefaultdomain (#166)
Improvements
- Add PHP adapter for ACL and Allow config —
PhpAclAdapter/PhpAllowAdapterwork alongside the existing INI adapters, with sharedAbstractAclAdapter/AbstractAllowAdapterbase classes for custom backends (#168)
Full Changelog: 5.1.4...5.2.0
5.1.4
Fixes
- Fix
isPublicplugin/prefix scope leak so plugin- or prefix-scoped allow rules no longer match unscoped requests (#165) - Fix
hasRole()type juggling that allowed loose matches between0and non-numeric strings, and rejected non-scalar input (#165)
Full Changelog: 5.1.3...5.1.4
5.1.3
Improvements
- Add
roleIdColumnconfig option for UUID-based role systems (#163)
Full Changelog: 5.1.2...5.1.3
5.1.2
5.1.1
5.1.0
Improvements
Allow grouping of commands now:
tiny_auth:
tiny_auth add
tiny_auth sync
Full Changelog: 5.0.0...5.1.0
5.0.0
Improvements
Removed all old Cake (v3) legacy code and Auth component.
It now uses only the 2 new plugins and further extends and improves those in usability.
The docs have been simplified.