Tags: dereuromark/cakephp-tinyauth
Tags
Keep wildcard-public controllers public for unknown actions (#174) A `*` allow rule is expanded to the controller's concrete method list via get_class_methods() so it can be handed to the Authentication plugin, which has no wildcard support. An action that does not exist as a method was therefore dropped from the unauthenticated set, so unauthenticated users hit the identity check and got redirected to login instead of receiving the MissingActionException (404) the missing action should produce. Keep the current request action in the unauthenticated set under a wildcard allow so unknown actions fall through to MissingActionException, matching the old AuthComponent behavior. Explicit denies still take precedence.
Allow authentication v4 (#171) * Allow authentication v4 * Fix authentication v4 static analysis * Support authentication v3 and v4 tests * Use direct identifier instances in tests * Rename test property to singular identifier The PrimaryKeySessionAuthenticator test now holds a single IdentifierInterface instance, so rename the misleading plural property to a singular name.
Add PHP adapter for ACL and Allow config (#168) * Add PHP and YAML adapters for ACL and Allow config Introduces AbstractAclAdapter and AbstractAllowAdapter holding the section-processing logic shared across all adapters. INI adapters now extend the base classes; new PhpAclAdapter, PhpAllowAdapter, YamlAclAdapter and YamlAllowAdapter only implement the file parsing step. YAML adapters require symfony/yaml, declared as a suggest dependency and used for tests via require-dev. * Note PHP and YAML built-ins in custom-adapters guide Master's new VitePress docs introduced a custom-adapters page that described tinyauth as having only INI-based stores. Update the intro to point at the now-three built-in formats so readers don't reach for a custom adapter when they just want a different file format. * Showcase lenient YAML quoting in test fixtures Strip defensive quotes from comma-separated role/action lists where YAML's block-scalar rules tolerate them, and drop the unnecessary quotes around comma-bearing keys like 'edit,view' and 'view, edit'. Add header comments explaining when quoting IS required (only when a value/key starts with a YAML reserved character: *, !, &, >, |, etc.) so future readers don't reach for quotes by reflex. Tests still pass — the parsed structure is unchanged, only the on-disk shape is more idiomatic. * Widen symfony/yaml constraint to allow v8 Composer can pick the highest version compatible with the host PHP: v6.4 (PHP 8.1+), v7.x (PHP 8.2+) or v8.x (PHP 8.4+). Tinyauth's PHP floor is 8.2, so v8 is reachable for users on PHP 8.4+ without breaking the prefer-lowest path on 8.2/8.3. * Drop YAML adapter, ship PHP-only alongside INI YAML treats `*` and `!` as reserved metasyntax (alias reference and tag), but those are exactly the characters TinyAuth's ACL grammar uses most: `*` for "all actions/roles" and `!action` / `!role` for negation. Every realistic YAML auth_acl.yml/auth_allow.yml ends up sprinkled with quoted keys, which is the opposite of "human-friendly" — and a fixture that needs a legend explaining what to quote is the wrong format for this domain. PHP arrays don't have this problem: `*` and `!index` are just strings, no escaping ceremony, IDE-friendly, no extra dependency. INI stays the zero-dependency default. The AbstractAclAdapter / AbstractAllowAdapter base classes from this PR are kept — INI and PHP both inherit from them, and a third-party YAML (or any other format) adapter is now ~30 lines for whoever wants it.
Fix isPublic plugin/prefix scope leak and hasRole type juggling (#165) AclTrait::_isPublic() (src/Auth/AclTrait.php:317) used asymmetric guards that short-circuited to false when the request had no plugin or prefix, so a plugin-scoped or prefix-scoped allow rule would match a request without one. Mirror the symmetric check from AllowTrait::_getAllowRule() so a rule is skipped whenever either side has a scope and they do not match. AuthUserTrait::hasRole() (src/Auth/AuthUserTrait.php:122) used a loose in_array() that matched 0 against any non-numeric string and treated auto-int array keys as alias matches. Coerce both sides to string and compare strictly while still treating numeric-string and int as the same role id; only string array keys count as alias matches. Reject non-scalar inputs early. Adds regression tests for both code paths.
Add roleIdColumn config for UUID-based role systems (#163) * Add roleIdColumn config for UUID-based role systems When using UUIDs as role identifiers instead of integer IDs, the hardcoded 'id' column in _getRolesFromDb() prevented proper role lookups from the database. This adds a new 'roleIdColumn' config option (defaults to 'id') that allows specifying the column used as the role identifier when reading roles from the database table. Example for UUID-based systems: ```php 'TinyAuth' => [ 'roleColumn' => 'Role.uuid', 'roleIdColumn' => 'uuid', 'aliasColumn' => 'slug', ] ``` * Fix PHPStan: update type annotations for UUID support * Fix remaining PHPStan type annotations
Fix null array offset deprecation in PHP 8.5 (#162) * Fix null array offset deprecation in PHP 8.5 Add early return when iniKey is null to avoid using null as array index. * Fix PHPStan error with nullable return type Update _constructIniKey to properly return null when controller is not set
Fix AuthPanel serialization issue with PDO objects The identity object and authentication providers contained references to PDO connections which cannot be serialized. This caused DebugKit to fail when viewing the Auth panel. Changes: - Store identity->getOriginalData() instead of the raw Identity object - Store provider class names as strings instead of provider objects - Update template to work with the new data structure
PreviousNext