FriendsOfCake / search

CakePHP: Easy model searching


Search is throwing AuthorizationRequiredException

davidspeijer opened this issue · comments

commented

I'm experiencing the same issues as in #258.

My function in the controller:

public function index() {
    $this->paginate = [
        'contain' => [
            'Companies',
            'ShippingBarcodes' => ['sort' => ['ShippingBarcodes.id' => 'DESC']]
        ],
        'order' => ['Orders.id' => 'DESC']
    ];
    
    $orders = $this->Orders->find('search', ['search' => $this->request->getQueryParams()]);
    $this->Authorization->authorize($orders);
    $orders = $this->paginate($orders);

    $companies = $this->Orders->Companies->find('list')->where(['Companies.published' => true])->order(['Companies.name' => 'ASC']);
    $statuses = Order::status();

    $this->set(compact('orders','companies','statuses'));
}

This is loading the page as expected. The problem occurs once I try to filter the results. The POST results in a status 500:

The request to /orders/index did not apply any authorization checks.

Adding a skipAuth is not solving the problem:

public function index() {
    $this->Authorization->skipAuthorization();

    $this->paginate = [
        'contain' => [
            'Companies',
            'ShippingBarcodes' => ['sort' => ['ShippingBarcodes.id' => 'DESC']]
        ],
        'order' => ['Orders.id' => 'DESC']
    ];
    .........
}

As suggested in #258, I tried to catch the problem in beforeFilter():

public function beforeFilter(\Cake\Event\EventInterface $event)
{
    parent::beforeFilter($event);
    if ($this->request->getParam('action') == 'index' && $this->Authentication->getIdentity()->get('role') == 'admin') {
        $this->Authorization->skipAuthorization();
    }
}

This is "solving" the issue as a workaround.

However, this is not how I expect it to work, as I assume that the $this->Authorization->skipAuthorization() or $this->Authorization->authorize($orders) in the index method should have applied the auth check even with the redirect?

How is this related to this plugin?
It seems this is a side effect here, and the actual issue comes from another plugin and code.

commented

Skipping authorization for your method in initialize() or beforeFilter() is the correct way, not a work around.
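A narrower form of that beforeFilter, added here as an illustration and not code from the plugin or from the reporter: it exempts only the POST that the search plugin turns into a redirect (assumed to happen in the component's startup step, before the action body runs), so the GET that follows the redirect still reaches the authorize($orders) call inside index(). The controller and action names are the ones from the issue.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Event\EventInterface;

class OrdersController extends AppController
{
    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        // Assumption: the search plugin's PRG component converts a POST to
        // index into a GET redirect during Controller.startup, before the
        // action body runs, so the authorize() call inside index() never
        // executes on that request and the Authorization plugin reports
        // that no check was applied.
        //
        // Only that POST leg is exempted. The redirected GET still runs
        // index(), where $this->Authorization->authorize($orders) gates
        // the data as usual.
        if ($this->request->getParam('action') === 'index' && $this->request->is('post')) {
            $this->Authorization->skipAuthorization();
        }
    }
}
```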