4

I have a CakePHP 3.6.13 project with the DebugKit (3.16.5) and Authorization (1.0.0) plugins enabled (and Authentication 1.0.1 plugin).

The DebugKit bar doesn't load in development, with the server returning: "The request to /debug-kit/toolbar/5b7dae82-9c94-48df-a16b-fbf13bd97045 did not apply any authorization checks." which makes sense, but how do I get requests to DebugKit to pass authorization without affecting authorization for the rest of the site?

Using the RequestPolicy example works for plugin === DebugKit requests, but then my public actions (defined with skipAuthorization) aren't authorized anymore or, more precisely, I don't know how to Authorize them.

Crifpe
  • 61
  • 5
  • One option might be to apply the middleware on routing scopes, or conditionally, similar to this: **https://stackoverflow.com/questions/47714940/cakephp-3-5-6-disable-csrf-middleware-for-controller/47718018#47718018**. – ndm Nov 08 '18 at 10:42
  • Conditionally adding the Authorization Middleware worked. Thank you! – Crifpe Nov 08 '18 at 14:56

3 Answers

3

Using CakePHP 4.1, adding the following config option to app_local.php will cause DebugKit to bypass policies and function normally:

    'DebugKit' => [
        'ignoreAuthorization' => true
    ],

2

As ndm suggested, I conditionally added the Authorization Middleware when the request was not for the DebugKit plugin. I added this to my Application.php middleware function:

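    // Imports needed at the top of src/Application.php
    use Authorization\Middleware\AuthorizationMiddleware;
    use Psr\Http\Message\ResponseInterface;
    use Psr\Http\Message\ServerRequestInterface;

    // Inside Application::middleware()
    $auth = new AuthorizationMiddleware($this);
    $middlewareQueue
        ->add(function (ServerRequestInterface $request, ResponseInterface $response, callable $next) use ($auth) {
            // Run authorization for everything except DebugKit requests
            if ($request->getParam('plugin') !== 'DebugKit') {
                return $auth($request, $response, $next);
            }

            return $next($request, $response);
        });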

Not sure if this is the recommended way, but it seems to be working.

Crifpe
  • 61
  • 5
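
An added example, not part of the original answers: the conditional bypass from the answer above, packaged as a middleware class and additionally gated on the `debug` setting so the exemption cannot take effect with debug mode off. The class name and namespace are hypothetical; it assumes CakePHP 3.6 double-pass middleware and that it is queued after the routing middleware.

```php
<?php
// Added example (not from the answers). Hypothetical file:
// src/Middleware/DebugKitAwareAuthorizationMiddleware.php
namespace App\Middleware;

use Authorization\Middleware\AuthorizationMiddleware;
use Cake\Core\Configure;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

class DebugKitAwareAuthorizationMiddleware // hypothetical class name
{
    /** @var \Authorization\Middleware\AuthorizationMiddleware */
    private $authorization;

    public function __construct(AuthorizationMiddleware $authorization)
    {
        $this->authorization = $authorization;
    }

    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
    {
        // Route params exist only after RoutingMiddleware has run, so this
        // middleware must be added after it in the queue.
        $isDebugKit = $request->getParam('plugin') === 'DebugKit';

        // Bypass only in development. The strict comparison means a missing
        // or non-boolean debug value never enables the exemption.
        if ($isDebugKit && Configure::read('debug') === true) {
            return $next($request, $response);
        }

        // Every other request goes through the normal authorization checks.
        $authorization = $this->authorization;

        return $authorization($request, $response, $next);
    }
}

// Usage in src/Application.php, inside middleware(), after the routing and
// authentication middleware:
// $middlewareQueue->add(
//     new DebugKitAwareAuthorizationMiddleware(new AuthorizationMiddleware($this))
// );
```
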
0

I am using CakePHP 4.3 and adding the following config, similar to what was suggested by user15008557, to app.php works for me. DebugKit can now bypass Authorization policies and function normally:

    'DebugKit' => [
        'ignoreAuthorization' => true
    ],

BlueM00n
  • 25
  • 8