Releases: dereuromark/cakephp-tinyauth
1.11.0
Improvements
- $this->Auth->deny() can now be used inside Controller::beforeFilter()
- Removed deprecations, CakePHP 3.7+ now
1.10.0
Improvements
hasAccess() so far only included ACL data. Those links and access checks are meant to be used for logged-in users.
It can now also include "allow" authentication-skipping data (publicly accessible actions) if includeAuthentication is set to true.
But this only checks/uses the INI config; it cannot work on controller authentication. So make sure you have fully moved everything to the INI file here. Any custom ->allow() call in controllers cannot be taken into account.
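One way to find the controller-level ->allow() calls that hasAccess() cannot see, so they can be moved into the INI file. This is an added example, not part of the plugin: the regex-based parsing, the function names and the sample controller are constructed, and it assumes the calls are written as $this->Auth->allow(...).

```python
import re
from pathlib import Path

# Assumption: controllers call $this->Auth->allow(...), as in stock CakePHP 3.
ALLOW_CALL = re.compile(r"->Auth->allow\s*\((.*?)\)", re.S)
QUOTED = re.compile(r"""['"](\w+)['"]""")
CLASS_NAME = re.compile(r"class\s+(\w+)Controller\b")

def strip_comments(php):
    """Approximate comment removal so commented-out calls are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", php)

def controller_allows(php):
    """Return (controller, actions). '*' = allow() with no arguments (every
    action public); '?' = non-literal argument that needs manual review."""
    src = strip_comments(php)
    match = CLASS_NAME.search(src)
    actions = set()
    for call in ALLOW_CALL.finditer(src):
        args = call.group(1).strip()
        literals = QUOTED.findall(args)
        actions.update(literals if literals else ["?" if args else "*"])
    return (match.group(1) if match else "?"), sorted(actions)

def scan(root):
    """Map controller name -> code-level public actions under a source tree."""
    report = {}
    for path in sorted(Path(root).rglob("*Controller.php")):
        name, actions = controller_allows(path.read_text(encoding="utf-8"))
        if actions:
            report[name] = actions
    return report

# Constructed sample controller, not taken from any real application.
SAMPLE = r"""<?php
class UsersController extends AppController {
    public function beforeFilter(Event $event) {
        parent::beforeFilter($event);
        // $this->Auth->allow('old');
        $this->Auth->allow(['login', 'register']);
        $this->Auth->allow($this->extraPublic);
    }
}
"""

if __name__ == "__main__":
    print(controller_allows(SAMPLE))
```

Every controller that scan() reports still has public actions defined in code, which an includeAuthentication check will treat as protected until they are listed in the INI file.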
For this to work some of the (wrongly shared) configs had to be changed (while trying to keep BC):
ACL config:
- cacheKey is now aclCacheKey
- file is now aclFile
- filePath is now aclFilePath
Authentication config:
- cacheKey is now allowCacheKey
- file is now allowFile
- filePath is now allowFilePath
If you didn't modify any, you are BC here for sure.
If you used online runtime config on the classes (instead of Configure), you will also be fine.
Only if you used Configure (which technically was a bit wrong since they might affect both types due to the same key) you might have to do a small migration here.
1.9.0
Improvements
Added convenience CLI command (CakePHP 3.6+) to sync ACL for any new controller.
It will automatically skip controllers that are whitelisted as public (non authenticated).
In a future version this could also be broken down to action level.
Allow for custom AclAdapters to provide the ACL data array for Authorization.
1.8.0
Included commits: 1.7.0...1.8.0
Improvements
CakePHP 3.6 support.
This also sets 3.5 as minimum requirement now.
It can, however, still be necessary to set your error level to E_ALL & ~E_USER_DEPRECATED in your app.php config.
1.7.0
New requirements
Using CakePHP 3.4+ now as well as PHP 5.6+.
Improvements
- Cleanup of API, no usage of deprecated methods.
- PHPStan 0.9 level 6 support.
- Prefer Lowest Comp. Check on Travis.
- PHP 7.2 check on Travis.
Small fix
Fix super admin role allow in case of string/int mismatch.
Resolve performance issues on loops
The DB was queried on each call of hasAccess() for multi role setup.
This is now fixed with an internal cache map per user ID per request.
Fix auth allow callback
Before, with some auth setups it was possible that the auth allow INI file was not read in time.
This is now fixed.
Small fixes
A wrong exception has been removed.
In some cases the user might not yet have a role, and this is now fine.
Include Authorization tools
Features
A new AuthUserComponent and AuthUserHelper are now built in, allowing for authorization and role checks.
The helper also allows for dynamic ACL links, which can either be completely invisible when there is no access, or just display their text without being clickable.
It also allows just checking certain URLs and, based on that, deciding manually how to proceed.
This makes it possible to use inside dynamically rendered menus (like a NavigationHelper) to output role based navigation structures.
Finally, both the acl.ini and auth_allow.ini files can be split across multiple paths (e.g. plugins) and will then be merged together. The speed of the application is not affected, of course, since all of this happens behind the cache.
Removed deprecations
The aclPath option has been removed. Please make sure you are using filePath before upgrading.
The constants have been deprecated and are now removed.