Access control for static pages in CakePHP

CakePHP provides very powerful access control components; AuthComponent and AclComponent. In the beginning I struggled with redirect loops and access limitations to static pages like “About us” and “Help”. Then I made the following notes.

Static pages including ‘HOME’ are generated through PagesController

The top page of the cakephp is displayed without preparing a new controller and a new view after just set up. pages_controller.php (PagesController class) and home.ctp, which are provided in CakePHP’s core part by default. Generally, only view files (*.ctp) are required to be created in order to add static contents like “About us” and “Help”, and then, PagesController class is called to display the created ctp files.

What’s to be noted is that the access permission to PagesController is important to avoid redirect loops caused by Auth/AclComponent’s auto-redirection.

Plan #1: NO authorization is needed for all static pages

I think that most static contents are meant for all users regardless of their login status. If you are sure all static pages in your system need no authorization, just add the following code to app_controller::beforeFilter method.

$this->Auth->allow(array('controller' => 'pages', 'action' => 'display'));

Then, all static pages defined each ctp file are accessible for not logged in users as well as logged in users.

Plan #2: Only particular static pages need no authorization

To make particular static pages need no authorization, allow method is used in app_controller:beforeFilter, similarly. For example, if you want to show “HOME” and “About us” to anybody, add some codes like this. (Assuming that the view is provided by the file of views/aboutus.ctp)

// HOME and About us are accessible for anyone
$this->Auth->allow(array('controller' => 'pages', 'action' => 'display', 'home'));
$this->Auth->allow(array('controller' => 'pages', 'action' => 'display', 'aboutus'));

Plan #3: Only specified group has permission to access static pages

This plan requires to allow to access “HOME” in the way of Plan 2, or a redirect loop occur at a permission error.

You can allow specified groups or users to access all static pages by Inserting the controller for the static pages to ACL’s permission setting table. Let’s use cake command.


  • root/controllers is created as ACO
  • a specified group “Groups/Group.1” is created as ARO

1. Create PagesController::display as ACO
[cakephp installed dir]/cake/console/cake acl create aco  controllers Pages
[cakephp installed dir]/cake/console/cake acl create aco  controllers/Pages display

2. Grant Group.1 permission to access all static pages
[cakephp installed dir]/cake/console/cake acl grant Group.1 controllers/Pages/display all

Plan #4: Defining which group has permission for which static content.

ACL supports to control which group has permission for which controller’s which action, but that seems not to be able to specify parameters like “home” or “aboutus”, which are given to PagesController::display.

If you need to set up in more detail, you should get a group_id related to a user and call allow method in if statement by the group_id in AppController::beforeFilter(). Or adding new actions (= methods) to controllers and calling redirect to PagesController::display($param-for-each-view) probably makes it possible to control permission for each page in ACL’s permission table.