CakeDC Blog

TIPS, INSIGHTS AND THE LATEST FROM THE EXPERTS BEHIND CAKEPHP

Building an RBAC based application in CakePHP (1/2)

Written by Jorge on October 09, 2017
19269 VIEWS

This is the first post of a small series covering how to setup, organize and implement an RBAC based authorization system in CakePHP using the CakeDC/Auth Plugin. We'll cover the basic concepts, setup and implementation of the basic permission rules in part 1.

What does RBAC mean in this context?

We'll use RBAC as "Role Base Access Control", meaning your app will be using the following concepts to define who can access what:

  • "Who" is an existing user, mainly identified as his role in the system, such as an "admin" or "writer", etc.
  • "What" is a specific action in your application, identified as the associated routing params, for example ['controller' => 'Posts', 'action' => 'add'].
  • A permission in this context would be a link between who, and what.

Why not ACL?

ACL is a really good choice when your answer is 'yes' to any of the following questions:

  • Do we need to let users create new roles on the fly?
  • Do we need the roles to inherit permissions (tree structure)?
  • Do we need to assign permissions NOT based on controller actions? For example CRUD based permissions, checked on the model layer for each operation on a given row.

If your answer is yes, you should consider using cakephp/acl. It provides a very powerful, reliable and flexible way to configure your permissions, but with greater power comes a bigger maintenance burden, that is keeping the acl data in your tables. Specially if you have several environments to maintain, you'll need to write migrations to populate your acl tables, then create import/export scripts and utilities to reproduce permission issues from live environments, and so on. Not an impossible task, but could increase the complexity of your project in a significant way...

Setting up CakeDC/Auth

There are other plugins you could use, but this one will cover everything you'll need, so let's go.

CakeDC/Auth usually comes installed from within CakeDC/Users (a complete solution covering many more features) but today we'll set it up alone.

composer require cakedc/auth

bin/cake plugin load CakeDC/Auth

And last, but not least, add the RBAC Auth to the list of Authorize objects. Here is a working configuration based on the blog tutorial.

We'll be using the blog tutorial described in the book as an example application Change AppController.php Auth related configuration to:

$this->loadComponent('Auth', [
    'authorize' => ['CakeDC/Auth.SimpleRbac'],
    'loginRedirect' => [
        'controller' => 'Articles',
        'action' => 'index'
    ],
    'logoutRedirect' => [
        'controller' => 'Pages',
        'action' => 'display',
        'home'
    ]
]);

With this change, we'll be using only the rules defined in config/permissions.php file. If this file is not present, default permissions will be in place. Default permissions will grant access to admin role to all actions. To override permissions, you can copy the default permissions to your project and fix the rules:

cp vendor/cakedc/auth/config/permissions.php config/

Then edit this file and check the provided examples and defaults.

Using CakeDC/Auth

The core of the RBAC system is the ability to define permission rules that will match one given role with the actions granted. Rules are defined in an array, but you can extend the AbstractProvider class to retrieve the rules from somewhere else (database?). By default, nothing will be granted. Rules are evaluated top to bottom. The first rule matched will stop the evaluation, and the authentication result will be provided by the value of the allowed key. Note we can use a callback to implement complex rules, or encapsulate the rules into classes that we could reuse across projects, like the Owner rule class provided.

This is an example rule

[
    'role' => '*',
    'plugin' => 'CakeDC/Users',
    'controller' => 'Users',
    'action' => ['profile', 'logout'],
],

We could read this rule as follows: "For any role, we grant access to actions 'profile' and 'logout' in the Users controller in plugin CakeDC/Users". Note default allowed value is true, we can use an array, or a string to determine the role, plugin, controller and action. We can also use * in the value to match anything or use * at the start of the key to match anything but the values, for example

'*controller' => 'Users',

would match all the controllers but 'Users'.

Simple Rules

As our first objective, we are going to grant access to all the index and view pages, using the rule

[
    'role' => '*',
    'controller' => '*',
    'action' => ['index', 'view'],
],

Stay tuned for the second post, where we'll deal with complex rules, rule classes and implementation tips for complex applications...

Latest articles

37 Views

QA vs. Devs: a MEME tale of the IT environment

QA testing requires knowledge in computer science but still many devs think of us like  homer-simpson-meme   BUT... morpheus-meme   It is not like we want to detroy what you have created but... house-on-fire-meme   And we have to report it, it is our job... tom-and-jerry-meme   It is not like we think dev-vs-qa   I mean cat-meme   Plaeas do not consider us a thread :) willy-wonka-meme 0/0/0000 reaction-to-a-bug   Sometimes we are kind of lost seeing the application... futurama-meme   And sometimes your don't believe the crazy results we get... ironman-meme   I know you think aliens-meme   But remmember we are here to help xD the-office-meme   Happy Holidays to ya'll folks! the-wolf-of-wallstreet-meme   PS. Enjoy some more memes   feature-vs-user   hide-the-pain-harold-meme   idea-for-qa   peter-parker-meme   meme   dev-estimating-time-vs-pm    

Written by Rcardoso on December 17, 2025

38 Views

The Inflector (Or why CakePHP speaks better English than me)

This article is part of the CakeDC Advent Calendar 2025 (December 18th 2025) I have been working with CakePHP for more than 15 years now. I love the conventions. I also love that I don't have to configure every single XML file, like in the old Java days. But let's be honest: as a Spanish native speaker, naming things in English can sometimes be a nightmare. In Spanish, life is simple. You have a Casa (house), you add an "s", you have Casas (houses). You have a Camión (truck), you add "es", you have Camiones (trucks). Logic! But in English? You have a mouse, and suddenly you have mice. You have a person, and it becomes people. You have a woman and it becomes women. This is why the Inflector class is not just a utility for me. It is my personal English teacher living inside the /vendor folder.

It covers my back

When I started with CakePHP 15 years ago, I was always scared to name a database table categories. I was 100% sure that I would break the framework because I would name the model Categorys or something wrong. But! CakePHP knows better. It knows irregular verbs and weird nouns better than I do. use Cake\\Utility\\Inflector; // The stuff I usually get right echo Inflector::pluralize('User'); // Users // The stuff I would definitely get wrong without coffee echo Inflector::pluralize('Person'); // People echo Inflector::pluralize('Child'); // Children

Variable Naming (CamelCase vs underscore)

The other battle I have fought for 15 years is the variable naming convention. Is it camelCase? Is it PascalCase? Is it underscore_case? My brain thinks in Spanish, translates to English, and then tries to apply PSR-12 standards. It is a lot of processing power. Fortunately, when I am building dynamic tools, I just let the Inflector handle the formatting: // Converting my database column to a nice label echo Inflector::humanize('published_date'); // Output: Published Date // Converting a string to a valid variable name echo Inflector::variable('My Client ID'); // Output: myClientId

When Spanglish happens

Of course, after so many years, sometimes a Spanish word slips into the database schema. It happens to the best of us. If I create a table called alumnos (students), CakePHP tries its best, but it assumes it is English.
Inflector::singularize('alumnos') -> Alumno (It actually works! Lucky.)
But sometimes it fails funny. If I have a Jamon (Ham), Cake thinks the plural is Jamons. So, for those rare moments where my English fails, I can teach the Inflector a bit of Spanish in bootstrap.php: Inflector::rules('plural', \[ '/on$/i' \=\> 'ones' // Fixing words ending in 'on' like Cajon, Jamon... \]);

Conclusion

We talk a lot about the ORM, Dependency Injection, and Plugins. Today however, I wanted to say "Gracias" to the humble Inflector. It has saved me from typos and grammar mistakes since 2008. Challenge for today: Go check your code. Are you manually formatting strings? Stop working so hard and let the Inflector do it for you. This article is part of the CakeDC Advent Calendar 2025 (December 18th 2025)

Written by Ajibarra on December 16, 2025

51 Views

Uploading Files with CakePHP and Uppy directly to Amazon S3

Uploading Files with CakePHP and Uppy: Direct to S3

Modern web applications increasingly require fast, resilient, and user‑friendly file uploads. Whether it’s profile photos, documents, or large media files, users expect progress indicators, drag‑and‑drop, and reliable uploads even on unstable connections. In this article, we’ll look at how to combine CakePHP on the backend with Uppy on the frontend, and how to upload files directly to Amazon S3 using signed requests.

Why Uppy for Direct S3 Uploads??

Uppy is a modular JavaScript file uploader built by the team behind Transloadit. It provides a polished upload experience out of the box and integrates well with modern backends.

Key advantages

  • Direct-to-Cloud Uploads: File data flows directly from the user's browser to the S3 bucket, without passing through your CakePHP server.
    • Lower Server Load and Cost: Your server only generates a short-lived, secure pre-signed URL. The actual file transfer avoids the “double handling,” drastically reducing your application's bandwidth consumption and infrastructure footprint.
    • Better Performance: By eliminating your application server as a middleman, uploads complete faster. Uppy can also utilize S3's multipart upload capabilities for improved throughput and reliability for large files.
  • Excellent UX: Drag-and-drop support, progress bars, previews, and retry support.
  • Modular Architecture: Only load the necessary plugins.
  • Framework‑agnostic: Works seamlessly with CakePHP.

Architecture Overview

  • This scalable and production-friendly approach uses the following flow:
  • The browser initializes Uppy.
  • CakePHP provides temporary S3 credentials or signed URLs (Authorization).
  • Uppy uploads files directly to S3 (Data Transfer).
  • CakePHP stores metadata (filename, path, size, etc.) if needed (Database Record).

Architecture Overview

This scalable and production-friendly approach uses the following flow:
  1. The browser initializes Uppy
  2. CakePHP provides temporary S3 credentials or signed URLs (Authorization)
  3. Uppy uploads files directly to S3 (Data Transfer).
  4. CakePHP stores metadata (filename, path, size, etc.) if needed (Database Record).

Prerequisites

  • CakePHP 5.x (or 4.x with minor adjustments)
  • AWS account with an S3 bucket
  • AWS SDK for PHP
  • A modern browser to use Uppy's MJS modules

Installing Dependencies

Backend (CakePHP)

Install the required AWS SDK for PHP via Composer: composer require aws/aws-sdk-php Configure your AWS credentials (environment variables recommended): AWS_ACCESS_KEY_ID=your-key AWS_SECRET_ACCESS_KEY=your-secret AWS_REGION=eu-west-1 AWS_BUCKET=your-bucket-name

Frontend (Uppy)

Instead of a build step, we will use Uppy's modular JS files directly from a Content Delivery Network (CDN), which is simpler for many CakePHP applications. We will load the required modules—Uppy, Dashboard, and AwsS3—directly within the <script type="module"> tag in your view.

Creating the CakePHP Endpoint

We need a CakePHP endpoint to securely generate and return the necessary S3 upload parameters (the pre-signed URL) to the browser.

Controller

// src/Controller/UploadsController.php namespace App\Controller; use Aws\S3\S3Client; use Cake\Http\Exception\UnauthorizedException; class UploadsController extends AppController { public function sign() { $this->getRequest()->allowMethod(['post']); // 1. Initialize S3 Client using credentials from environment $s3Client = new S3Client([ 'version' => 'latest', 'region' => env('AWS_REGION'), 'credentials' => [ 'key' => env('AWS_ACCESS_KEY_ID'), 'secret' => env('AWS_SECRET_ACCESS_KEY'), ], ]); // Define a unique path with a placeholder for the actual filename $path = 'uploads/' . uniqid() . '/${filename}'; // 2. Create the command for a PutObject request $command = $s3->getCommand('PutObject', [ 'Bucket' => env('AWS_BUCKET');, 'Key' => $path, 'ACL' => 'private', 'ContentType' => '${contentType}', ]); // 3. Generate the pre-signed URL (valid for 15 minutes) $presignedRequest = $s3->createPresignedRequest($command, '+15 minutes'); $this->set([ 'method' => 'PUT', 'url' => (string)$presignedRequest->getUri(), '_serialize' => ['method', 'url'], ]); } } Add a route: // config/routes.php $routes->post('/uploads/s3-sign', ['controller' => 'Uploads', 'action' => 'sign']);

Frontend: Initializing Uppy and the S3 Plugin

Place the following code in your CakePHP view along with the HTML container for the uploader: <div id="uploader"></div> <script type="module"> // Load Uppy modules directly from CDN (v5.2.1 example) import { Uppy, Dashboard, AwsS3 } from 'https://releases.transloadit.com/uppy/v5.2.1/uppy.min.mjs' const uppy = new Uppy({ autoProceed: false, restrictions: { maxNumberOfFiles: 5, allowedFileTypes: ['image/*', 'application/pdf'], }, }) uppy.use(Dashboard, { inline: true, target: '#uploader', }) // Configure the AwsS3 plugin to fetch parameters from the CakePHP endpoint uppy.use(AwsS3, { async getUploadParameters(file) { const response = await fetch('/uploads/s3-sign', { method: 'POST', headers: { 'Content-Type': 'application/json', }, }) const data = await response.json() // 2. Return the parameters Uppy needs for the direct upload return { method: data.method, url: data.url, headers: { 'Content-Type': file.type, }, } }, }) uppy.on('complete', (result) => { console.log('Upload complete:', result.successful) }) </script>

Storing File Metadata (Optional but Recommended)

Once the direct S3 upload is successful, you must notify your CakePHP application to save the file's metadata (e.g., the S3 key) in your database. uppy.on('upload-success', (file, response) => { fetch('/files/save', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ name: file.name, size: file.size, type: file.type, s3_key: response.uploadURL, }), }) })

Security Considerations

Remember to implement robust security checks in your sign controller action:
  • Authenticate users: Ensure the user is logged in and authorized before issuing S3 parameters.
  • Restrict Input: Restrict allowed MIME types and maximum file size.
  • Access Control: Use private S3 buckets and serve files via signed URLs to maintain security.
  • Time Limit: Set short expiration times for the pre-signed requests (e.g., the +15 minutes in the example).

Conclusion

Combining CakePHP and Uppy gives you the best of both worlds: a robust PHP backend and a modern, user‑friendly upload experience. By uploading directly to Amazon S3, you reduce server load, successfully reduce server load, improve scalability, and ensure reliable, fast large file uploads. This setup allows your backend to focus on validation, authorization, and business logic rather than raw data transfer.

Written by Areveron on December 15, 2025

We Bake with CakePHP