Cakephp html2pdf auth problem

Question

i am new with cake but i´ve somehow managed to get through so far. After i´ve figured out that html2pdf is a convienient way to produce pdf documents out of Cakephp, i´ve installed html2ps/pdf and after some minor problems it worked. So now i am coming now to the point that if i don´t modify my controllers beforeRender function like:

function beforeFilter() {
    parent::beforeFilter();
    $this->Auth->allow('download','view');
}

i just see my loginpage in the pdf i´ve created. Setting within my beforeRender function the $this->Auth->allow value opens obviously erveryone the way to get a perfect pdf without being authorized. The whole controller looks like this:

<?php 
class DashboardController extends AppController {

   var $name = 'Dashboard'; 
   var $uses = array('Aircrafts','Trainingplans',
                       'Fstds','Flights','Properties','Person');            

   function beforeFilter() {
     parent::beforeFilter();
     $this->Auth->allow('download','view');
   } 

   function view() {
      /* set layout for print */        
      $this->layout = 'pdf';        
      /* change layout for browser */
      if> (!isset($this->params['named']['print']))
      $this->layout = 'dashboard';
      /* aircrafts */
      $this->Aircrafts->recursive = 0;
      $aircrafts =$this->Aircrafts->find('all');
      $this->set('aircrafts',$aircrafts);

.... and so on....

      $this->set('person_properties',$person_properties);
  } 


   function download($id = null) {
      $download_link = 'dashboard/view/print:1';
      // Include Component
      App::import('Component', 'Pdf');
      // Make instance
      $Pdf = new PdfComponent();
      // Invoice name (output name)
      $Pdf->filename = 'dashboard-' . date("M"); 
      // You can use download or browser here
      $Pdf->output = 'download';
      $Pdf->init();
      // Render the view
      $Pdf->process(Router::url('/', true) . $download_link);
      $this->render(false);
   } 
}
?>

So in my opinion the $Pdf->process call get´s the data by calling more or less the view, but this process is not logged in, or in other words not authorized to get the data i want to render into the pdf. So the question is now how to get it done by not opening my application to everyone.

Best regards, cdjw

Answer 1

Edit:

You could do something like this:

 if($this->Session->check('Auth.User')) {
        // do your stuff
 } else {
        // do something else
 }

Answer 2

You could check for 2 things before rendering /view:

• a valid session (a user is logged in)
• a valid security token that you pass from your download action as a named parameter

For the security token, just make up a long random string.

As the PDF is rendered on the same server, the token will never be known in the open and provide sufficient security.

Hope this is a working idea for you.

Answer 3

I had this similar issue, and this is how I handled it... I first noticed that the process call of the PdfComponent was doing a request from the same server, so I tricked CakePHP on allowing the view only for requests being made from the server itself.. like this:

public function beforeFilter() {
    if ($this->request->params['action']=='view'&&$_SERVER['SERVER_ADDR']==$_SERVER['REMOTE_ADDR']) { // for PDF access
        $this->Auth->allow('view');
    }
}

Answer 4

You should put

$this->Auth->allow('download','view');

inside AppController. rather than place where are you using now.

function beforeFilter() {
    $this->Auth->allow('download','view');
    ....
}