Security issue in CakePHP code documentation

I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy to use and well document platform for PHP application. The key advantages for me are – transparent OR mapping, a strong Model View Controller framework, and tons of extra utilities that make your life better.

I have came across a possible security issue in one of cakePHP code examples. This section of code is responsible to authorize or un-authorize clients access to a certain action (MVC flow)

<?php
    function isAuthorized() {
        if ($this->action == 'delete') {
            if ($this->Auth->user('role') == 'admin') {
                return true;
            } else {
                return false;
            }
        }

        return true;
    }
?>

The major security rule this code is breaking is – never ever have 'return true' as a default for an authorization method.

read more