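[
    'actions' => [
        'index' => 'Crud.Index',
        'add' => 'Crud.Add',
        'edit' => 'Crud.Edit',
        'view' => 'Crud.View',
        'keyvalue' => 'Crud.List',
        'category' => 'Crud.Category'
    ],
    'listeners' => ['Api', 'ApiTransformation']
#],
#'DebugKit.Toolbar' => [
#    'bootstrap' => true, 'routes' => true
]
];

    // Global beforeFilter: runs before every API action.
    //
    // API access control is driven entirely by the web UI's session:
    // ZoneMinder stores the logged-in user under the 'user' session key, so a
    // request counts as authenticated when 'user.Username' is present and
    // 'user.Enabled' is truthy. No credentials are verified in this method.
    //
    // Two gates, both fail closed by throwing UnauthorizedException:
    //   1. ZM_OPT_USE_API must be exactly '1' in the Config table; otherwise
    //      every request, including login/logout, is rejected.
    //   2. Every action other than login/logout requires an enabled session
    //      user.
    //
    // NOTE(review): the original comment referred to ZM_OPT_USE_AUTH, but only
    // ZM_OPT_USE_API is read here — nothing in this method changes behaviour
    // based on ZM_OPT_USE_AUTH. Role-based restrictions are not implemented
    // either; this is where they would be added.
    public function beforeFilter() {
        $this->loadModel('Config');
        $options = [
            'conditions' => [
                'Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_API'
            ]
        ];
        $config = $this->Config->find('first', $options);

        // find('first') returns false when no row matches. Treat a missing or
        // unreadable setting as "API disabled" explicitly, instead of reading
        // an undefined index and relying on null != '1'. The comparison is
        // exact: loosely-equal values such as '01' or '1.0' do not enable the
        // API.
        $zmOptApi = isset($config['Config']['Value']) ? $config['Config']['Value'] : null;
        if ( (string) $zmOptApi !== '1' ) {
            throw new UnauthorizedException(__('API Disabled'));
        }

        // Expose the session user to legacy code that reads the global;
        // this is null when nobody is logged in.
        global $user;
        $user = $this->Session->read('user');

        // login and logout are the only actions reachable without a session
        // user (compared case-insensitively).
        $action = $this->params->action;
        $isAuthAction = strcasecmp($action, 'login') === 0
            || strcasecmp($action, 'logout') === 0;
        if ( $isAuthAction ) {
            return;
        }

        if ( !$this->Session->read('user.Username') ) {
            throw new UnauthorizedException(__('Not Authenticated'));
        }
        if ( !$this->Session->read('user.Enabled') ) {
            throw new UnauthorizedException(__('User is not enabled'));
        }
    } // end function beforeFilter()
}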