From 5aeca30aeadd9c80485a0295138bff07cd93d9d1 Mon Sep 17 00:00:00 2001 From: kenjis Date: Wed, 14 Feb 2024 09:42:46 +0900 Subject: [PATCH] docs: improve descriptions for filters --- docs/quick_start_guide/using_session_auth.md | 8 +++++++- docs/references/controller_filters.md | 8 ++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/quick_start_guide/using_session_auth.md b/docs/quick_start_guide/using_session_auth.md index 94af696b6..211dc0e23 100644 --- a/docs/quick_start_guide/using_session_auth.md +++ b/docs/quick_start_guide/using_session_auth.md @@ -94,7 +94,13 @@ command. ## Protecting Pages -If you want to limit all routes (e.g. `localhost:8080/admin`, `localhost:8080/panel` and ...), you need to add the following code in the **app/Config/Filters.php** file. +By default, Shield does not protect pages. To make certain pages accessible only +to logged-in users, set the `session` +[controller filter](../references/controller_filters.md). + +For example, if you want to limit all routes (e.g. `localhost:8080/admin`, +`localhost:8080/panel` and ...), you need to add the following code in the +**app/Config/Filters.php** file. ```php public $globals = [ diff --git a/docs/references/controller_filters.md b/docs/references/controller_filters.md index 6afc8c4cd..5e9652ea4 100644 --- a/docs/references/controller_filters.md +++ b/docs/references/controller_filters.md 
@@ -27,11 +27,11 @@ $aliases = [ | Filters | Description | |-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| session | The `Session` authenticator. | -| tokens | The `AccessTokens` authenticator. | +| session | Restricts access to users who are not authenticated by the `Session` authenticator. | +| tokens | Restricts access to users who are not authenticated by the `AccessTokens` authenticator. | | chained | The filter will check authenticators in sequence to see if the user is logged in through either of authenticators, allowing a single API endpoint to work for both an SPA using session auth, and a mobile app using access tokens. | -| jwt | The `JWT` authenticator. See [JWT Authentication](../addons/jwt.md). | -| hmac | The `HMAC` authenticator. See [HMAC Authentication](../guides/api_hmac_keys.md). | +| jwt | Restricts access to users who are not authenticated by the `JWT` authenticator. See [JWT Authentication](../addons/jwt.md). | +| hmac | Restricts access to users who are not authenticated by the `HMAC` authenticator. See [HMAC Authentication](../guides/api_hmac_keys.md). | | auth-rates | Provides a good basis for rate limiting of auth-related routes. | | group | Checks if the user is in one of the groups passed in. | | permission | Checks if the user has the passed permissions. |
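Review bot: In the paragraphs added under `## Protecting Pages` in docs/quick_start_guide/using_session_auth.md, the first sentence talks about making "certain pages" accessible only to logged-in users, but the example that follows is introduced as limiting "all routes" and uses `public $globals`. State explicitly that the example is the global case, so a reader who only wants to protect some pages can tell it is not the selective setup the first sentence describes. The carried-over "(e.g. `localhost:8080/admin`, `localhost:8080/panel` and ...)" also combines "e.g." with a trailing "and ..."; drop the "and ...".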
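Review bot: In the `session`, `tokens`, `jwt` and `hmac` rows of the filters table in docs/references/controller_filters.md, "Restricts access to users who are not authenticated by ..." can be read two ways: as denying access to unauthenticated users (the intent), or as limiting access to only those users. In an access-control reference that ambiguity matters. Wording such as "Allows access only to users authenticated by the `Session` authenticator" or "Denies access to users who are not authenticated by ..." is unambiguous, and should be applied consistently to all four rows.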