The Registry Authnz (authentication and authorization) process starts in RegistryAuthComponent, which registers a beforeFilter callback that runs on every request.

API Users are bound to specific COs. For UI logins, the authenticated identifier is mapped to Identifiers attached to Person records that are flagged for login. A given identifier may be valid in more than one CO.

Authorization is performed in RegistryAuthComponent based on the rules established within each table. Each table sets an array of permissions using PermissionsTrait::setPermissions, either directly as an array or as a closure that returns an array. The array has two required keys, entity and table, and one optional key, related.

entity and table are each a hash whose keys are actions that operate on entities (i.e., actions requiring an $id) or on tables, respectively. Each value is either false, indicating that the action is never permitted regardless of role, or an array of roles representing who is authorized to perform the action. Defined roles are

related, if provided, is an array (list) of models whose permissions are required, typically for table views to render related actions.

When a closure is provided, the expected function signature of the closure is

function (\Cake\Http\ServerRequest $r, \App\Controller\Component\RegistryAuthComponent $auth, ?int $id): array
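As an added illustration (not code from the Registry project itself), the following table class shows both forms of PermissionsTrait::setPermissions described above: a static array, and a closure with the signature just given that uses $id to tighten an entity action. The table name (WidgetsTable), the role names ('platformAdmin', 'coAdmin'), the trait namespace, the related model ('Cos') and the `system` column consulted in the closure are all assumptions made for this example; substitute the roles and models defined in your deployment.

```php
<?php
declare(strict_types=1);

namespace App\Model\Table;

use App\Controller\Component\RegistryAuthComponent;
use App\Lib\Traits\PermissionsTrait;   // assumed namespace for the trait
use Cake\Http\ServerRequest;
use Cake\ORM\Table;

/**
 * Example table using the static (array) form. Role names are assumptions.
 */
class WidgetsTable extends Table
{
    use PermissionsTrait;

    public function initialize(array $config): void
    {
        parent::initialize($config);

        $this->setPermissions([
            // Actions that require an $id (operate on one record).
            'entity' => [
                'delete' => ['platformAdmin', 'coAdmin'],
                'edit'   => ['platformAdmin', 'coAdmin'],
                'view'   => ['platformAdmin', 'coAdmin'],
            ],
            // Actions that operate on the table as a whole (no $id).
            'table' => [
                'add'   => ['platformAdmin', 'coAdmin'],
                'index' => ['platformAdmin', 'coAdmin'],
            ],
            // Optional: models whose permissions are also calculated so the
            // table view can render links to related actions (assumed model).
            'related' => ['Cos'],
        ]);
    }
}

/**
 * Example table using the closure form. The closure receives the request,
 * the auth component and the entity id ($id is null for table actions), and
 * must return the same entity/table[/related] array shape as above.
 */
class LockableWidgetsTable extends Table
{
    use PermissionsTrait;

    public function initialize(array $config): void
    {
        parent::initialize($config);

        $this->setPermissions(
            function (ServerRequest $r, RegistryAuthComponent $auth, ?int $id): array {
                $admins = ['platformAdmin', 'coAdmin'];   // assumed role names
                $delete = $admins;

                // For entity actions, inspect the record. A hypothetical boolean
                // 'system' column marks records that must never be deleted;
                // returning false denies the action for every role.
                if ($id !== null) {
                    $rec = $this->find()
                        ->select(['id', 'system'])
                        ->where(['id' => $id])
                        ->first();
                    if ($rec !== null && $rec->system) {
                        $delete = false;
                    }
                }

                return [
                    'entity' => [
                        'delete' => $delete,
                        'edit'   => $admins,
                        'view'   => $admins,
                    ],
                    'table' => [
                        'add'   => $admins,
                        'index' => $admins,
                    ],
                ];
            }
        );
    }
}
```

Note that the closure is evaluated by RegistryAuthComponent at authorization time, so any lookup it performs runs on every request for that table; keep it cheap and fail closed (return false or an empty role list) when the record cannot be loaded.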

StandardController also provides the permissions calculated by RegistryAuthComponent to views.

See Also