CLI Commands
TinyAuth ships two console commands for editing auth_acl.ini from the shell. Both modify the file in place at the path configured by TinyAuth.aclFilePath (default config/) + TinyAuth.aclFile (default auth_acl.ini).
tiny_auth add
Add or update a single controller / action / roles entry in the ACL file.
bin/cake tiny_auth add <controller> [action] [roles] [options]Arguments
| Argument | Required | Default | Notes |
|---|---|---|---|
controller | yes | — | Controller name without the Controller suffix. Use the full Plugin.Prefix/Name form for plugins / prefixed controllers (e.g. MyPlugin.Admin/Articles). |
action | no | * | Action name (camelCased or under_scored). * means all actions. |
roles | no | * | Comma-separated role names (e.g. user,admin). * means all roles. |
Options
| Option | Short | Notes |
|---|---|---|
--plugin | -p | Plugin scope. Use all to consider all loaded plugins. |
--dry-run | -d | Show what would change without writing the INI file. |
Interactive mode
If you call tiny_auth add with only a controller (no action / roles), the command goes interactive — it prompts for an action and lists available roles you can pick from.
If you call it with no arguments at all, it lists the discovered controllers and asks you to pick one.
Examples
# Allow user and admin roles on Articles::index
bin/cake tiny_auth add Articles index user,admin
# → adds [Articles] index = user, admin
# Allow admin on every Articles action
bin/cake tiny_auth add Articles "*" admin
# → adds [Articles] * = admin
# Allow admin on a plugin's admin-prefixed Articles::edit
bin/cake tiny_auth add MyPlugin.Admin/Articles edit admin
# → adds [MyPlugin.Admin/Articles] edit = admin
# Preview without writing
bin/cake tiny_auth add Articles index user --dry-runtiny_auth sync
Scan all discovered controllers and add any that don't yet have an ACL entry. Existing entries are never modified — sync only adds missing rows with the wildcard action.
bin/cake tiny_auth sync <roles> [options]Arguments
| Argument | Required | Notes |
|---|---|---|
roles | yes | Comma-separated role names. * means all roles. |
Options
| Option | Short | Notes |
|---|---|---|
--plugin | -p | Plugin scope. Use all to include controllers from every loaded plugin. |
--dry-run | -d | Show what would change without writing the INI file. |
Examples
# Add every missing controller with: * = user, admin
bin/cake tiny_auth sync user,admin
# Same, but include all plugins, and grant access to all roles
bin/cake tiny_auth sync "*" --plugin all
# Preview only
bin/cake tiny_auth sync admin --dry-runWorkflow
A typical project workflow:
- Initial setup — run
sync "*"once to populateauth_acl.iniwith one row per controller, all roles allowed (a permissive baseline). - Tighten over time — for each controller, replace the wildcard entry with explicit
action = roleslines usingadd. - After adding new controllers — run
syncagain with your default role set; existing entries are preserved.
Notes
- Both commands respect
TinyAuth.aclFilePathandTinyAuth.aclFileoverrides for non-default INI locations. - Both commands list discovered roles in their
--helpoutput (pulled fromTinyAuth\Utility\TinyAuth::getAvailableRoles()). - Successful runs return exit code
0. There's no separate "no changes made" exit code —--dry-runis the way to detect drift.