[FLOW3-general] Problems defining an EntryPoint
Bernhard Fischer
bernhard at fischli.org
Fri Dec 2 13:40:16 CET 2011
Hi Ivan,
I would say WebRedirect needs a CSRF token, otherwise an exception will
be thrown on ACL-protected pages if you are not yet authenticated. It's
kind of a hen-and-egg dilemma. An aspect around
TYPO3_FLOW3_Security_Authorization_Interceptor_AccessDeny could be a
solution?
Knock ... knock ... someone should propose a "best practice" for this
common case: deny all except login if you are not authenticated
-Bernhard
On 12/02/2011 11:37 AM, Ivan Ruiz Gallego wrote:
> Hello,
>
> I'm unable to get a WebRedirect as the EntryPoint working! I've taken a
> look at TYPO3.Blog. There, it doesn't seem to work either... I just
> want users that haven't logged in yet to get redirected to the login
> form. As simple as that!
>
> According to my configuration (see below) I'd expect the following
> behaviour for users that haven't logged in yet:
> 1) The user makes a request to 'backoffice'
> 2) Since the user isn't logged in and the URL 'backoffice' tries to
> execute 'list' action from the 'coffee' controller, a redirect to
> 'backoffice/login' should take place.
>
> This is not happening! Instead, I get an uncaught exception
> "#1216919280: You are not allowed to perform this action.".
>
> Thanks,
> Ivan.
>
> --
> CONFIGURATION
>
> The Settings.yaml of my package looks like this:
>
> TYPO3:
>   FLOW3:
>     security:
>       authentication:
>         authenticationStrategy: oneToken
>         providers:
>           DefaultProvider:
>             providerClass: PersistedUsernamePasswordProvider
>             entryPoint:
>               WebRedirect:
>                 uri: backoffice/login
>
>
> and the Policy.yaml like this:
>
> resources:
>   methods:
>     Acme_Demo_UserAdminMethods: 'method(Acme\Demo\Controller\UserController->(list|delete|new|create)Action())'
>     Acme_Demo_RestrictedControllers: 'class(Acme\Demo\Controller\(Coffee|Soda|User)Controller)'
> roles:
>   Administrator: []
>   Editor: []
> acls:
>   Editor:
>     methods:
>       Acme_Demo_UserAdminMethods: DENY
>       Acme_Demo_RestrictedControllers: GRANT
>   Administrator:
>     methods:
>       Acme_Demo_UserAdminMethods: GRANT
>       Acme_Demo_RestrictedControllers: GRANT
>
>
> and finally Routes.yaml (in this order):
>
> [...]
> -
>   name: 'Backoffice Authentication'
>   uriPattern: 'backoffice/login(/{@action})'
>   defaults:
>     '@package': 'Acme.Demo'
>     '@controller': 'Login'
>     '@action': 'index'
>     '@format': 'html'
>
> -
>   name: 'Backoffice Index'
>   uriPattern: 'backoffice'
>   defaults:
>     '@package': 'Acme.Demo'
>     '@controller': 'Coffee'
>     '@action': 'list'
>     '@format': 'html'
>
> [...]
> _______________________________________________
> FLOW3-general mailing list
> FLOW3-general at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
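One way to build the aspect Bernhard suggests, as an added example that is not part of the thread and not FLOW3's or the Acme.Demo package's own code: an around advice on the AccessDeny interceptor's `invoke()` method. When the interceptor fires while no authentication token is authenticated, the advice raises an AuthenticationRequiredException instead of letting the AccessDeniedException (#1216919280) escape, so the WebRedirect entry point from Settings.yaml sends the visitor to `backoffice/login`. An already-authenticated user who is genuinely not allowed still receives the AccessDeniedException, so the policy is not weakened for them. The class, namespace, annotation and method names (`TYPO3\FLOW3\Annotations`, `TYPO3\FLOW3\AOP\JoinPointInterface`, `TYPO3\FLOW3\Security\Context::getAuthenticationTokens()`, `TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException`) are assumed from the FLOW3 1.0 API and should be checked against the installed version; the aspect class name and the exception code are constructed for this example, as is the assumption that the dispatcher answers an AuthenticationRequiredException by calling the configured entry point.

```php
<?php
namespace Acme\Demo\Aspect;

// Namespaces and class names below are assumed from the FLOW3 1.0 API
// (not taken from the thread); verify them against the installed version.
use TYPO3\FLOW3\Annotations as FLOW3;
use TYPO3\FLOW3\AOP\JoinPointInterface;
use TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException;

/**
 * Turns an "access denied" for an anonymous visitor into an
 * "authentication required", so the configured WebRedirect entry point
 * can redirect to the login form. Authenticated users that are denied
 * keep getting the normal AccessDeniedException.
 *
 * @FLOW3\Aspect
 */
class AnonymousAccessDenyAspect {

	/**
	 * @FLOW3\Inject
	 * @var \TYPO3\FLOW3\Security\Context
	 */
	protected $securityContext;

	/**
	 * Around advice on the AccessDeny interceptor (the source of
	 * exception #1216919280 seen in the thread).
	 *
	 * @FLOW3\Around("method(TYPO3\FLOW3\Security\Authorization\Interceptor\AccessDeny->invoke())")
	 * @param JoinPointInterface $joinPoint The current join point
	 * @return mixed Result of the original invoke() call, if it returns at all
	 */
	public function requireAuthenticationInsteadOfDenying(JoinPointInterface $joinPoint) {
		if ($this->isAnyTokenAuthenticated() === FALSE) {
			// Nobody is logged in yet: report a missing login rather than a
			// forbidden action. Exception code is a constructed placeholder
			// (FLOW3 convention is a unique timestamp per throw site).
			throw new AuthenticationRequiredException(
				'Authentication is required before this action can be authorized.',
				1322833216
			);
		}
		// A logged-in user reached the interceptor: keep the original
		// AccessDeniedException behaviour untouched.
		return $joinPoint->getAdviceChain()->proceed($joinPoint);
	}

	/**
	 * TRUE if at least one token in the security context is authenticated.
	 *
	 * @return boolean
	 */
	protected function isAnyTokenAuthenticated() {
		foreach ($this->securityContext->getAuthenticationTokens() as $token) {
			if ($token->isAuthenticated()) {
				return TRUE;
			}
		}
		return FALSE;
	}
}
?>
```

For the redirect to be useful, the login controller itself must stay reachable without a login: the Policy.yaml from the thread must not match `LoginController` (or must grant it to the Everybody role), otherwise the redirect target is denied as well and the visitor loops. The aspect only changes the exception type; it does not bypass any GRANT/DENY decision, which is why it is safe to leave active for authenticated users.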