[FLOW3-general] Problems defining an EntryPoint
Ivan Ruiz Gallego
ivan at loglan.net
Fri Dec 2 14:10:52 CET 2011
Hi Andi,
What I need to implement is what Bernhard and Adrian mentioned in their
answers: lock everything behind authorization (with a couple of
exceptions such as login and contact page) and redirect unauthorized
users to the login page. I think @FLOW3\SkipCsrfProtection doesn't do
the job. As Bernhard asked before, could you recommend a kind of "best
practice" to implement such a feature?
Thanks,
Ivan.
On 02.12.2011 13:56, Andreas Förthner wrote:
> Hi Ivan,
>
> yes, you tried to access a protected controller without sending the csrf
> token. Therefore the firewall will block the request right at the
> beginning. If this is an action that does not change any data you can
> safely skip csrf-protection by annotating your action method with:
> @FLOW3\SkipCsrfProtection.
>
> Maybe we can automate this in the future, but that's a bit difficult, so
> you have to do it manually for now.
>
> Greets Andi
>
> On 02.12.11 11:37, "Ivan Ruiz Gallego" <ivan at loglan.net> wrote:
>
>> Hello,
>>
>> I'm unable to get a WebRedirect as the EntryPoint working! I've taken a
>> look at TYPO3.Blog. There, it doesn't seem to work either... I just
>> want users that haven't logged in yet to get redirected to the login
>> form. As simple as that!
>>
>> According to my configuration (see below) I'd expect the following
>> behaviour for users that haven't logged in yet:
>> 1) The user makes a request to 'backoffice'
>> 2) Since the user isn't logged in and the URL 'backoffice' tries to
>> execute 'list' action from the 'coffee' controller, a redirect to
>> 'backoffice/login' should take place.
>>
>> This is not happening! Instead of this I get an uncaught exception
>> "#1216919280: You are not allowed to perform this action.".
>>
>> Thanks,
>> Ivan.
>>
>> --
>> CONFIGURATION
>>
>> The Settings.yaml of my package looks like this:
>>
>> TYPO3:
>>   FLOW3:
>>     security:
>>       authentication:
>>         authenticationStrategy: oneToken
>>         providers:
>>           DefaultProvider:
>>             providerClass: PersistedUsernamePasswordProvider
>>             entryPoint:
>>               WebRedirect:
>>                 uri: backoffice/login
>>
>>
>> and the Policy.yaml like this:
>>
>> resources:
>>   methods:
>>     Acme_Demo_UserAdminMethods:
>>       'method(Acme\Demo\Controller\UserController->(list|delete|new|create)Action())'
>>     Acme_Demo_RestrictedControllers:
>>       'class(Acme\Demo\Controller\(Coffee|Soda|User)Controller)'
>> roles:
>>   Administrator: []
>>   Editor: []
>> acls:
>>   Editor:
>>     methods:
>>       Acme_Demo_UserAdminMethods: DENY
>>       Acme_Demo_RestrictedControllers: GRANT
>>   Administrator:
>>     methods:
>>       Acme_Demo_BenutzerAdministratorMethods: GRANT
>>       Acme_Demo_RestrictedControllers: GRANT
>>
>>
>> and finally Routes.yaml (in this order):
>>
>> [...]
>> -
>>   name: 'Backoffice Authentication'
>>   uriPattern: 'backoffice/login(/{@action})'
>>   defaults:
>>     '@package': 'Acme.Demo'
>>     '@controller': 'Login'
>>     '@action': 'index'
>>     '@format': 'html'
>>
>> -
>>   name: 'Backoffice Index'
>>   uriPattern: 'backoffice'
>>   defaults:
>>     '@package': 'Acme.Demo'
>>     '@controller': 'Coffee'
>>     '@action': 'list'
>>     '@format': 'html'
>>
>> [...]
>>
> Andreas Förthner
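
The behaviour asked for in this message (lock everything, allow a few public pages, send anonymous users to the login page), as a framework-independent sketch added here. It is not FLOW3 code and not code from the thread; the paths, status codes, rule tables and the rule that only non-GET/HEAD requests need a CSRF token are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed values loosely mirroring the thread's routes (assumptions, not FLOW3 config).
LOGIN_URI = "/backoffice/login"
PUBLIC = [r"/backoffice/login(/[A-Za-z]+)?", r"/contact"]          # the few exceptions
DENY = {"Editor": [r"/backoffice/user/(list|delete|new|create)"]}  # per-role DENY rules
SAFE_METHODS = {"GET", "HEAD"}                                     # assumed not to change data


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    roles: tuple = ()       # empty means "not logged in"
    csrf_ok: bool = False   # True when a valid CSRF token accompanied the request


def matches(patterns, path):
    """True if the whole path matches any of the regular expressions."""
    return any(re.fullmatch(p, path) for p in patterns)


def decide(req):
    """Return (status, redirect_target) under a default-deny policy."""
    # 1. Public allowlist first: the login page must never redirect to itself.
    if matches(PUBLIC, req.path):
        return (200, None)
    # 2. Everything else needs a login; anonymous users go to the entry point.
    if not req.roles:
        return (302, LOGIN_URI)
    # 3. State-changing requests from logged-in users need a CSRF token.
    if req.method not in SAFE_METHODS and not req.csrf_ok:
        return (403, None)
    # 4. A DENY on any held role wins over grants: 403, not another redirect.
    if any(matches(DENY.get(role, []), req.path) for role in req.roles):
        return (403, None)
    return (200, None)
```

The ordering is the point: the allowlist is evaluated before the login check, and a logged-in user who lacks permission gets a 403 rather than being sent back to the login form.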