[FLOW3-general] Problems defining an EntryPoint

Andreas Förthner andreas.foerthner at netlogix.de
Fri Dec 2 16:13:25 CET 2011


Hi Ivan,

I don't have much time, so just a short answer: This annotation will not
skip the ACL protection of this action. It will just not require the CSRF
token to be there. If you still get the "You are not allowed" exception
after annotating, it's probably a caching issue. Make sure to flush all
caches. I wrote a short blog post some time ago about the whole CSRF
topic. Besides the annotation syntax, everything else should still be
valid:
http://media.netlogix.de/community/details/artikel/csrf-protection-in-typo3-phoenix-kindly-provided-by-flow3

Hope this helps a bit to make things clear.

Greets Andi

On 02.12.11 14:13, "Ivan Ruiz Gallego" <ivan at loglan.net> wrote:

>Hi Bernhard,
>
>I don't get the exception anymore, but the WebRedirect doesn't take
>place. And anyway, I need to protect the controller actions in question,
>so skipping csrf protection doesn't help.
>
>Ivan.
>
>On 02.12.2011 14:08, Bernhard Fischer wrote:
>> Hi Andreas,
>>
>> what's behind @FLOW3\SkipCsrfProtection, and how does the controller
>> behave after it's annotated? I still get exceptions whether it's
>> annotated or not. Can't see the difference.
>>
>> Thx
>> Bernhard
>>
>> On 12/02/2011 01:56 PM, Andreas Förthner wrote:
>>> Hi Ivan,
>>>
>>> yes, you tried to access a protected controller without sending the
>>> CSRF token. Therefore the firewall will block the request right at the
>>> beginning. If this is an action that does not change any data, you can
>>> safely skip CSRF protection by annotating your action method with:
>>> @FLOW3\SkipCsrfProtection.
>>>
>>> Maybe we can automate this in the future, but that's a bit difficult,
>>> so you have to do it manually for now.
>>>
>>> Greets Andi
>>>
>>> On 02.12.11 11:37, "Ivan Ruiz Gallego" <ivan at loglan.net> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm unable to get a WebRedirect as the EntryPoint working! I've taken
>>>> a look at TYPO3.Blog. There, it doesn't seem to work either... I just
>>>> want users who haven't logged in yet to be redirected to the login
>>>> form. As simple as that!
>>>>
>>>> According to my configuration (see below) I'd expect the following
>>>> behaviour for users that haven't logged in yet:
>>>> 1) The user makes a request to 'backoffice'
>>>> 2) Since the user isn't logged in and the URL 'backoffice' tries to
>>>> execute 'list' action from the 'coffee' controller, a redirect to
>>>> 'backoffice/login' should take place.
>>>>
>>>> This is not happening! Instead of this I get an uncaught exception
>>>> "#1216919280: You are not allowed to perform this action.".
>>>>
>>>> Thanks,
>>>> Ivan.
>>>>
>>>> --
>>>> CONFIGURATION
>>>>
>>>> The Settings.yaml of my package looks like this:
>>>>
>>>> TYPO3:
>>>>   FLOW3:
>>>>     security:
>>>>       authentication:
>>>>         authenticationStrategy: oneToken
>>>>         providers:
>>>>           DefaultProvider:
>>>>             providerClass: PersistedUsernamePasswordProvider
>>>>             entryPoint:
>>>>               WebRedirect:
>>>>                 uri: backoffice/login
>>>>
>>>>
>>>> and the Policy.yaml like this:
>>>>
>>>> resources:
>>>>   methods:
>>>>     Acme_Demo_UserAdminMethods: 'method(Acme\Demo\Controller\UserController->(list|delete|new|create)Action())'
>>>>     Acme_Demo_RestrictedControllers: 'class(Acme\Demo\Controller\(Coffee|Soda|User)Controller)'
>>>> roles:
>>>>   Administrator: []
>>>>   Editor: []
>>>> acls:
>>>>   Editor:
>>>>     methods:
>>>>       Acme_Demo_UserAdminMethods: DENY
>>>>       Acme_Demo_RestrictedControllers: GRANT
>>>>   Administrator:
>>>>     methods:
>>>>       # must reference a resource defined above (was Acme_Demo_BenutzerAdministratorMethods)
>>>>       Acme_Demo_UserAdminMethods: GRANT
>>>>       Acme_Demo_RestrictedControllers: GRANT
>>>>
>>>>
>>>> and finally Routes.yaml (in this order):
>>>>
>>>> [...]
>>>> -
>>>> name: 'Backoffice Authentication'
>>>> uriPattern: 'backoffice/login(/{@action})'
>>>> defaults:
>>>> '@package': 'Acme.Demo'
>>>> '@controller': 'Login'
>>>> '@action': 'index'
>>>> '@format': 'html'
>>>>
>>>> -
>>>> name: 'Backoffice Index'
>>>> uriPattern: 'backoffice'
>>>> defaults:
>>>> '@package': 'Acme.Demo'
>>>> '@controller': 'Coffee'
>>>> '@action': 'list'
>>>> '@format': 'html'
>>>>
>>>> [...]
>>>>
>>> Andreas Förthner
>>> Head of Web Development
>>>
>>> Phone: +49 (911) 539909 - 0
>>> E-Mail: andreas.foerthner at netlogix.de
>>> Website: media.netlogix.de
>>>
>>>
>>> --
>>> netlogix GmbH & Co. KG
>>> IT-Services | IT-Training | Media
>>> Andernacher Straße 53 | 90411 Nürnberg
>>> Phone: +49 (911) 539909 - 0 | Fax: +49 (911) 539909 - 99
>>> E-Mail: info at netlogix.de | Internet: http://www.netlogix.de
>>>
>>> netlogix GmbH & Co. KG is registered with the Nürnberg district court (HRA 13338)
>>> General partner: netlogix Verwaltungs GmbH (HRB 20634)
>>> VAT identification number: DE 233472254
>>> Managing directors: Stefan Buchta, Matthias Schmidt
>>>
>>>
>>>
>>>
_______________________________________________
>>>> FLOW3-general mailing list
>>>> FLOW3-general at lists.typo3.org
>>>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
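The behaviour the thread describes, as an added illustration written for this page and not FLOW3's own code: a CSRF filter sits in front of the authorization check, so an unauthenticated request to a protected action that carries no token is rejected with "You are not allowed" before the WebRedirect entry point is ever consulted, while annotating a read-only action to skip the CSRF check lets that request reach the entry point without weakening its ACL. The resources and ACLs mirror the Policy.yaml quoted above (the Administrator entry is assumed to refer to Acme_Demo_UserAdminMethods); the session token, the set of actions assumed to carry @FLOW3\SkipCsrfProtection, and the exact filter order are assumptions made for the model.

```python
"""Toy model of a request firewall: CSRF filter first, then entry point /
ACL.  Illustrative code written for this page, not FLOW3's implementation.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed session token; a real framework issues a random one per session.
SESSION_CSRF_TOKEN = "8f3a1c9e2b7d4e60"

ENTRY_POINT_URI = "backoffice/login"  # Settings.yaml: entryPoint -> WebRedirect -> uri

# Resources from Policy.yaml, expressed as predicates over (controller, action).
RESOURCES: Dict[str, Callable[[str, str], bool]] = {
    "Acme_Demo_UserAdminMethods":
        lambda c, a: c == "User" and a in {"list", "delete", "new", "create"},
    "Acme_Demo_RestrictedControllers":
        lambda c, a: c in {"Coffee", "Soda", "User"},
}

# ACLs from Policy.yaml (Administrator entry assumed to mean UserAdminMethods).
ACLS: Dict[str, Dict[str, str]] = {
    "Editor": {"Acme_Demo_UserAdminMethods": "DENY",
               "Acme_Demo_RestrictedControllers": "GRANT"},
    "Administrator": {"Acme_Demo_UserAdminMethods": "GRANT",
                      "Acme_Demo_RestrictedControllers": "GRANT"},
}

# Assumed: read-only list actions are annotated @FLOW3\SkipCsrfProtection.
SKIP_CSRF: FrozenSet[Tuple[str, str]] = frozenset(
    {("Coffee", "list"), ("Soda", "list"), ("User", "list")})


@dataclass(frozen=True)
class Request:
    controller: str
    action: str
    role: Optional[str] = None        # None means not authenticated
    csrf_token: Optional[str] = None  # None means no token sent


def matched_resources(req: Request) -> List[str]:
    """Names of every policy resource whose pointcut matches this request."""
    return [name for name, pred in RESOURCES.items()
            if pred(req.controller, req.action)]


def csrf_filter(req: Request,
                skip_csrf: FrozenSet[Tuple[str, str]]) -> Optional[str]:
    """First filter: a protected action needs a valid token unless it is
    annotated to skip the check.  Returns a response string on rejection."""
    if not matched_resources(req) or (req.controller, req.action) in skip_csrf:
        return None
    if req.csrf_token is None or not hmac.compare_digest(
            req.csrf_token, SESSION_CSRF_TOKEN):
        return "403 You are not allowed to perform this action (CSRF token)"
    return None


def authorize(req: Request) -> str:
    """Second filter: anonymous users go to the entry point; authenticated
    users are checked against the ACL, where any DENY wins over GRANT."""
    matched = matched_resources(req)
    if not matched:
        return "200 OK (unprotected)"
    if req.role is None:
        return f"302 redirect to {ENTRY_POINT_URI}"
    decisions = {ACLS.get(req.role, {}).get(name, "ABSTAIN") for name in matched}
    if "DENY" in decisions or "GRANT" not in decisions:
        return "403 You are not allowed to perform this action (ACL)"
    return "200 OK"


def firewall(req: Request,
             skip_csrf: FrozenSet[Tuple[str, str]] = SKIP_CSRF) -> str:
    """Run the filters in order; the first rejection ends the request."""
    return csrf_filter(req, skip_csrf) or authorize(req)


if __name__ == "__main__":
    anon_list = Request("Coffee", "list")
    print("anonymous list, no annotation:", firewall(anon_list, frozenset()))
    print("anonymous list, annotated:    ", firewall(anon_list))
    print("editor lists users, annotated:",
          firewall(Request("User", "list", "Editor")))
```

Running the module prints the three cases from the thread: without the annotation the anonymous list request dies in the CSRF filter, with it the request reaches the entry point and is redirected to backoffice/login, and an Editor calling the annotated User list action is still stopped by the DENY in the ACL.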