[FLOW3-general] Security: You are not allowed to perform this action
Julian Kleinhans
typo3 at kj187.de
Wed May 11 21:00:16 CEST 2011
Hi Andreas,
thanks for this hint.. but I won't disable this nice feature :-)
What must I do so that it works?
You write
> Therefore, FLOW3 will add this token automatically for you. To make it short, in fact you don’t have to do anything to be CSRF save.
After a successful login I do that
> $this->redirect($action, ($controller ? $controller : 'Admin\Admin'));
But I miss the token after the redirect.. therefore I get this CSRF
protection message.
And regardless of the redirect, if I am successfully authenticated, all
protected links, which I render with Fluid, are also without a token.
What can I do?
greetz
julian
On 11.05.11 09:44, Andreas Förthner wrote:
> Hi Julian,
>
> CSRF protection got you ;-) You probably want to add @skipCsrfProtection
> annotations to those restricted controller actions that are just
> displaying and not modifying data. I've written a blog post about this new
> feature, maybe this makes it a bit more clear what to do:
> http://media.netlogix.de/community/details/artikel/csrf-protection-in-typo3-phoenix-kindly-provided-by-flow3
>
> Greets
>
>
> On 10.05.11 22:27, "Julian Kleinhans" <typo3 at kj187.de> wrote:
>
>> Hey list..
>>
>> with the latest master I get a strange exception..
>> I create a new user with
>>
>>
>>> $account = $this->accountFactory->createAccountWithPassword('jk', 'jk', array('Administrator'));
>>> $this->accountRepository->add($account);
>>
>>
>> and the injections
>>
>>> /**
>>>  * @inject
>>>  * @var \F3\FLOW3\Security\AccountRepository
>>>  */
>>> protected $accountRepository;
>>>
>>> /**
>>>  * @inject
>>>  * @var \F3\FLOW3\Security\AccountFactory
>>>  */
>>> protected $accountFactory;
>>
>>
>> my Policy.yaml looks like
>>
>>> resources:
>>>   methods:
>>>     F3_Tutorials_RestrictedAdminArea: 'class(F3\Tutorials\Controller\Admin\.*)'
>>> roles:
>>>   Administrator: []
>>> acls:
>>>   Administrator:
>>>     methods:
>>>       F3_Tutorials_RestrictedAdminArea: GRANT
>>>       F3_Tutorials_RestrictedDashbaord: GRANT
>>>       F3_Tutorials_Comments: GRANT
>>
>>
>> and when I try to log in I get this exception
>>
>>> #1216919280: You are not allowed to perform this action. (More information)
>>>
>>> F3\FLOW3\Security\Exception\AccessDeniedException thrown in file
>>> /data/htdocs/privat/tutorials3/flow3/FLOW3/Data/Temporary/Development/Cache/Code/FLOW3_Object_Classes/F3_FLOW3_Security_Authorization_Interceptor_AccessDeny_Original.php in line 41.
>>
>>
>> Some ideas?
>>
>> greetz
>> julian
>>
>>
> Andreas Förthner
> Head of Web Development
>
> Phone: +49 (911) 539909 - 0
> E-mail: andreas.foerthner at netlogix.de
> Website: media.netlogix.de
>
>
> --
> netlogix GmbH & Co. KG
> IT-Services | IT-Training | Media
> Andernacher Straße 53 | 90411 Nürnberg
> Phone: +49 (911) 539909 - 0 | Fax: +49 (911) 539909 - 99
> E-mail: info at netlogix.de | Internet: http://www.netlogix.de
>
> netlogix GmbH & Co. KG is registered with the Amtsgericht Nürnberg (HRA 13338)
> Personally liable partner: netlogix Verwaltungs GmbH (HRB 20634)
> VAT identification number: DE 233472254
> Managing directors: Stefan Buchta, Matthias Schmidt
>
>
>
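The following is an added example, not code from this thread or from the FLOW3 project, illustrating the split Andreas describes: a display-only action in a restricted controller is exempted with @skipCsrfProtection, while a state-changing action in the same controller deliberately keeps the protection so that links rendered with Fluid's action link view helper carry the token. The class name `AdminController`, the actions and their bodies are hypothetical; the namespace, the `@inject` property and the `Administrator` role are taken from the thread.

```php
<?php
// Added example (hypothetical controller, not from the thread or the FLOW3 code base).
// It assumes the @skipCsrfProtection annotation described in the thread and the
// F3\FLOW3 namespaces used in the original post.
namespace F3\Tutorials\Controller\Admin;

use F3\FLOW3\MVC\Controller\ActionController;

/**
 * Matched by the policy resource 'class(F3\Tutorials\Controller\Admin\.*)',
 * so every action is restricted to the Administrator role.
 */
class AdminController extends ActionController {

	/**
	 * @inject
	 * @var \F3\FLOW3\Security\AccountRepository
	 */
	protected $accountRepository;

	/**
	 * Display-only action: it reads data and changes nothing, so a request
	 * without a CSRF token cannot cause harm. That is the case for which the
	 * annotation is meant; it still requires the Administrator role.
	 *
	 * @return void
	 * @skipCsrfProtection
	 */
	public function indexAction() {
		$this->view->assign('accounts', $this->accountRepository->findAll());
	}

	/**
	 * State-changing action: intentionally NOT annotated. Links to it must be
	 * rendered in the template with
	 *   <f:link.action action="delete" arguments="{account: account}">delete</f:link.action>
	 * so that FLOW3 appends the CSRF token; a cross-site request that lacks a
	 * valid token is rejected by the security interceptor before this code runs.
	 *
	 * @param \F3\FLOW3\Security\Account $account
	 * @return void
	 */
	public function deleteAction(\F3\FLOW3\Security\Account $account) {
		$this->accountRepository->remove($account);
		$this->redirect('index');
	}
}
```

The rule of thumb encoded above: exempt only actions that are safe to call from a plain link (reads), and leave every action that creates, updates or deletes data under token protection, since the token is exactly what stops a third-party page from triggering those actions with the victim's session.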