[FLOW3-general] Security: You are not allowed to perform this action
Andreas Förthner
andreas.foerthner at netlogix.de
Thu May 12 10:43:30 CEST 2011
Hi Julian,
which version of FLOW3 are you using? Current trunk might not work, but
there is an open change that should fix this:
https://review.typo3.org/#change,1983
Hope this helps.
Greets Andi
On 11.05.11 21:00, "Julian Kleinhans" <typo3 at kj187.de> wrote:
>Hi Andreas,
>
>thanks for this hint.. but I won't disable this nice feature :-)
>What must I do to make it work?
>
>You write
>
>> Therefore, FLOW3 will add this token automatically for you. To make it
>> short, in fact you don't have to do anything to be CSRF safe.
>
>
>After a successful login I do this
>
>> $this->redirect($action, ($controller ? $controller : 'Admin\Admin'));
>
>But I miss the token after the redirect.. therefore, I get this CSRF
>protection message.
>
>And regardless of the redirect, if I am successfully authenticated, all
>protected links, which I render with FLUID, are also without a token.
>
>What can I do?
>
>greetz
>julian
>
>On 11.05.11 09:44, Andreas Förthner wrote:
>> Hi Julian,
>>
>> CSRF protection got you ;-) You probably want to add @skipCsrfProtection
>> annotations to those restricted controller actions that are just
>> displaying and not modifying data. I've written a blog post about this
>> new feature, maybe this makes it a bit more clear what to do:
>>
>> http://media.netlogix.de/community/details/artikel/csrf-protection-in-typo3-phoenix-kindly-provided-by-flow3
>>
>> Greets
>>
>>
>> On 10.05.11 22:27, "Julian Kleinhans" <typo3 at kj187.de> wrote:
>>
>>> Hey list..
>>>
>>> with the latest master I get a strange exception..
>>> I create a new user with
>>>
>>>
>>>> $account = $this->accountFactory->createAccountWithPassword('jk',
>>>>     'jk', array('Administrator'));
>>>> $this->accountRepository->add($account);
>>>
>>>
>>> injections
>>>
>>>> /**
>>>> * @inject
>>>> * @var \F3\FLOW3\Security\AccountRepository
>>>> */
>>>> protected $accountRepository;
>>>>
>>>> /**
>>>> * @inject
>>>> * @var \F3\FLOW3\Security\AccountFactory
>>>> */
>>>> protected $accountFactory;
>>>
>>>
>>> my Policy.yaml looks like
>>>
>>>> resources:
>>>>   methods:
>>>>     F3_Tutorials_RestrictedAdminArea: 'class(F3\Tutorials\Controller\Admin\.*)'
>>>> roles:
>>>>   Administrator: []
>>>> acls:
>>>>   Administrator:
>>>>     methods:
>>>>       F3_Tutorials_RestrictedAdminArea: GRANT
>>>>       F3_Tutorials_RestrictedDashbaord: GRANT
>>>>       F3_Tutorials_Comments: GRANT
>>>
>>>
>>> and when I try to log in I get this exception
>>>
>>>> #1216919280: You are not allowed to perform this action. (More information)
>>>>
>>>> F3\FLOW3\Security\Exception\AccessDeniedException thrown in file
>>>> /data/htdocs/privat/tutorials3/flow3/FLOW3/Data/Temporary/Development/Cache/Code/FLOW3_Object_Classes/F3_FLOW3_Security_Authorization_Interceptor_AccessDeny_Original.php
>>>> in line 41.
>>>
>>>
>>> Some ideas?
>>>
>>> greetz
>>> julian
>>>
>>>
>> Andreas Förthner
>> Head of Web Development
>>
>> Telefon: +49 (911) 539909 - 0
>> E-Mail: andreas.foerthner at netlogix.de
>> Website: media.netlogix.de
>>
>>
_______________________________________________
>>> FLOW3-general mailing list
>>> FLOW3-general at lists.typo3.org
>>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
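As an added example (not code from this thread or from FLOW3 itself) of what Andreas describes: a restricted admin controller in which the display-only action is annotated @skipCsrfProtection, so it can serve as the redirect target after login, while the data-modifying action keeps the check. The base class F3\FLOW3\MVC\Controller\ActionController, the CommentRepository and the action bodies are assumptions.

```php
<?php
namespace F3\Tutorials\Controller\Admin;

use F3\FLOW3\MVC\Controller\ActionController;

/**
 * Lives under F3\Tutorials\Controller\Admin\, so it is matched by the
 * 'class(F3\Tutorials\Controller\Admin\.*)' resource in Policy.yaml and
 * every action is restricted to the Administrator role. Restricted actions
 * are CSRF-protected by default; only the read-only one opts out.
 * (Assumed base class and repository; constructed for illustration.)
 */
class AdminController extends ActionController {

    /**
     * @inject
     * @var \F3\Tutorials\Domain\Repository\CommentRepository
     */
    protected $commentRepository;

    /**
     * Display-only action: it changes no data, so no CSRF token is required.
     * That makes it a safe landing point for the login controller's
     * $this->redirect('index', 'Admin\Admin'), a request that carries no
     * token yet.
     *
     * @skipCsrfProtection
     * @return void
     */
    public function indexAction() {
        $this->view->assign('comments', $this->commentRepository->findAll());
    }

    /**
     * State-changing action: keep the CSRF protection. A link or form that
     * Fluid renders for this action gets the token appended by FLOW3; a
     * hand-written URL or a plain redirect would not carry one and is
     * rejected with the AccessDeniedException seen in the thread.
     *
     * @param \F3\Tutorials\Domain\Model\Comment $comment Constructed example model
     * @return void
     */
    public function deleteCommentAction(\F3\Tutorials\Domain\Model\Comment $comment) {
        $this->commentRepository->remove($comment);
        // Redirect back to the token-free index action, not to another
        // protected action, so the follow-up request needs no token.
        $this->redirect('index');
    }
}
```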