[FLOW3-general] Security: You are not allowed to perform this action
Julian Kleinhans
kleinhans at bergisch-media.de
Thu May 12 11:34:06 CEST 2011
Hi Andreas,
ah ok.. I use the latest trunk ;-)
I will test the bugfix.
Thanks for the hint.
greetz
julian
On 12.05.11 10:43, Andreas Förthner wrote:
> Hi Julian,
>
> which version of FLOW3 are you using? Current trunk might not work, but
> there is an open change that should fix this:
> https://review.typo3.org/#change,1983
>
> Hope this helps.
>
> Greets Andi
>
>
> On 11.05.11 21:00, "Julian Kleinhans" <typo3 at kj187.de> wrote:
>
>> Hi Andreas,
>>
>> thanks for this hint.. but I won't disable this nice feature :-)
>> What must I do to make it work?
>>
>> You write
>>
>>> Therefore, FLOW3 will add this token automatically for you. To make it
>>> short, in fact you don't have to do anything to be CSRF safe.
>>
>>
>> After a successful login I do this:
>>
>>> $this->redirect($action, ($controller ? $controller : 'Admin\Admin'));
>>
>> But the token is missing after the redirect.. therefore I get this CSRF
>> protection message.
>>
>> And regardless of the redirect, if I am successfully authenticated, all
>> protected links, which I render with Fluid, are also without a token.
>>
>> What can I do?
>>
>> greetz
>> julian
>>
>> On 11.05.11 09:44, Andreas Förthner wrote:
>>> Hi Julian,
>>>
>>> CSRF protection got you ;-) You probably want to add @skipCsrfProtection
>>> annotations to those restricted controller actions that are just
>>> displaying and not modifying data. I've written a blog post about this
>>> new feature, maybe this makes it a bit more clear what to do:
>>>
>>> http://media.netlogix.de/community/details/artikel/csrf-protection-in-typo3-phoenix-kindly-provided-by-flow3
>>>
>>> Greets
>>>
>>>
>>> On 10.05.11 22:27, "Julian Kleinhans" <typo3 at kj187.de> wrote:
>>>
>>>> Hey list..
>>>>
>>>> with the latest master I get a strange exception..
>>>> I create a new user with
>>>>
>>>>
>>>>> $account = $this->accountFactory->createAccountWithPassword('jk', 'jk', array('Administrator'));
>>>>> $this->accountRepository->add($account);
>>>>
>>>>
>>>> injections:
>>>>
>>>>> /**
>>>>> * @inject
>>>>> * @var \F3\FLOW3\Security\AccountRepository
>>>>> */
>>>>> protected $accountRepository;
>>>>>
>>>>> /**
>>>>> * @inject
>>>>> * @var \F3\FLOW3\Security\AccountFactory
>>>>> */
>>>>> protected $accountFactory;
>>>>
>>>>
>>>> my Policy.yaml looks like
>>>>
>>>>> resources:
>>>>>   methods:
>>>>>     F3_Tutorials_RestrictedAdminArea: 'class(F3\Tutorials\Controller\Admin\.*)'
>>>>> roles:
>>>>>   Administrator: []
>>>>> acls:
>>>>>   Administrator:
>>>>>     methods:
>>>>>       F3_Tutorials_RestrictedAdminArea: GRANT
>>>>>       F3_Tutorials_RestrictedDashbaord: GRANT
>>>>>       F3_Tutorials_Comments: GRANT
>>>>
>>>>
>>>> and when I try to log in I get this exception:
>>>>
>>>>> #1216919280: You are not allowed to perform this action. (More information)
>>>>>
>>>>> F3\FLOW3\Security\Exception\AccessDeniedException thrown in file
>>>>> /data/htdocs/privat/tutorials3/flow3/FLOW3/Data/Temporary/Development/Cache/Code/FLOW3_Object_Classes/F3_FLOW3_Security_Authorization_Interceptor_AccessDeny_Original.php
>>>>> in line 41.
>>>>
>>>>
>>>> Some ideas?
>>>>
>>>> greetz
>>>> julian
>>>>
>>>>
>>> Andreas Förthner
>>> Head of Web Development
>>>
>>> Phone: +49 (911) 539909 - 0
>>> E-Mail: andreas.foerthner at netlogix.de
>>> Website: media.netlogix.de
>>>
>>> --
>>> netlogix GmbH & Co. KG
>>> IT-Services | IT-Training | Media
>>> Andernacher Straße 53 | 90411 Nürnberg
>>> Phone: +49 (911) 539909 - 0 | Fax: +49 (911) 539909 - 99
>>> E-Mail: info at netlogix.de | Internet: http://www.netlogix.de
>>>
>>> netlogix GmbH & Co. KG is registered at the Nuremberg district court (HRA 13338)
>>> General partner: netlogix Verwaltungs GmbH (HRB 20634)
>>> VAT identification number: DE 233472254
>>> Managing directors: Stefan Buchta, Matthias Schmidt
>>>
> _______________________________________________
> FLOW3-general mailing list
> FLOW3-general at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
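The distinction Andreas draws in the thread, that only displaying actions should carry @skipCsrfProtection while data-modifying actions keep the token check, as an added example controller. This is not code from the thread or from FLOW3 itself. It assumes the FLOW3 of that era as discussed above (the F3\ namespace, docblock annotations, the \F3\FLOW3\MVC\Controller\ActionController base class, and the Account and AccountRepository classes Julian injects); the DashboardController class and its action names are hypothetical, placed in the Admin namespace so that the resource 'class(F3\Tutorials\Controller\Admin\.*)' from Julian's Policy.yaml covers them.

```php
<?php
namespace F3\Tutorials\Controller\Admin;

/*
 * Added example, not from the thread. Assumes the FLOW3 version discussed
 * here (F3\ namespace, docblock annotations, ActionController base class).
 * The class and action names are hypothetical.
 */
class DashboardController extends \F3\FLOW3\MVC\Controller\ActionController {

	/**
	 * @inject
	 * @var \F3\FLOW3\Security\AccountRepository
	 */
	protected $accountRepository;

	/**
	 * Read-only action: it only lists accounts and changes no state, so a
	 * forged cross-site request through it causes no damage. Marking it
	 * @skipCsrfProtection lets it be reached by a plain link or by a
	 * redirect that carries no CSRF token (the case Julian ran into).
	 *
	 * @return void
	 * @skipCsrfProtection
	 */
	public function indexAction() {
		$this->view->assign('accounts', $this->accountRepository->findAll());
	}

	/**
	 * State-changing action: deletes an account. Deliberately NOT annotated,
	 * so the CSRF token that FLOW3 adds to Fluid-rendered links and forms
	 * stays required; a request without a valid token is denied with the
	 * same AccessDeniedException quoted in the thread.
	 *
	 * @param \F3\FLOW3\Security\Account $account the account to remove
	 * @return void
	 */
	public function deleteAction(\F3\FLOW3\Security\Account $account) {
		$this->accountRepository->remove($account);
		$this->redirect('index');
	}
}
```

The rule of thumb encoded here: an action that a user could be tricked into triggering without harm (pure reads) may skip the check, because the policy in Policy.yaml still restricts it to the Administrator role; anything that writes, deletes or changes security state keeps the token requirement, which is exactly what the redirect and the Fluid links in Julian's case were missing.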