[FLOW3-general] Modify role dependent Access Denied message

Bernhard Fischer bernhard at fischli.org
Wed Nov 2 09:12:37 CET 2011


Hi Andi,

I would agree with you on using AOP for a finer access granularity (if you 
need full flexibility). From my point of view it would be more intuitive 
if I could manage most of my policies inside Policy.yaml. So, if we 
don't want to code role-based access methods with AOP, it should be 
possible to extend the ACLs with policies related to the user role. And 
in the case of a denial I'd like to redirect to a separate view, 
showing a message that the user's role denies access to the selected 
functionality. To build user-specific views, with disabled buttons and 
links as you suggested, would move access logic to an additional place 
(the view) we have to care about. While building the view I'd like to 
know if the user has access to different elements/methods and not only 
in general (it's not enough to know which role the user belongs to). 
Then it would be easier to show user-specific views (it would be nice to 
have view helpers for elements like buttons and links which would be 
rendered automatically as disabled in the case of an access denial).

Maybe I'm missing some conceptual thoughts?

Greetings Bernhard


On 10/31/2011 10:26 AM, Andreas Förthner wrote:
> Hi,
>
> I think AOP would be the fastest way to go here, indeed. But in fact there
> was a reason why this message is that short. It was originally intended to
> be the last resort and not meant to be shown in usual access denied cases.
> What I thought here was, that you modify your views according to the
> current situation, i.e. you never see a link to some restricted resource,
> or at least those links will trigger authentication and call an
> authentication entry point. However, if you have good use cases for why we
> would need a nice access denied view, we could add this simply as a
> feature for FLOW3 1.1.
>
> Looking forward to your responses.
>
> Greets Andi
>
> On 26.10.11 23:20, "Peter Russ" <peter.russ at 4many.net> wrote:
>
>> --- Original message ---
>> Sender:   Bernhard Fischer
>> Date:       26.10.2011 10:48:
>>>>> Hi all,
>>>>>
>>>>> I always get the expressionless "Access Denied!" message if a method,
>>>>> based on its role, will be denied. What's the right way to inject a
>>>>> customized view to inform the already logged in user, that he does not
>>>>> have enough rights to use this method or action?
>>>>>
>>>>> Anyone out there to make a proposal?
>>>>>
>>>>> Bernhard
>>>>
>>>> I would try to add an aspect around
>>>>
>>>> \TYPO3\FLOW3\Security\Aspect\setAccessDeniedResponseHeader->setAccessDeniedResponseHeader
>>>>
>>>>
>>> I also had the awful feeling that this might be the proper way. I will
>>> have a closer look at AOP.
>>
>> awful? AOP is the right way to go!
>>
>> --
>> Fiat lux! Docendo discimus.
>>
> Andreas Förthner
> Head of Web Development
>
> Telefon: +49 (911) 539909 - 0
> E-Mail: andreas.foerthner at netlogix.de
> Website: media.netlogix.de
>
>
> _____________________________
>> uon GbR
>>
>> http://www.uon.li
>> http://www.xing.com/profile/Peter_Russ
