[FLOW3-general] How to secure a controller?
Christian Müller
christian.mueller at typo3.org
Fri Jan 11 10:23:13 CET 2013
Hi Axel,
On 11/01/13 09:21, Qbus | Axel Wüstemann wrote:
> Thank you Steffen,
>
> of course I read the documentation. Maybe the authors could decide to
> illustrate at first the most simple solution case and then go further
> into all possible details... so the documentation might become more
> understandable.
Yes, documentation could always get better; we are happy about any help ;)
> What you wrote was a bit my assumption, that this could be the
> solution. But by this, my security depends on the existence of the
> policy.yaml file! Why then encrypted passwords in the database and all
> that stuff, if it would be enough to drop the policy.yaml to kick off
> all my security stuff?
If someone has access to your files, you are in trouble anyway... They
are outside of the webroot if the setup is as we point out in the documentation.
>
> ----
>
> 'method(Vendor\Package\Controller\StandardController->.*Action())'
>
> What does this really mean?
It is a pointcut expression (see AOP chapter of the manual) matching
methods (you can use regular expression syntax there).
>
> Do I need to write this for each controller? All of my controllers are
> behind the login. Is there a simpler solution?
You can do something like:
'method(Vendor\Package\Controller\.*->.*Action())'
All Controllers, all actions in Vendor.Package. Make sure to split off
your login controller... Also note that any resource (that is method in
this case) that matches the expression will automatically be protected,
so you need to GRANT access for roles to it. An explicit DENY is
normally not needed. Just remember a defined resource is implicitly
denied for all unless you GRANT. An explicit DENY will override any GRANT.
Cheers,
Christian
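The Policy.yaml layout Christian describes above (one resource covering every action in the package, the login controller split off so it stays reachable, everything else granted only to an authenticated role), as an added example that is not from the original thread; the package, resource and role names are hypothetical, and the `resources`/`roles`/`acls` layout is the Flow 1.x/2.x Policy.yaml format assumed here:

```yaml
# Configuration/Policy.yaml (hypothetical package Vendor.Package; Flow 1.x/2.x
# Policy.yaml layout assumed). Every method matched by a resource below is
# implicitly DENIED until some role is GRANTed access, so the login actions are
# excluded from the protected resource and opened up separately.
resources:
  methods:
    # All actions of all controllers in the package, minus the login controller.
    # Pointcut expressions may be combined with && and negated with !.
    Vendor_Package_ProtectedActions: 'method(Vendor\Package\Controller\.*->.*Action()) && !method(Vendor\Package\Controller\LoginController->.*Action())'
    # The login controller on its own, so it can be granted explicitly.
    Vendor_Package_LoginActions: 'method(Vendor\Package\Controller\LoginController->.*Action())'

roles:
  # Application role given to authenticated accounts (hypothetical name).
  Editor: []

acls:
  Editor:
    methods:
      # Without this GRANT every protected action stays denied, even when logged in.
      Vendor_Package_ProtectedActions: GRANT
  # Built-in role held by every request, authenticated or not
  # (its exact name depends on the Flow version in use).
  Everybody:
    methods:
      Vendor_Package_LoginActions: GRANT
```

If the login actions were left inside the protected resource, or the `Everybody` GRANT were dropped, the implicit DENY would lock anonymous users out of the login form itself and nobody could authenticate.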