[FLOW3-general] How to secure a controller?
John Small
flow3.tiny69 at net-con.net
Sun Jan 13 12:49:56 CET 2013
Hello,
don't put the LoginController in the resources, because then you actually
need to be logged in to access it!
Everything mentioned in the resources is blocked by default.
On 13.01.2013 12:10, Qbus | Axel Wüstemann wrote:
> Thank you Steffen. Unfortunately your proposal ends up with
> Fehler 310 (net::ERR_TOO_MANY_REDIRECTS): Zu viele Umleitungen.
> While the first proposal works...
>>
>> But as mentioned in the documentation, the preferred way is to use the
>> Policy.yaml. There are no security concerns about it, as it's not
>> accessible through the browser and can't be modified by another user.
>> So you should have a look in the AOP part of the documentation. There is
>> an excellent explanation of the pointcut syntax which is used by
>> Policy.yaml to define method calls. To achieve your desired security
>> level you just have to define only two resources and two acls as follows
>> (as well not tested by me):
>>
>> resources:
>>   entities: []
>>   methods:
>>     Login: 'method(VENDOR\PACKAGE\Controller\LoginController->.*Action())'
>>     SecuredArea: 'method(VENDOR\PACKAGE\Controller\.*->.*Action())'
>>
>> roles:
>>   Administrator: []
>>
>> acls:
>>   Everybody:
>>     methods:
>>       Login: GRANT
>>
>>   Administrator:
>>     methods:
>>       SecuredArea: GRANT
>>
>>
>> So everybody is allowed to perform actions on your LoginController
>> action methods (named "Login" in resource part) but the access to all
>> other controller calls (defined as SecuredArea) without authentication
>> (and without Administrator role) would be restricted. Don't worry about
>> the "missing" Login definition for the Administrator role; it's inherited
>> from the Everybody role.
>>
>> Greetings
>> Steffen
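To make the two points of this thread concrete (a method listed under resources is blocked unless some role is granted it, and Everybody's grants apply to every visitor, logged in or not), here is an added Python model of the posted Policy.yaml; it is not Flow's own policy evaluator, its grant/deny rule is an assumption drawn from the thread, and it includes a second, deliberately broken policy that covers the LoginController only through SecuredArea.

```python
import re
# Constructed policy: the two resources and two ACLs from the thread, as a
# plain dict in the nesting a Policy.yaml would have (no YAML parser needed).
POLICY = {
    "resources": {"methods": {
        "Login": r"method(VENDOR\PACKAGE\Controller\LoginController->.*Action())",
        "SecuredArea": r"method(VENDOR\PACKAGE\Controller\.*->.*Action())",
    }},
    "acls": {
        "Everybody": {"methods": {"Login": "GRANT"}},
        "Administrator": {"methods": {"SecuredArea": "GRANT"}},
    },
}
# Broken variant: LoginController covered only by SecuredArea, the case John
# warns about (a visitor would need to be logged in to reach the login action).
BROKEN_POLICY = {
    "resources": {"methods": {
        "SecuredArea": r"method(VENDOR\PACKAGE\Controller\.*->.*Action())"}},
    "acls": {"Administrator": {"methods": {"SecuredArea": "GRANT"}}},
}

def pointcut_to_regex(pointcut):
    """Turn a method() pointcut into a regex over 'Class->method' strings.
    Only the wildcard subset used above is handled (an assumption)."""
    inner = re.fullmatch(r"method\((.+)\)", pointcut).group(1)
    inner = inner[:-2] if inner.endswith("()") else inner  # drop call parens
    # backslashes are namespace separators, not escapes; '.*' stays a wildcard
    return re.compile(inner.replace("\\", "\\\\") + r"\Z")

def matching_resources(policy, call):
    return [name for name, pc in policy["resources"]["methods"].items()
            if pointcut_to_regex(pc).match(call)]

def is_allowed(policy, roles, call):
    """Simplified rule (assumption, not Flow's implementation): a method in no
    resource is unprotected; a covered one needs a GRANT from one of the
    caller's roles, Everybody always included; an explicit DENY wins."""
    effective = set(roles) | {"Everybody"}
    decisions = set()
    for res in matching_resources(policy, call):
        for role in effective:
            decisions.add(policy["acls"].get(role, {}).get("methods", {}).get(res))
    if not decisions:  # not mentioned in any resource -> not blocked
        return True
    return "DENY" not in decisions and "GRANT" in decisions

LOGIN = r"VENDOR\PACKAGE\Controller\LoginController->indexAction"
ADMIN = r"VENDOR\PACKAGE\Controller\AdminController->indexAction"
```

With BROKEN_POLICY, is_allowed(BROKEN_POLICY, [], LOGIN) returns False: an anonymous visitor is sent to a login action that is itself protected, which is the situation John's reply describes.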