[FLOW3-general] How to secure a controller?
Bastian Waidelich
bastian at typo3.org
Tue Jan 15 15:14:37 CET 2013
Qbus | Axel Wüstemann wrote:
Hi Axel,
>>>> 'method(Your\Package\Controller\(Foo|Bar)Controller->(?<!initialize).*Action())'
>> This expands to:
>> All methods in \Your\Package\Controller\FooController *or*
>> \Your\Package\Controller\BarController that end on *Action* and don't
>> start with *initialize*.
> This I understood... and I read the AOP Doc! ;=) But all this is complex
> stuff and I'm just starting with Flow.
No need to apologize!
I don't really get your question though. What exactly is not clear?
"Foo" and "Bar" are usually used as placeholders. Let's make it more
concrete:
Imagine you have a "ProductController" and a "CategoryController" and
you want to make sure that only logged in users are allowed to call
actions of those.
With:
resources:
  methods:
    'Product_Actions':
      'method(Your\Package\Controller\ProductController->(?<!initialize).*Action())'
    'Category_Actions':
      'method(Your\Package\Controller\CategoryController->(?<!initialize).*Action())'
You create two resources "Product_Actions" and "Category_Actions".
As soon as there exists at least one resource for a method, this method
is *not allowed* to be called by default.
You can then change that in the ACL section of your Policy.yaml:
acls:
  'Administrator':
    methods:
      Product_Actions: GRANT
      Category_Actions: GRANT
Now logged in users with the role "Administrator" are allowed to invoke
the product & category actions.
Instead of creating one resource for each controller you can combine the
above to:
resources:
  methods:
    Product_Actions:
      'method(Your\Package\Controller\(Product|Category)Controller->(?<!initialize).*Action())'
Now the resource "Product_Actions" matches all actions of the product
*and* the category controller.
I hope that made it clearer to you!?
--
Bastian Waidelich
--
Core Developer Team
TYPO3 .... inspiring people to share!
Get involved: typo3.org
More information about the Flow mailing list
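The pieces above pulled together into one Policy.yaml, as an added example that is not from the thread or from the Flow project itself. It assumes the role names "Editor" and "Administrator" and the package namespace Your\Package from the message; the roles section and the parent-role notation are Flow's Policy.yaml conventions for declaring a role hierarchy. Because any method covered by a resource is denied unless an ACL grants it, the editor role is limited to product actions while administrators inherit that grant and additionally get category actions.

```yaml
# Policy.yaml (constructed example, not from the original message)
# Roles: Administrator inherits everything granted to Editor.
roles:
  Editor: []
  Administrator: [Editor]

# Method resources: every *Action method (except the initialize* ones the
# pointcut is meant to skip) of the two controllers becomes protected.
resources:
  methods:
    'Product_Actions':
      'method(Your\Package\Controller\ProductController->(?<!initialize).*Action())'
    'Category_Actions':
      'method(Your\Package\Controller\CategoryController->(?<!initialize).*Action())'

# ACLs: nothing is granted by default once a resource exists for a method,
# so each role only receives the actions it actually needs.
acls:
  'Editor':
    methods:
      Product_Actions: GRANT
  'Administrator':
    methods:
      Category_Actions: GRANT
```

Anonymous requests match neither role, so both controllers stay closed to them; a user with only "Editor" reaches product actions but is denied category actions.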