[Flow] Deny access by policy not working

Frans Saris franssaris at gmail.com
Wed Jun 26 09:04:16 CEST 2013


Hi,

Still the same problem. Tested it with a policy without wildcard (TestPolicy:
'method(\Beech\Task\TaskController->NewAction())') but no luck.

I debugged a little and found that
TYPO3\Flow\Security\Policy\PolicyService\matches() is never called.
I cannot find anything in the reflected source where this should be called.
Added some debug output in every place where a ->matches($targetClassName,
$methodName, $methodDeclaringClassName, $pointcutQueryIdentifier) method is
called but it looks like it's never called.

Is it possible the policy aspect isn't added correctly in the reflection?

gr. Frans



2013/6/22 Mario Beiser <mariobeiser at googlemail.com>

> Dear Christian,
>
> thanks for explanation. Unfortunately, I can not report success.
> I tried out your suggestions, without any changes.
>
> I pulled master again to double check.
>
> @Frans:
> Can you second that? No changes with Christian's recommended changes?
>
>
> 2013/6/22 Christian Müller <christian.mueller at typo3.org>
>
> > Hey both of you,
> >
> > I can at least say it should work with master...
> >
> >
> >
> >> Someone any hints how to debug this?
> >>
> >
> >  Here is again my policy:
> >>> ----------------------------------------------------
> >>> resources:
> >>>    methods:
> >>>      RestrictedArea:
> >>> 'method(My\Package\Controller\CalculateController->*())'
> >>>
> >>
> > This at least is wrong, you should understand it similar to a regular
> > expression not a filesystem glob, so:
> >
> > 'method(My\Package\Controller\CalculateController->.*())'
> >
> > Would target all methods in the CalculateController (notice the . before
> > *), what you really want to do for controllers is target only Actions ->
> >
> > 'method(My\Package\Controller\CalculateController->.*Action())'
> >
> > Try that and let's see if it helps.
> >
> > The Security log in Data/Logs should also give you some insights...
> >
> > And one additional remark, you rarely should have to DENY a resource,
> > because any defined resource that is not explicitly GRANTed will result in
> > an implicit deny anyway. You only need to DENY if you want to overrule a
> > GRANT and you should try to avoid DENY as much as possible as a DENY cannot
> > be overruled anymore.
> >
> > Cheers,
> > Christian
> >
> > _______________________________________________
> > Flow mailing list
> > Flow at lists.typo3.org
> > http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
> >
>
>
>
>
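
The two points from Christian's quoted reply (method expressions are read like regular expressions, and a defined resource without a GRANT is implicitly denied while a DENY always wins), as an added example that is not part of the thread and is not Flow's own code. It is a simplified model: the function names, the roles `Employee` and `Suspended`, the method names, and the rule that a method matched by no resource is not enforced at all are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model, not Flow's policy code.
// Assumption: the method part of a pointcut is matched as an anchored regex.
function methodMatches(string $expr, string $method): bool
{
    // An expression that does not compile (preg_match returns false) matches nothing.
    return @preg_match('/^(?:' . $expr . ')$/', $method) === 1;
}

// Decide access to $method. $resources: name => method expression;
// $acls: role => [resource name => 'GRANT' | 'DENY'] (all names hypothetical).
function decide(array $resources, array $acls, array $roles, string $method): string
{
    $covered = false;
    $granted = false;
    foreach ($resources as $name => $expr) {
        if (!methodMatches($expr, $method)) {
            continue;
        }
        $covered = true;
        foreach ($roles as $role) {
            $privilege = $acls[$role][$name] ?? null;
            if ($privilege === 'DENY') {
                return 'denied (explicit DENY, cannot be overruled)';
            }
            $granted = $granted || $privilege === 'GRANT';
        }
    }
    if (!$covered) {
        return 'not covered by any resource'; // model assumption: nothing is enforced
    }
    return $granted ? 'granted' : 'denied (implicit, no GRANT)';
}

// Constructed sample data.
$acls = ['Employee' => ['RestrictedArea' => 'GRANT'], 'Suspended' => ['RestrictedArea' => 'DENY']];
$methods = ['newAction', 'initializeView'];
foreach (['*', '.*', '.*Action'] as $expr) {
    foreach ($methods as $m) {
        foreach ([[], ['Employee'], ['Employee', 'Suspended']] as $roles) {
            printf("%-9s %-15s [%s] => %s\n", $expr, $m, implode(',', $roles),
                decide(['RestrictedArea' => $expr], $acls, $roles, $m));
        }
    }
}
```

In this model every row for the glob-style `*` reports the method as not covered by any resource, so a mistyped expression leaves the controller without enforcement instead of locking it down.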

