[Flow] Deny access by policy not working
Frans Saris
franssaris at gmail.com
Wed Jun 26 13:23:53 CEST 2013
Hi,
with some help from the flow IRC I found one of my problems. The defined
method wasn't ok. Make sure the given method matches a class+method. And
leave out the first backslash.
TestPolicy: 'method(\Beech\Task\TaskController->NewAction())'
=>
TestPolicy: 'method(Beech\Task\TaskController->newAction())'
Next problem on my list; I defined some rules for Anonymous but this fails
because Flow forces the user to authenticate...
Do I have to/can I automatically authenticate every user as Anonymous?
gr. Frans
2013/6/26 Frans Saris <franssaris at gmail.com>
> Hi,
>
> still same problem. Tested it with a policy without wildcard (TestPolicy:
> 'method(\Beech\Task\TaskController->NewAction())') but no luck.
>
> I debugged a little and found that
> TYPO3\Flow\Security\Policy\PolicyService\matches() is never called.
> Can not find anything in the reflected source where this should be called.
> Added some debug output in every place where a ->matches($targetClassName,
> $methodName, $methodDeclaringClassName, $pointcutQueryIdentifier) method is
> called but it looks like it's never called.
>
> Is it possible the policy aspect isn't added correctly in the reflection?
>
> gr. Frans
>
>
>
> 2013/6/22 Mario Beiser <mariobeiser at googlemail.com>
>
> > Dear Christian,
> >
> > thanks for explanation. Unfortunately, I can not report success.
> > I tried out your suggestions, without any changes.
> >
> > I pulled master again to double check.
> >
> > @Frans:
> > Can you second that? No changes with Christian's recommended changes?
> >
> >
> > 2013/6/22 Christian Müller <christian.mueller at typo3.org>
> >
> > > Hey both of you,
> > >
> > > I can at least say it should work with master...
> > >
> > >
> > >
> > >> Someone any hints how to debug this?
> > >>
> > >
> > > Here is again my policy:
> > >>> ------------------------------------------------------
> > >>> resources:
> > >>>   methods:
> > >>>     RestrictedArea:
> > >>>       'method(My\Package\Controller\CalculateController->*())'
> > >>>
> > >>
> > > This at least is wrong, you should understand it similar to a regular
> > > expression not a filesystem glob, so:
> > >
> > > 'method(My\Package\Controller\CalculateController->.*())'
> > >
> > > Would target all methods in the CalculateController (notice the . before
> > > *), what you really want to do for controllers is target only Actions ->
> > >
> > > 'method(My\Package\Controller\CalculateController->.*Action())'
> > >
> > > Try that and let's see if it helps.
> > >
> > > The Security log in Data/Logs should also give you some insights...
> > >
> > > And one additional remark, you rarely should have to DENY a resource,
> > > because any defined resource that is not explicitly GRANTed will result in
> > > an implicit deny anyway. You only need to DENY if you want to overrule a
> > > GRANT and you should try to avoid DENY as much as possible as a DENY cannot
> > > be overruled anymore.
> > >
> > > Cheers,
> > > Christian
> > >
> > >
> >
> >
> >
> > --
> > ----------------
> > Mario Beiser
> > 5, Allèe Francois Mitterand
> > F-67400 Illkirch-Graffenstaden
> >
> > email: mariobeiser at googlemail.com
> > mobile: 0049 170 2469488
> >
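An added example, not part of the original thread and not Flow's own code: a small Python linter for the mistakes found above (leading backslash, wrong method-name case, and a glob-style `*` where the regex form `.*` is needed). `KNOWN_METHODS` and `lint_pointcut` are hypothetical names, the method inventory is constructed, and the matching is a simplification of what the thread describes, not Flow's pointcut matcher.

```python
import re

# Constructed inventory of class -> method names (assumption: a real check
# would build this from the project's own code, e.g. by reflection).
KNOWN_METHODS = {
    "Beech\\Task\\TaskController": ["newAction", "listAction", "injectTaskRepository"],
}

# Splits method(Class->methodPattern(args)) into class and method pattern.
POINTCUT = re.compile(r"^method\((?P<cls>[^()]+?)->(?P<meth>[^()]*)\(.*\)\)$")


def lint_pointcut(expr, known=KNOWN_METHODS):
    """Return a list of warnings for one method() pointcut expression."""
    m = POINTCUT.match(expr.strip())
    if not m:
        return ["not a method(Class->method()) expression"]
    cls, meth = m.group("cls"), m.group("meth")
    warnings = []
    if cls.startswith("\\"):
        warnings.append("leading backslash on class name")
        cls = cls.lstrip("\\")
    # '*' with no '.' in front is glob syntax; the thread says to read the
    # pattern like a regular expression, so the wildcard is '.*'.
    if re.search(r"(?<!\.)\*", meth):
        return warnings + ["bare '*' in method pattern; use '.*'"]
    try:
        exact = re.compile(meth)
        loose = re.compile(meth, re.IGNORECASE)
    except re.error as err:
        return warnings + [f"method pattern is not a valid regex: {err}"]
    # Simplification: class names are compared literally, methods as regex.
    if any(exact.fullmatch(name) for name in known.get(cls, [])):
        return warnings
    near = [name for c, names in known.items() if c.lower() == cls.lower()
            for name in names if loose.fullmatch(name)]
    if near:
        warnings.append("case mismatch; did you mean " + ", ".join(near) + "?")
    else:
        warnings.append("matches no known class+method")
    return warnings


if __name__ == "__main__":
    for expr in (r"method(\Beech\Task\TaskController->NewAction())",
                 r"method(Beech\Task\TaskController->newAction())",
                 r"method(Beech\Task\TaskController->*())",
                 r"method(Beech\Task\TaskController->.*Action())"):
        print(expr, "->", lint_pointcut(expr) or "ok")
```

A policy resource that matches nothing protects nothing, so a check like this is worth running whenever Policy.yaml or a controller method name changes.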