[Flow] Strange Issues with sessions and ACLs

Christian Müller christian.mueller at typo3.org
Thu Sep 26 13:01:41 CEST 2013


Hi Christian,

thanks for looking so far into that. Next week will be a code sprint
with all of us sitting together; I will bring this topic up with the
security guys, let's see if we can find a solution, as that would indeed be
a rather big bug.

Christian

Christian Loock wrote:
> So for those curious: it seems like there is a bug we couldn't determine
> further in the current development head of Flow. After changing back to
> 2.0, everything works again.
>
> On 19.09.2013 11:43, Frans Saris wrote:
>> Hi,
>>
>> My experience is that Anonymous does not work. You have to exclude the
>> controller functions from the permission checks.
>>
>> Search the mailinglist archive for some more info and examples
>>
>> Gr. Frans
>> On 19 Sep 2013 10:10, "Christian Loock" <chl at vkf-renzel.de> wrote the
>> following:
>>
>>> Hello fellow Flowers,
>>>
>>> I have encountered some unexpected behaviour when trying to create a
>>> Controller that should not be guarded by Flow's Security Framework.
>>>
>>> I created a controller that should be viewable by everybody. I added
>>> it to the Policy.yaml of my package as follows:
>>>
>>> resources:
>>>   methods:
>>>     VKF.Admin.UploadController: 'method(VKF\Admin\Controller\UploadController->.*())'
>>>
>>> acls:
>>>   Anonymous:
>>>     methods:
>>>       VKF.Admin.UploadController: GRANT
>>>   Everybody:
>>>     methods:
>>>       VKF.Admin.UploadController: GRANT
>>>
>>>
>>> However, whenever I try to call the controller I get redirected to the
>>> login action of my auth controller. I am not logged in. What is even
>>> more strange is the error I get after I got redirected:
>>>
>>> #1: Notice: unserialize() [function.unserialize]:
>>> Error at offset 5337 of 5396 bytes in /home/www/flow_vkf_search_chl/Packages/Framework/TYPO3.Flow/Classes/TYPO3/Flow/Cache/Frontend/VariableFrontend.php
>>> line 86
>>>
>>> To get rid of this error, I need to delete my Session cookie.
>>>
>>> The cookie is created, when I call my controller.
>>>
>>> Here is also a message from my Security.log
>>>
>>> 13-09-19 10:07:00 60744 10.2.0.14 NOTICE Flow
>>> Authentication failed: "Could not authenticate any token. Might be missing
>>> or wrong credentials or no authentication provider matched." #1222204027
>>> 13-09-19 10:07:00 60744 10.2.0.14 NOTICE Flow
>>> Authentication failed: "Could not authenticate any token. Might be missing
>>> or wrong credentials or no authentication provider matched." #1222204027
>>> 13-09-19 10:07:00 60744 10.2.0.14 INFO Flow
>>> Redirecting to authentication entry point with URI - undefined -
>>>
>>> In the docs it is stated as follows:
>>>
>>> TYPO3 Flow will always add the magic Everybody role, which you don't
>>> have to configure yourself. This role will also be present, if no account is
>>> authenticated.
>>>
>>> So, I don't really understand why I am redirected to the login, even
>>> though I granted the controller to everybody....
>>>
>>>
>>> Any ideas what I could have done wrong here?
>>>
>>>
>>> _______________________________________________
>>> Flow mailing list
>>> Flow at lists.typo3.org
>>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
>>>
>>>
>
