[Flow] The confusing policy role stuff
Aimo Kuenkel
mail at aimo.cc
Tue Feb 11 21:52:55 CET 2014
Hi Jan,
First of all: make everything that should be protected a resource. E.g.:

resources:
  methods:
    'Foo': 'method(Vendor\Package\Controller\CoffeeBeanController->(index|show)Action())'
    'Bar': 'method(Vendor\Package\Controller\CoffeeBeanController->(new|create|edit|update|delete)Action())'

This will be enough to prevent not-logged-in users from calling it.
If not, you have a typo or some other misconfiguration!
Then, as you already noted, there are two types of persons allowed to access something:

roles:
  DefaultUser: []
  AdvancedUser: ['DefaultUser']

Watch out for indentation -> two spaces is the only allowed indentation - nothing else!
Wire users and resources via the ACLs:

acls:
  'DefaultUser':
    methods:
      'Foo': GRANT
  'AdvancedUser':
    methods:
      'Bar': GRANT
There are two more things:
1) Don't secure the logout action! If you secure the logout action and some not-logged-in user calls it, it might redirect the user to the login form. If he then logs in, he might be redirected back to the logout action (because that's where he came from), and then... well...
2) You say "The create and update Actions are called by the Controller". Either it's just not an action, or the controller won't call it itself, OR I really didn't get your use case.
Greetings,
Aimo
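Putting the two messages together, here is a complete Policy.yaml for Jan's scenario (CoffeeBeanController plus LoginController, roles User and Advanced). This is an added example, not a file from Aimo's or Jan's mails and not shipped by Flow; it follows the resource/role/acl pattern of the answer above. 'Vendor\Package' stands in for the real package namespace, and the resource names 'CoffeeBean_Read' and 'CoffeeBean_Write' are made up here.

```yaml
# Added example (not from the original thread): Policy.yaml for Jan's setup.
# 'Vendor\Package' is a placeholder for the real package namespace;
# the resource names below are chosen here and can be anything.
resources:
  methods:
    # Read-only CoffeeBean actions: every logged-in User may call these.
    'CoffeeBean_Read': 'method(Vendor\Package\Controller\CoffeeBeanController->(index|show)Action())'
    # Write actions: Advanced users only. create/update are included because
    # they are actions of the same controller and would otherwise stay open.
    'CoffeeBean_Write': 'method(Vendor\Package\Controller\CoffeeBeanController->(new|create|edit|update|delete)Action())'
    # Nothing from the LoginController is listed on purpose: index, register,
    # authenticate and create must stay reachable for anonymous visitors, and
    # securing logoutAction would bounce a fresh login straight back into a
    # logout (point 1 in the answer above).

roles:
  User: []
  Advanced: ['User']   # Advanced inherits every grant made to User

acls:
  'User':
    methods:
      'CoffeeBean_Read': GRANT
  'Advanced':
    methods:
      'CoffeeBean_Write': GRANT
```

With this file, an anonymous visitor can still reach everything in the LoginController but is denied on every CoffeeBean action, because a method that is defined as a resource and not granted to one of the caller's roles is refused. If a protected action is still reachable, check the two-space indentation and that the class name in the pointcut matches the real controller exactly, including the Vendor\Package part.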
-----Original Message-----
From: flow-bounces at lists.typo3.org [mailto:flow-bounces at lists.typo3.org] On behalf of Jan Greth
Sent: Tuesday, 11 February 2014 21:35
To: flow at lists.typo3.org
Subject: [Flow] The confusing policy role stuff
Hi at all,
I'm a bit confused about the whole roles, resources and acls stuff.
Let's say I have the example CoffeeBean Controller with index, show, new, create, edit, update and delete action.
I also have a simple Login Controller with index, authenticate, register, create and logout action. The login stuff works fine, but now I'm wondering about the following things:
Even if I'm not logged in, I can call all(!) actions from all Controllers without any problem. How can I fix it?
There should be two groups of Users, so my section of Policy.yaml will look like this:

roles:
  User: []
  Advanced: ['User']
A non-logged-in Person should only be able to call the register and index action from the LoginController (authenticate and create are called by the Controller itself, and logout should only be called by a logged-in Person).
User(s) should be able to call the index and show action of the CoffeeBeanController.
Advanced (Users) should be able to use all User actions and additionally be able to use the new, edit and delete Actions. (The create and update Actions are called by the Controller.)
So: How would you set up the

resources:
  methods:
    ...

and

acls:
  User:
    methods:
  Advanced:
    methods:

section of the Policy.yaml file? In general: What do I have to do to secure my Application, so that nothing but the Login methods can be called? Is there any Tutorial except the Documentation? This is quite confusing... :(
I would be glad if anyone could give me an example.
So long, a nice evening and good night,
Jan
_______________________________________________
Flow mailing list
Flow at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/flow