[Flow] You are not allowed to perform this action
Mark Kuiphuis
mark at capesso.com.au
Fri Mar 6 07:57:03 CET 2015
Phew,
Took me pretty much the whole day to figure this one out.
ACLs are apparently still used in TYPO3 Flow 2.3.* despite the
documentation
http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartIII/Security.html
telling otherwise:
*****
Note
With version *2.3* of Flow the security framework was subject to a major
refactoring. In that process the format of the policy configuration was
adjusted in order to gain flexibility. Amongst others the term resource
has been renamed to privilege and ACLs are now configured directly with
the respective role. All changes are covered by code migrations, so make
sure to run the ./flow core:migrate command when upgrading from a
previous version.
*****
The problem ultimately was in my Policy.yaml file. Previously I declared
a method in resources to allow access to everybody when a controller in
the "Front" subpackage was called (all URLs here don't require an
authenticated user).

resources:
  methods:
    Vendor_Package_Front: 'method(Vendor\PackageFront\Controller\.*->.*())'
acls:
  Everybody:
    methods:
      Vendor_Package_Front: GRANT

So, while this code is on the live server of one of our clients and
where it doesn't cause a problem, it suddenly caused problems when doing
a local deployment to one of our staging servers.
Removing these two lines from the Policy.yaml file solved my problem...
(but I don't really understand why it never caused problems, but does now)
Cheers, Mark
On 6/03/2015 9:36 am, Mark Kuiphuis wrote:
> It looks like I have an outdated Policy.yaml (including ACLs)....
>
> I read here:
> http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartIII/Security.html
> that I could run a ./flow core:migrate but the script tells me that my
> working copy is dirty and therefore no changes are made....
>
> (I'll keep investigating and see how I go)
>
> Cheers, Mark
>
> On 6/03/2015 6:44 am, Mark Kuiphuis wrote:
>> Hi all,
>>
>> I just tried to upgrade our application (deployment with TYPO3.Surf).
>> My composer.json was loading the latest version of TYPO3/Flow 2.3.* so
>> automatically 2.3.2 was downloaded.
>>
>> After the deployment whenever I try to login to our application I get
>> the following error:
>>
>> #1216919280: You are not allowed to perform this action.
>>
>> The full stacktrace does not refer to any of the files in one of our own
>> packages which leads me to believe there is potentially a problem in
>> TYPO3.Flow (but I could be totally wrong).
>>
>> The Exceptions.txt contains the following piece of code:
>>
>> ############
>> Uncaught exception #1216919280 in line 69 of
>> /var/www/applications/client/releases/20150306053852/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/TYPO3_Flow_Security_Authorization_RequestFilter.php:
>>
>> You are not allowed to perform this action.
>>
>> 15 TYPO3\Flow\Security\Authorization\Interceptor\AccessDeny_Original::invoke()
>> 14 TYPO3\Flow\Security\Authorization\RequestFilter_Original::filterRequest(TYPO3\Flow\Mvc\ActionRequest)
>> 13 TYPO3\Flow\Security\Authorization\FilterFirewall_Original::blockIllegalRequests(TYPO3\Flow\Mvc\ActionRequest)
>> 12 TYPO3\Flow\Security\Aspect\RequestDispatchingAspect_Original::blockIllegalRequestsAndForwardToAuthenticationEntryPoints(TYPO3\Flow\Aop\JoinPoint)
>> 11 TYPO3\Flow\Aop\Advice\AroundAdvice::invoke(TYPO3\Flow\Aop\JoinPoint)
>> 10 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
>> 9 TYPO3\Flow\Mvc\Dispatcher::dispatch(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
>> 8 call_user_func_array(array|2|, array|2|)
>> 7 TYPO3\Flow\Object\DependencyInjection\DependencyProxy::__call("dispatch", array|2|)
>> 6 TYPO3\Flow\Object\DependencyInjection\DependencyProxy::dispatch(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
>> 5 TYPO3\Flow\Mvc\DispatchComponent_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
>> 4 TYPO3\Flow\Http\Component\ComponentChain_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
>> 3 TYPO3\Flow\Http\Component\ComponentChain_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
>> 2 TYPO3\Flow\Http\RequestHandler::handleRequest()
>> 1 TYPO3\Flow\Core\Bootstrap::run()
>> ############
>>
>> After searching for this error code I changed the
>> TYPO3.Flow.security.enable from TRUE to FALSE. Flushed the cache, warmed
>> up the cache and now it allows me to login. But since we don't only use
>> authentication, but also authorization (certain users don't have access
>> to certain parts of the application) they now suddenly do, because of
>> the FALSE value for TYPO3.Flow.security.enable
>>
>> Then my thought was that my Policy.yaml could potentially contain a bug,
>> however running the command: ./flow configuration:show Policy (to make
>> sure my rules which are defined in one package) did reveal all entries
>> from our Policy.yaml
>>
>> Then the command: ./flow configuration:validate Policy returned that the
>> Policy was valid.
>>
>> Then I redid the deployment, but now set the TYPO3 Flow version back to
>> 2.3.1 in the composer.json and ran another deployment. Now the same
>> error also appears on 2.3.1. (never did that before)
>>
>> Any ideas?
>>
>> The website runs on a Debian 7.8. machine with PHP Version:
>> 5.4.38-1~dotdeb.1
>>
>> Thanks in advance,
>>
>> Mark Kuiphuis
>
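
Added example, not part of the original post or of the Flow project: the legacy Policy.yaml block from the message above next to the same rule written in the Flow 2.3 policy format that the quoted documentation note describes (privilege targets, with permissions configured on the role). The privilege target identifier `Vendor.Package:Front` is an assumed name; the matcher is copied unchanged from the post.

```yaml
# Legacy (pre-2.3) format, as posted:
#
# resources:
#   methods:
#     Vendor_Package_Front: 'method(Vendor\PackageFront\Controller\.*->.*())'
# acls:
#   Everybody:
#     methods:
#       Vendor_Package_Front: GRANT

# Flow 2.3 format: the former "resource" becomes a privilege target,
# grouped under the privilege class that evaluates it.
privilegeTargets:
  'TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    # Assumed identifier (hypothetical name chosen for this example).
    'Vendor.Package:Front':
      # Matcher expression taken verbatim from the legacy "resources" entry.
      matcher: 'method(Vendor\PackageFront\Controller\.*->.*())'

# The former "acls" entry moves into the role itself.
roles:
  'TYPO3.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Front'
        permission: GRANT
```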