Feature #29907

Redirect to /login instead of raising a "Entity not found." exception if the userdata of an active session has been deleted

Added by Martin Brüggemann almost 4 years ago. Updated almost 2 years ago.

Status:Resolved Start date:2011-09-16
Priority:Must have Due date:
Assigned To:Karsten Dambekalns % Done:

100%
Category:Security
Target version:TYPO3 Flow Base Distribution - 2.1
PHP Version: Complexity:
Has patch:No

Description

If you are logged in into a secured FLOW3 project and delete the corresponding db user (for whatever reasons). There's an exception "Entity not found." raised instead - maybe caused by the invalid cookie data. It would be nicer, if the user would be redirected to the login page defined by "entryPoint:WebRedirect:uri:".

Bildschirmfoto_2011-09-16_um_19.19.04.png (123.7 kB) Martin Brüggemann, 2011-09-16 19:30

Bildschirmfoto_2013-01-19_um_12.43.01.png (76.5 kB) Martin Brüggemann, 2013-01-19 12:44

Bild_04.03.13_um_11.36.jpg (581.7 kB) Bastian Waidelich, 2013-03-04 11:37

Bild_04.03.13_um_11.36.jpg (581.7 kB) Bastian Waidelich, 2013-03-04 11:38

Related issues

related to TYPO3.Flow - Bug #37001: Catch Exception from inactivityTimeout Resolved 2012-05-09

Associated revisions

Revision 940f56d1
Added by Karsten Dambekalns over 2 years ago

[BUGFIX] Redirect instead of raising "Entity not found" exception

If you are logged in into a secured Flow project and delete the
corresponding db user (for whatever reasons) an exception "Entity not
found" is raised and not caught.

With this change the exception is caught and instead PolicyEnforcement
will throw an AuthenticationRequiredException, usually calling a
redirect to the configured login page.

Change-Id: I5ae0ae2c174314ceb21ae641cd4ef140ca82efb7
Resolves: #29907
Releases: master, 2.0

Revision 7b1564bf
Added by Karsten Dambekalns over 2 years ago

[BUGFIX] Redirect instead of raising "Entity not found" exception

If you are logged in into a secured Flow project and delete the
corresponding db user (for whatever reasons) an exception "Entity not
found" is raised and not caught.

With this change the exception is caught and instead PolicyEnforcement
will throw an AuthenticationRequiredException, usually calling a
redirect to the configured login page.

Change-Id: I5ae0ae2c174314ceb21ae641cd4ef140ca82efb7
Resolves: #29907
Releases: master, 2.0

History

#1 Updated by Karsten Dambekalns almost 4 years ago

  • Project changed from TYPO3 Flow Base Distribution to TYPO3.Flow

#2 Updated by Karsten Dambekalns almost 4 years ago

  • Category set to Security

#3 Updated by Karsten Dambekalns over 2 years ago

  • Status changed from New to Needs Feedback
  • Assigned To changed from Andreas Förthner to Karsten Dambekalns
  • Has patch set to No

Is this solved with #37001 maybe?

#4 Updated by Martin Brüggemann over 2 years ago

This is still a problem. If you are developing doctrine models and working with fixtures, you'll often have to reset the whole database. So please, please, please just redirect to the login-url and kill the session, if the user of the session does not exists in the DB anymore. THIS IS A SHOWSTOPPER FOR BEGINNERS! :(

#5 Updated by Karsten Dambekalns over 2 years ago

  • Status changed from Needs Feedback to Accepted

#6 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/17683

#7 Updated by Karsten Dambekalns over 2 years ago

  • Target version set to 2.1

#8 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/17683

#9 Updated by Karsten Dambekalns over 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Bastian Waidelich over 2 years ago

Mh, I still (or again?) get this exception if I log in, reset the db, run migrations and refresh the page (see attachment)

#11 Updated by Bastian Waidelich over 2 years ago

Mh, I still (or again?) get this exception if I log in, reset the db, run migrations and refresh the page (see attachment)

#12 Updated by Bastian Waidelich over 2 years ago

Ok, in my case the code that ends up in this exception is:

 1protected function initializeAction() {
 2    $activeTokens = $this->securityContext->getAuthenticationTokens();
 3    foreach ($activeTokens as $token) {
 4        if ($token->isAuthenticated()) {
 5            $this->account = $token->getAccount();
 6            $this->party = $this->account->getParty();
 7        }
 8    }
 9}

When the account does not exist any more, $token->isAuthenticated() still returns TRUE if the token was loaded from the session.
$token->getAccount() is an instance of TYPO3\Flow\Persistence\Doctrine\Proxies\_CG__\TYPO3\Flow\Security\Account_ that throws the \Doctrine\ORM\EntityNotFoundException whenever it is accessed.
I worked around this as follows:

 1protected function initializeAction() {
 2    $activeTokens = $this->securityContext->getAuthenticationTokens();
 3    foreach ($activeTokens as $token) {
 4        if ($token->isAuthenticated()) {
 5            $this->account = $token->getAccount();
 6            try {
 7                $this->party = $this->account->getParty();
 8            } catch (\Doctrine\ORM\EntityNotFoundException $exception) {
 9                $token->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::NO_CREDENTIALS_GIVEN);
10                $this->account = NULL;
11            }
12        }
13    }
14}

But this feels rather hacky..

#13 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/19074

#14 Updated by Karsten Dambekalns over 2 years ago

  • Status changed from Under Review to Resolved

Also available in: Atom PDF