Bug #31905

getInterceptedRequest is NULL but ACL matches correctly DENY

Added by Carsten Bleicker over 3 years ago. Updated about 3 years ago.

Status: Resolved
Start date: 2011-11-18
Priority: Should have
Due date:
Assigned To: -
% Done: 100%
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.0.5
PHP Version: 5.3
Complexity:
Has patch: No
Affected Flow version: FLOW3 1.0.0

Description

hi folks,
I had defined a policy for one method which allows access only if a role exists.
If I call this method without any matching token I get redirected to the defined WebRedirect.
So everything works fine, but getInterceptedRequest() of the security context is NULL. It only holds
an intercepted request if the security check matches a second time. I think there is something wrong with the session?

e.g.:
getInterceptedRequest() is NULL if:
  1. the very first visit of my site provides a form which sends to the controller with the policy.
  2. submitting this form
  3. I get redirected to login
  4. getInterceptedRequest() is NULL
getInterceptedRequest() is filled correctly if:
  1. the very first visit of my site provides a form which sends to the controller with the policy.
  2. submitting this form
  3. I get redirected to login
  4. getInterceptedRequest() is NULL
  5. going back
  6. submitting again
  7. getInterceptedRequest() is filled correctly

any ideas?


Related issues

related to TYPO3.Flow - Bug #31931: AuthenticationController is not working anymore Resolved 2011-11-18
duplicated by TYPO3.Flow - Bug #33311: AuthenticationProviderManager::isAuthenticated does not w... Resolved 2012-01-19

Associated revisions

Revision 4756966d
Added by Johannes K about 3 years ago

[BUGFIX] Authentication: context now reliably stores the intercepted request

On authentication the original intercepted request was not stored,
when there was no current session. The session now gets automatically
initialized via @FLOW3\Session(autoStart=true).

Change-Id: Icc3bc6d1338061459945e97bb1bc8e8981cfc18c
Fixes: #31905
Releases: 1.1

Revision 900a207a
Added by Robert Lemke about 3 years ago

[TASK] Improve security isolation in functional tests

This change makes sure that the intercepted request
(if any) is also cleared on clearContext() and renames the
authentication provider configured for the Testing
context from "DefaultProvider" to "TestingProvider".

Change-Id: Ib8553f5453f5d2c5b63ffc16f4382cfb80da686a
Related: #31905
Releases: 1.1

History

#1 Updated by Carsten Bleicker over 3 years ago

On the first init there is no cookie named FLOW3.

So Bootstrap->initializeSession() tries to resume the session.
But because $_COOKIE[session_name()] is missing, it is not resumed.
This results in getInterceptedRequest() being NULL.

    public function resume() {
        // only resumes when a session cookie already exists; a first visit never reaches startOrResume()
        if ($this->started === FALSE && isset($_COOKIE[session_name()])) {
            $this->startOrResume();
        }
    }

appendix:
The naming of these methods confuses me a little.
resume() calls startOrResume()?
If I call resume I expect it to resume and not to start something.
Why does the bootstrap not call startOrResume() and let that one decide between start or resume?
Or am I expecting this wrongly?
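The following PHP snippet is an added illustration, not code from the report or from TYPO3 Flow. It models the failure described in the report and in comment #1 (a security context that keeps the intercepted request in a session which is only resumed when a cookie is already present) and the autoStart fix from revision 4756966d. The class and method names (Session, SecurityContext, putData/getData) and the FLOW3 cookie name are assumptions chosen for the demo, not the framework's real API.

```php
<?php
// Added illustration, not TYPO3 Flow code. Names below are assumptions.
//
// Model: the security context stores the intercepted request in the session.
// Session::resume() only resumes when the session cookie is already present,
// so on the very first request nothing is started and whatever the context
// stores is never persisted across the redirect to the login page.

class Session
{
    private $started = false;
    private $data = array();
    private $cookieName;

    public function __construct($cookieName)
    {
        $this->cookieName = $cookieName;
    }

    // Same shape as the resume() quoted in comment #1: a first visit has no
    // cookie, so startOrResume() is never reached.
    public function resume()
    {
        if ($this->started === false && isset($_COOKIE[$this->cookieName])) {
            $this->startOrResume();
        }
    }

    public function startOrResume()
    {
        $this->started = true;
    }

    public function isStarted()
    {
        return $this->started;
    }

    // Writes to a session that was never started are lost; this stands in for
    // a session-scoped object whose state cannot be persisted without a session.
    public function putData($key, $value)
    {
        if (!$this->started) {
            return false;
        }
        $this->data[$key] = $value;
        return true;
    }

    public function getData($key)
    {
        return isset($this->data[$key]) ? $this->data[$key] : null;
    }
}

class SecurityContext
{
    private $session;
    private $autoStart;

    // $autoStart models the fix from revision 4756966d: the context's session
    // is started automatically (@FLOW3\Session(autoStart=true)) before use.
    public function __construct(Session $session, $autoStart)
    {
        $this->session = $session;
        $this->autoStart = $autoStart;
    }

    public function setInterceptedRequest(array $request)
    {
        if ($this->autoStart && !$this->session->isStarted()) {
            $this->session->startOrResume();
        }
        return $this->session->putData('interceptedRequest', $request);
    }

    public function getInterceptedRequest()
    {
        return $this->session->getData('interceptedRequest');
    }
}

// One request cycle: bootstrap resumes the session (if any), the policy denies
// access, the interceptor records the request, then it is read back as the
// login action would. $hasCookie distinguishes the first visit (no cookie)
// from the "going back and submitting again" case, where a session exists.
function interceptedRequestAfterDeniedAccess($hasCookie, $autoStart)
{
    if ($hasCookie) {
        $_COOKIE['FLOW3'] = 'constructed-session-id'; // constructed sample value
    } else {
        unset($_COOKIE['FLOW3']);
    }
    $session = new Session('FLOW3');
    $session->resume();                      // Bootstrap->initializeSession()
    $context = new SecurityContext($session, $autoStart);
    $context->setInterceptedRequest(array('controller' => 'Order', 'action' => 'submit'));
    return $context->getInterceptedRequest();
}

var_dump(interceptedRequestAfterDeniedAccess(false, false)); // first visit, no autoStart: the reported case
var_dump(interceptedRequestAfterDeniedAccess(true, false));  // cookie present: the "submitting again" case
var_dump(interceptedRequestAfterDeniedAccess(false, true));  // first visit with autoStart: the fixed behaviour
```

Run with `php` on the command line; $_COOKIE exists (empty) in CLI, so no web server is needed. The first call reproduces the report (the context is asked to store the request before any session exists, so the write is dropped and NULL comes back), the second shows why a repeated submission works once a cookie is present, and the third shows the effect of the fix: starting the session on demand before the intercepted request is stored.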

#2 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.1 to 1.0.2

#3 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.2 to 1.0.3

#4 Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#5 Updated by Gerrit Code Review over 3 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#6 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.3 to 1.0.4

#7 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.4 to 1.0.5

#8 Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#9 Updated by Gerrit Code Review about 3 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#10 Updated by Johannes K about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
