Bug #35720
Access denied Exception for widget links to actions with a policy
Status: | New | Start date: | 2012-04-05
---|---|---|---
Priority: | Must have | Due date: |
Assigned To: | - | % Done: | 0%
Category: | Security | Target version: | -
PHP Version: | | Complexity: |
Has patch: | No | Affected Flow version: | Git master
Description
In TYPO3\FLOW3\Security\Aspect\CsrfProtectionAspect::addCsrfTokenToUri() the detection of the target class name fails if a link is generated via <f:link.widget />, so the generated link lacks the __csrfToken and you get an AccessDeniedException:
#1216919280: You are not allowed to perform this action. (More information)
TYPO3\FLOW3\Security\Exception\AccessDeniedException thrown in file
.../Data/Temporary/Development/Cache/Code/FLOW3_Object_Classes/TYPO3_FLOW3_Security_Authorization_Interceptor_AccessDeny_Original.php in line 30.
Example to reproduce:
Use the paginate widget for an action with a policy
History
#1 Updated by Johannes K over 3 years ago
The problem is that the CsrfProtectionAspect is woven into UriBuilder::build() (via "method(TYPO3\FLOW3\MVC\Web\Routing\UriBuilder->build())"), but the arguments to determine the target Controller/Action are not yet merged into $arguments, so the CsrfProtectionAspect has no way to check the action.
Possible solution: Use the following code and weave the CsrfProtectionAspect into UriBuilder::doBuild(), but maybe you guys have a better solution ;)
class UriBuilder {
    ...
    /**
     * Builds the URI
     *
     * @param array $arguments optional URI arguments. Will be merged with $this->arguments with precedence to $arguments
     * @return string The URI
     * @api
     */
    public function build(array $arguments = array()) {
        $arguments = \TYPO3\FLOW3\Utility\Arrays::arrayMergeRecursiveOverrule($this->arguments, $arguments);
        $this->mergeArgumentsWithRequestArguments($arguments);
        // Controller/action are now part of $arguments, so an aspect woven
        // into doBuild() can inspect them before the URI is assembled.
        return $this->doBuild($arguments);
    }

    protected function doBuild(array $arguments = array()) {
        // rest of the build function
    }
    ...
}
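To make the ordering problem from the comment above concrete, here is an added, self-contained PHP sketch that is not Flow's code: the UriBuilder with a build()/doBuild() split, the "@controller"/"@action" argument keys, the protected-action table and the constant token are constructed stand-ins, and the woven CSRF advice is modelled as a plain callable that can be attached either before or after the argument merge.

```php
<?php
// Constructed stand-in for the framework classes; names and keys are assumptions.
final class UriBuilder
{
    private array $presetArguments;          // set by the widget/view helper (controller, action, ...)
    public $adviceOnBuild = null;            // callable run at build() entry, BEFORE the merge
    public $adviceOnDoBuild = null;          // callable run in doBuild(), AFTER the merge

    public function __construct(array $presetArguments)
    {
        $this->presetArguments = $presetArguments;
    }

    public function build(array $arguments = []): string
    {
        if ($this->adviceOnBuild !== null) {
            $arguments = ($this->adviceOnBuild)($arguments);   // sees only the caller's arguments
        }
        // Target controller/action only become visible in $arguments after this merge.
        $arguments = array_replace_recursive($this->presetArguments, $arguments);
        return $this->doBuild($arguments);
    }

    private function doBuild(array $arguments): string
    {
        if ($this->adviceOnDoBuild !== null) {
            $arguments = ($this->adviceOnDoBuild)($arguments);  // sees the merged arguments
        }
        return '/index.php?' . http_build_query($arguments);
    }
}

// Simplified CSRF advice: append a token only when the target action is policy protected.
$protectedActions = ['Post' => ['delete']];                       // constructed policy table
$csrfAdvice = function (array $arguments) use ($protectedActions): array {
    $controller = $arguments['@controller'] ?? null;
    $action     = $arguments['@action'] ?? null;
    if ($controller !== null && in_array($action, $protectedActions[$controller] ?? [], true)) {
        $arguments['__csrfToken'] = 'constructed-token';         // real code would use the session token
    }
    return $arguments;
};

// Widget-style call: controller/action are preset, the caller only passes the page number.
$builder = new UriBuilder(['@controller' => 'Post', '@action' => 'delete']);
$builder->adviceOnBuild = $csrfAdvice;                            // current weaving point
echo $builder->build(['currentPage' => 2]), PHP_EOL;              // no __csrfToken: request will be denied
$builder->adviceOnBuild = null;
$builder->adviceOnDoBuild = $csrfAdvice;                          // proposed weaving point
echo $builder->build(['currentPage' => 2]), PHP_EOL;              // __csrfToken present
```

Running the script prints the same link twice, with the token appearing only in the second line, which is the observable difference between weaving the aspect into build() and into doBuild().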