Bug #35720

Access denied Exception for widget links to actions with a policy

Added by Johannes K over 3 years ago. Updated almost 3 years ago.

Status: New
Start date: 2012-04-05
Priority: Must have
Due date:
Assigned To: -
% Done: 0%
Category: Security
Target version: -
PHP Version:
Complexity:
Has patch: No
Affected Flow version: Git master

Description

In TYPO3\FLOW3\Security\Aspect\CsrfProtectionAspect::addCsrfTokenToUri() the detection of the target class name fails if a link is generated via <f:link.widget />, so the link is missing the __csrfToken and you get an AccessDeniedException:

#1216919280: You are not allowed to perform this action. (More information)

TYPO3\FLOW3\Security\Exception\AccessDeniedException thrown in file
.../Data/Temporary/Development/Cache/Code/FLOW3_Object_Classes/TYPO3_FLOW3_Security_Authorization_Interceptor_AccessDeny_Original.php in line 30.

Example to reproduce:
Use the paginate widget for an action with a policy


Related issues

Duplicates TYPO3.Flow - Bug #27798: CSRF protection not working for forms in a plugin (Accepted, 2011-07-01)

History

#1 Updated by Johannes K over 3 years ago

The problem is that the CsrfProtectionAspect is woven into UriBuilder::build() (via "method(TYPO3\FLOW3\MVC\Web\Routing\UriBuilder->build())"), but the arguments that determine the target Controller/Action are not yet merged into $arguments, so the CsrfProtectionAspect has no way to check the action.

Possible solution: Use the following code and weave the CsrfProtectionAspect into UriBuilder::doBuild(), but maybe you guys have a better solution ;)


class UriBuilder {
    // ...

    /**
     * Builds the URI
     *
     * Only merges the arguments here; the actual URI assembly happens in
     * doBuild(), which is where an advice sees the final controller/action.
     *
     * @param array $arguments optional URI arguments. Will be merged with $this->arguments with precedence to $arguments
     * @return string The URI
     * @api
     */
    public function build(array $arguments = array()) {
        $arguments = \TYPO3\FLOW3\Utility\Arrays::arrayMergeRecursiveOverrule($this->arguments, $arguments);
        $this->mergeArgumentsWithRequestArguments($arguments);

        // doBuild() produces the URI, so its result has to be returned here
        return $this->doBuild($arguments);
    }

    /**
     * Assembles the URI from the fully merged arguments
     *
     * @param array $arguments the merged URI arguments
     * @return string The URI
     */
    protected function doBuild(array $arguments = array()) {
        // rest of the build function
    }

    // ...
}
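The mechanism described in comment #1, as an added illustration that is not Flow's code and not the reporter's: a stripped-down UriBuilder with a pluggable advice hook, run once with the advice applied to build()'s raw arguments (the current pointcut) and once to the merged arguments in doBuild() (the proposed pointcut). PROTECTED_ACTIONS, isProtectedAction(), widgetLink(), the advice hooks and the token value are constructed for this example; the real aspect consults the policy service and the security context instead.

```php
<?php
declare(strict_types=1);

// Constructed example, not Flow code. Hypothetical policy: controller::action
// pairs whose links need a CSRF token.
const PROTECTED_ACTIONS = ['Post::update', 'Post::delete'];

// Stand-in for the aspect's policy lookup: can the handed-over arguments
// identify a protected target action at all?
function isProtectedAction(array $arguments): bool
{
    $target = ($arguments['@controller'] ?? '') . '::' . ($arguments['@action'] ?? '');
    return in_array($target, PROTECTED_ACTIONS, true);
}

// Stand-in for CsrfProtectionAspect::addCsrfTokenToUri(): the token is only
// appended when the target can be recognised from the arguments it sees.
function addCsrfTokenToUri(array $arguments, string $token): array
{
    if (isProtectedAction($arguments)) {
        $arguments['__csrfToken'] = $token;
    }
    return $arguments;
}

final class UriBuilder
{
    /** Arguments set on the builder beforehand (e.g. by a widget view helper). */
    private array $arguments = [];
    private string $token;
    /** @var callable|null advice applied to build()'s raw $arguments (current pointcut) */
    private $buildAdvice;
    /** @var callable|null advice applied to the merged arguments in doBuild() (proposed pointcut) */
    private $doBuildAdvice;

    public function __construct(string $token, ?callable $buildAdvice = null, ?callable $doBuildAdvice = null)
    {
        $this->token = $token;
        $this->buildAdvice = $buildAdvice;
        $this->doBuildAdvice = $doBuildAdvice;
    }

    public function setArguments(array $arguments): self
    {
        $this->arguments = $arguments;
        return $this;
    }

    // Same shape as the build() quoted in the comment: merge, then delegate.
    public function build(array $arguments = []): string
    {
        if ($this->buildAdvice !== null) {
            // Advice runs before the merge: it only sees what the caller passed.
            $arguments = ($this->buildAdvice)($arguments, $this->token);
        }
        // Simplified stand-in for Arrays::arrayMergeRecursiveOverrule($this->arguments, $arguments)
        $arguments = array_replace($this->arguments, $arguments);
        return $this->doBuild($arguments);
    }

    protected function doBuild(array $arguments): string
    {
        if ($this->doBuildAdvice !== null) {
            // Advice runs on the merged arguments: controller/action are present now.
            $arguments = ($this->doBuildAdvice)($arguments, $this->token);
        }
        return '/?' . http_build_query($arguments);
    }
}

// Models the widget case: controller/action reach the builder through
// setArguments(), while build() itself is only handed the page number.
function widgetLink(UriBuilder $builder): string
{
    return $builder
        ->setArguments(['@controller' => 'Post', '@action' => 'update'])
        ->build(['currentPage' => 2]);
}

$token = 'constructed-token'; // constructed value, not a real CSRF token

$adviceOnBuild   = new UriBuilder($token, 'addCsrfTokenToUri', null);
$adviceOnDoBuild = new UriBuilder($token, null, 'addCsrfTokenToUri');

echo 'advice on build():   ', widgetLink($adviceOnBuild), PHP_EOL;
echo 'advice on doBuild(): ', widgetLink($adviceOnDoBuild), PHP_EOL;
```

Running it shows the difference the comment describes: the first link carries no __csrfToken, because the advice on build() only saw ['currentPage' => 2] and could not tell that Post::update is protected; the second link carries the token, because the advice on doBuild() saw the merged arguments. The mitigation is therefore not a different check but a different join point, one that runs after all argument sources have been merged.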
