Bug #46036
AuthenticationRequired should not be thrown in PolicyEnforcement if resource is available to Everybody
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | Resolved | Start date: | 2013-03-05 |
| Priority: | Should have | Due date: | |
| Assigned To: | Christian Müller | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 2.0.1 | | |
| PHP Version: | | Complexity: | |
| Has patch: | No | Affected Flow version: | (any) |
Description
In case you define a (method) resource (in my case with a runtime argument condition) and you GRANT access to this resource for the "Everybody" role, you will still end up with an AuthenticationRequiredException (or, if defined, a redirect to the WebRedirect) because the AuthenticationManager will throw that when not logged in, BEFORE the AccessDecisionManager checks the actual permissions for the resource.
To fix this we need to temporarily catch the exception when there were no tokens to be authenticated and check permissions on the AccessDecisionManager. If this then throws an AccessDeniedException, we know the resource was inaccessible for a not-logged-in user (at least with the current runtime evaluation) and we should probably trigger a redirect to the WebRedirect. In case the AccessDecisionManager granted access to the resource, we can proceed, as obviously the resource was meant to be available without login.
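A minimal model of the two check orderings described above, as an added example that is not Flow's own code: the class and method names (SecurityContext, AccessDecisionManager::decide, PolicyEnforcement::invoke) are hypothetical stand-ins for the components named in the report, and the policy is constructed.

```php
<?php
// Added illustration, not TYPO3 Flow's code: class and method names are hypothetical;
// only the order of the two checks mirrors the fix described in #46036.
class AuthenticationRequiredException extends Exception {}
class AccessDeniedException extends Exception {}
final class SecurityContext {
    public function __construct(public bool $authenticated, public array $roles) {}
}
final class AccessDecisionManager {
    // $acl maps a resource name to the roles that are GRANTED access to it.
    public function __construct(private array $acl) {}
    public function decide(string $resource, SecurityContext $ctx): void {
        $granted = $this->acl[$resource] ?? [];
        if (in_array('Everybody', $granted, true)) { return; }   // open to anonymous users
        if ($ctx->authenticated && array_intersect($ctx->roles, $granted)) { return; }
        throw new AccessDeniedException("Access to $resource denied");
    }
}

final class PolicyEnforcement {
    public function __construct(private AccessDecisionManager $adm, private bool $patched) {}
    public function invoke(string $resource, SecurityContext $ctx): string {
        if (!$ctx->authenticated) {
            if (!$this->patched) {
                // Pre-fix order: an anonymous request never reaches the ACL check.
                throw new AuthenticationRequiredException('Login required');
            }
            // Fixed order: consult the ACL first; only a denial becomes "login required",
            // which the WebRedirect entry point answers with a redirect to the login form.
            try {
                $this->adm->decide($resource, $ctx);
            } catch (AccessDeniedException $e) {
                throw new AuthenticationRequiredException('Login required', 0, $e);
            }
            return 'granted';
        }
        $this->adm->decide($resource, $ctx);   // logged in: plain ACL evaluation
        return 'granted';
    }
}

// Constructed sample policy: one resource open to Everybody, one for administrators only.
$adm = new AccessDecisionManager(['publicAction' => ['Everybody'], 'adminAction' => ['Administrator']]);
$anonymous = new SecurityContext(false, []);
foreach (['before fix' => false, 'after fix' => true] as $label => $patched) {
    $enforcement = new PolicyEnforcement($adm, $patched);
    foreach (['publicAction', 'adminAction'] as $resource) {
        try { $result = $enforcement->invoke($resource, $anonymous); }
        catch (AuthenticationRequiredException $e) { $result = 'AuthenticationRequired'; }
        echo "$label, anonymous -> $resource: $result\n";
    }
}
```

Run with a PHP 8 interpreter: before the fix both anonymous requests end in AuthenticationRequired, after it publicAction is granted and only adminAction still triggers the login requirement.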
Associated revisions
[BUGFIX] Allow access to resources GRANTED to "Everybody"
PolicyEnforcement no longer throws an AccessDenied exception
if not logged in before checking the actual ACLs for the
resource in question. This allows creating resources and
granting access to them for "Everybody" which was not possible
before.
Fixes: #46036
Releases: master, 2.0
Change-Id: I6aa50f69ef3284e59933c89a9f8bfee08ac1b800
History
#1 Updated by Gerrit Code Review over 2 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#2 Updated by Gerrit Code Review over 2 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#3 Updated by Gerrit Code Review over 2 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#4 Updated by Gerrit Code Review over 2 years ago
Patch set 4 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#5 Updated by Gerrit Code Review over 2 years ago
Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#6 Updated by Gerrit Code Review over 2 years ago
Patch set 6 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#7 Updated by Gerrit Code Review about 2 years ago
Patch set 7 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695
#8 Updated by Karsten Dambekalns almost 2 years ago
- Target version changed from 2.0 to 2.0.1
#9 Updated by Gerrit Code Review almost 2 years ago
Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/24240
#10 Updated by Christian Müller almost 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset b6768ccfb736ef8b536f420cd2d8068edc44267b.