Bug #54592

Security policies are too strict

Added by Rens Admiraal over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Should have
Assigned To: -
Category: -
Target version: -
Start date: 2013-12-25
Due date:
% Done: 100%

Description

The following policy is far too strict:

    TYPO3_Neos_AllControllerActions: 'within(TYPO3\Flow\Mvc\Controller\AbstractController) && method(public .*->.*Action())'

This secures all controllers in the full Flow application, which is an issue if you create an application in Flow and add Neos on top for managing a few content pages (or in whatever other use case Flow packages would be used next to Neos).

I'm not sure if we want to secure all plugins of developers by default, or just want to secure all Neos controllers. But for now I would suggest only securing all controllers in the TYPO3\Neos\* namespace.
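To make the overlap concrete, here is an added example (my own Python model, not code from the Neos or Flow projects) that classifies a few constructed controller actions under the pointcut quoted above and under a narrowed pattern in the spirit of the fix (TYPO3\Neos\* classes only, initialize actions excluded). The class tree, the My\Vendor controller and the narrowed pattern are assumptions; Flow's real pointcut evaluator also checks visibility, which this model skips.

```python
import re

# Simplified model of how a Flow pointcut classifies a controller action.
# Not Flow's evaluator; the class tree, the vendor class and the narrowed
# pattern below are constructed for illustration.
ABSTRACT = r"TYPO3\Flow\Mvc\Controller\AbstractController"
ACTION = r"TYPO3\Flow\Mvc\Controller\ActionController"

# Constructed parent chains (stand-in for Flow's reflection service).
PARENTS = {
    r"TYPO3\Neos\Controller\Frontend\NodeController": [ACTION, ABSTRACT],
    r"My\Vendor\Controller\PageController": [ACTION, ABSTRACT],
}


def within(base, cls):
    """within(Base): the class is Base or inherits from it."""
    return cls == base or base in PARENTS.get(cls, [])


def method(class_re, method_re, cls, name):
    """method(public Class->name()): both regexes must match the whole name.
    Visibility is ignored; the reported failure only appears once
    initializeAction has been made public anyway."""
    return (re.fullmatch(class_re, cls) is not None
            and re.fullmatch(method_re, name) is not None)


def broad_resource(cls, name):
    """TYPO3_Neos_AllControllerActions as quoted in the report."""
    return within(ABSTRACT, cls) and method(r".*", r".*Action", cls, name)


def narrow_resource(cls, name):
    """Assumed narrowing: TYPO3\\Neos\\* classes only, initialize* methods
    excluded via a negative lookahead (this pattern is ours, not Neos')."""
    return method(r"TYPO3\\Neos\\.*", r"(?!initialize).*Action", cls, name)


def compare(cls, name):
    """Which of the two resources would put this action behind authentication."""
    return {"broad": broad_resource(cls, name),
            "narrow": narrow_resource(cls, name)}


if __name__ == "__main__":
    samples = [(r"My\Vendor\Controller\PageController", "indexAction"),
               (r"TYPO3\Neos\Controller\Frontend\NodeController", "initializeAction"),
               (r"TYPO3\Neos\Controller\Frontend\NodeController", "showAction")]
    for cls, name in samples:
        print(f"{cls}->{name}: {compare(cls, name)}")
```

The broad resource catches the vendor controller and a public initializeAction alike, which is exactly what triggers the "could not authenticate any token" failure; the narrowed one leaves both alone while still covering Neos' own actions.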

Associated revisions

Revision d05899f1
Added by Rens Admiraal over 1 year ago

[BUGFIX] Security policies in Neos are too strict

The current security policies fail with a "could not authenticate
any token" if an initializeAction is made public.

This change updates the policy so it does not match initialize
actions to prevent this error.

Change-Id: I167fc4effa0dba3e01599dbc114bc0d245aa17fc
Fixes: #54592
Releases: master, 1.0
Reviewed-on: https://review.typo3.org/26557
Reviewed-by: Andreas Förthner
Reviewed-by: Rens Admiraal
Tested-by: Rens Admiraal
Reviewed-by: Dominique Feyer
Tested-by: Dominique Feyer
Reviewed-by: Aske Ertmann
Reviewed-by: Christian Mueller
Tested-by: Christian Mueller

Revision 9578321c
Added by Rens Admiraal over 1 year ago

[BUGFIX] Security policies in Neos are too strict

The current security policies fail with a "could not authenticate
any token" if an initializeAction is made public.

This change updates the policy so it does not match initialize
actions to prevent this error.

Change-Id: I167fc4effa0dba3e01599dbc114bc0d245aa17fc
Fixes: #54592
Releases: master, 1.0
Reviewed-on: https://review.typo3.org/28001
Reviewed-by: Christian Mueller
Tested-by: Christian Mueller
Reviewed-by: Rens Admiraal

History

#1 Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.Neos has been pushed to the review server.
It is available at https://review.typo3.org/26557

#2 Updated by Rens Admiraal over 1 year ago

Some extra clarification for the issue...

This policy is so general that it matches all controllers wherever they are in your installation, be it Flow or Neos, it doesn't matter. I now have a project in which we can't add Neos because of this policy. Even this Policy.yaml does not allow access to the controller, and throws a 'context contained no tokens that could be authenticated':

    resources:
      methods:
        My_Vendor_Controller: 'method(My\Vendor\.*Controller->.*Action())'

    acls:
      Anonymous:
        methods:
          My_Vendor_Controller: GRANT
      Everybody:
        methods:
          My_Vendor_Controller: GRANT

This Policy.yaml does work fine if I disable the TYPO3_Neos_AllControllerActions resource (tested by adding a DENY).

#3 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.Neos has been pushed to the review server.
It is available at https://review.typo3.org/26557

#4 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch 1.0 of project Packages/TYPO3.Neos has been pushed to the review server.
It is available at https://review.typo3.org/28001

#5 Updated by Rens Admiraal over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
