Bug #12917

Access denied by using the HashService Setter injection

Added by Julian Kleinhans almost 11 years ago. Updated about 10 years ago.

Status: Rejected
Priority: Must have
Assignee:
Category: Security
Start date: 2011-02-09
Due date:
% Done: 0%
Estimated time:
PHP Version:
Has patch:
Complexity:

Description

[See https://review.typo3.org/#change,699]

If I use the HashService setter injection in a protected area as a logged-in user, I get an "Access denied".

This is my Policy.yaml:

resources:
  methods:
    F3_Tutorials_RestrictedAdminArea: 'class(F3\Tutorials\Controller\Admin\.*)'
roles:
  Administrator: []
acls:
  Administrator:
    methods:
      F3_Tutorials_RestrictedAdminArea: GRANT

In the Controller\Admin I used a setter injection for the HashService.

public function injectHashService(\F3\FLOW3\Security\Cryptography\HashService $hashService) {
  $this->hashService = $hashService;
}

And with this method in my code I get the "Access denied" page. My logs:

Successfully re-authenticated tokens for account "test1" [logged in F3\FLOW3\Security\Aspect\LoggingAspect::logManagerAuthenticate()]

Access denied (0 denied, 0 granted, 1 abstained) to method F3\Tutorials\Controller\Admin\AccountController::injectHashService(). [logged in F3\FLOW3\Security\Aspect\LoggingAspect::logJoinPointAccessDecisions()]

If I use the property injection

/**
 * @inject
 * @var \F3\FLOW3\Security\Cryptography\HashService
 */
protected $hashService;

it works without problems. The problem occurs only with the setter injection. There is NO other ACL in a Policy.yaml.
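
Added example, not part of the original report and not FLOW3 code: a Python triage helper that parses the access-decision log line quoted above and separates denials caused by an explicit deny vote from denials where no voter granted access. The function name, result keys and the `inject` prefix check (a heuristic for setter-injection methods) are assumptions made for this example; the two log lines are the ones from the report.

```python
import re

# Shape of the "Access denied" line as it appears in the log quoted in the report.
DECISION_RE = re.compile(
    r'Access denied '
    r'\((?P<denied>\d+) denied, (?P<granted>\d+) granted, (?P<abstained>\d+) abstained\) '
    r'to method (?P<cls>[\w\\]+)::(?P<method>\w+)\(\)'
)

# The two log lines from the report, verbatim.
LOG_LINES = [
    r'Successfully re-authenticated tokens for account "test1" '
    r'[logged in F3\FLOW3\Security\Aspect\LoggingAspect::logManagerAuthenticate()]',
    r'Access denied (0 denied, 0 granted, 1 abstained) to method '
    r'F3\Tutorials\Controller\Admin\AccountController::injectHashService(). '
    r'[logged in F3\FLOW3\Security\Aspect\LoggingAspect::logJoinPointAccessDecisions()]',
]


def triage_denial(line):
    """Return a summary of an 'Access denied' line, or None for any other line."""
    match = DECISION_RE.search(line)
    if match is None:
        return None
    denied, granted, abstained = (
        int(match[key]) for key in ("denied", "granted", "abstained")
    )
    if denied > 0:
        reason = "explicit-deny"   # at least one voter voted against
    elif granted == 0:
        reason = "no-grant"        # nobody denied, but nobody granted either
    else:
        reason = "other"
    method = match["method"]
    return {
        "class": match["cls"],
        "method": method,
        "votes": (denied, granted, abstained),
        "reason": reason,
        # Heuristic (assumption): setter-injection methods are named inject*.
        "injection_setter": method.startswith("inject"),
    }


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(triage_denial(entry))
```
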
