Feature #29907

Redirect to /login instead of raising an "Entity not found." exception if the userdata of an active session has been deleted

Added by Martin Brüggemann about 9 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Must have
Category: Security
Start date: 2011-09-16
Due date:
% Done: 100%
Estimated time:
PHP Version:
Has patch: No
Complexity:

Description

If you are logged in to a secured FLOW3 project and delete the corresponding DB user (for whatever reason), an exception "Entity not found." is raised instead - maybe caused by the invalid cookie data. It would be nicer if the user were redirected to the login page defined by "entryPoint:WebRedirect:uri:".


Files

Bildschirmfoto_2011-09-16_um_19.19.04.png (124 KB), Martin Brüggemann, 2011-09-16 19:30
Bildschirmfoto_2013-01-19_um_12.43.01.png (76.5 KB), Martin Brüggemann, 2013-01-19 12:44
Bild_04.03.13_um_11.36.jpg (582 KB), Bastian Waidelich, 2013-03-04 11:37
Bild_04.03.13_um_11.36.jpg (582 KB), Bastian Waidelich, 2013-03-04 11:38

Related issues

Related to TYPO3.Flow - Bug #37001: Catch Exception from inactivityTimeout (Resolved, Karsten Dambekalns, 2012-05-09)

Actions
#1

Updated by Karsten Dambekalns about 9 years ago

  • Project changed from TYPO3 Flow Base Distribution to TYPO3.Flow
#2

Updated by Karsten Dambekalns about 9 years ago

  • Category set to Security
#3

Updated by Karsten Dambekalns almost 8 years ago

  • Status changed from New to Needs Feedback
  • Assignee changed from Andreas Förthner to Karsten Dambekalns
  • Has patch set to No

Is this solved with #37001 maybe?

#4

Updated by Martin Brüggemann almost 8 years ago

This is still a problem. If you are developing Doctrine models and working with fixtures, you'll often have to reset the whole database. So please, please, please just redirect to the login URL and kill the session if the user of the session does not exist in the DB anymore. THIS IS A SHOWSTOPPER FOR BEGINNERS! :(

#5

Updated by Karsten Dambekalns almost 8 years ago

  • Status changed from Needs Feedback to Accepted
#6

Updated by Gerrit Code Review almost 8 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/17683

#7

Updated by Karsten Dambekalns almost 8 years ago

  • Target version set to 2.1
#8

Updated by Gerrit Code Review almost 8 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/17683

#9

Updated by Karsten Dambekalns almost 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#10

Updated by Bastian Waidelich over 7 years ago

Mh, I still (or again?) get this exception if I log in, reset the db, run migrations and refresh the page (see attachment)

#12

Updated by Bastian Waidelich over 7 years ago

Ok, in my case the code that ends up in this exception is:

protected function initializeAction() {
    // Tokens restored from the session still report isAuthenticated() === TRUE
    $activeTokens = $this->securityContext->getAuthenticationTokens();
    foreach ($activeTokens as $token) {
        if ($token->isAuthenticated()) {
            $this->account = $token->getAccount();
            // First access to the lazy Account proxy: throws EntityNotFoundException
            // when the account row has been deleted
            $this->party = $this->account->getParty();
        }
    }
}

When the account does not exist any more, $token->isAuthenticated() still returns TRUE if the token was loaded from the session.
$token->getAccount() is an instance of TYPO3\Flow\Persistence\Doctrine\Proxies\__CG__\TYPO3\Flow\Security\Account that throws \Doctrine\ORM\EntityNotFoundException whenever it is accessed.
I worked around this as follows:

protected function initializeAction() {
    $activeTokens = $this->securityContext->getAuthenticationTokens();
    foreach ($activeTokens as $token) {
        if ($token->isAuthenticated()) {
            $this->account = $token->getAccount();
            try {
                // Forces the proxy to load; fails if the account row is gone
                $this->party = $this->account->getParty();
            } catch (\Doctrine\ORM\EntityNotFoundException $exception) {
                // Downgrade the stale token so the request is no longer treated as authenticated
                $token->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::NO_CREDENTIALS_GIVEN);
                $this->account = NULL;
            }
        }
    }
}

But this feels rather hacky..
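A hardened variant of the guard above, added here as an illustration; it is not code from this ticket and not Flow's own fix (the change under review at https://review.typo3.org/17683 is not reproduced). It assumes Flow 2.x APIs (ActionController::initializeAction(), ActionController::redirectToUri(), Security\Context::getAuthenticationTokens(), AuthenticationManagerInterface::logout(), Account::getAccountIdentifier()); the package namespace Acme\Demo and the /login path are placeholders. The point it shows is the security-relevant one from the comment above: a token deserialized from the session still says isAuthenticated() === TRUE, so the controller has to force the lazy Account proxy to load and, if the row is gone, log the session out and redirect instead of serving the request as an authenticated user whose account no longer exists.

```php
<?php
namespace Acme\Demo\Controller; // assumed package namespace (example only)

use TYPO3\Flow\Annotations as Flow;
use TYPO3\Flow\Mvc\Controller\ActionController;
use TYPO3\Flow\Security\Authentication\TokenInterface;
use Doctrine\ORM\EntityNotFoundException;

/**
 * Base controller that refuses to serve a request whose session still carries
 * an authenticated token for an Account row that has been deleted.
 */
abstract class AbstractSecuredController extends ActionController {

    /**
     * @Flow\Inject
     * @var \TYPO3\Flow\Security\Context
     */
    protected $securityContext;

    /**
     * @Flow\Inject
     * @var \TYPO3\Flow\Security\Authentication\AuthenticationManagerInterface
     */
    protected $authenticationManager;

    /**
     * Assumed login URI; a real project would use the firewall's
     * entryPoint WebRedirect uri instead of a hard-coded value.
     * @var string
     */
    protected $loginUri = '/login';

    /**
     * @var \TYPO3\Flow\Security\Account|NULL
     */
    protected $account = NULL;

    /**
     * Runs before every action. Verifies that each authenticated token still
     * points at an existing Account before the action trusts it.
     */
    protected function initializeAction() {
        foreach ($this->securityContext->getAuthenticationTokens() as $token) {
            if (!$token->isAuthenticated()) {
                continue;
            }
            $account = $token->getAccount();
            try {
                // Any getter on the Doctrine proxy forces the row to load;
                // a deleted account throws EntityNotFoundException here.
                $account->getAccountIdentifier();
            } catch (EntityNotFoundException $exception) {
                $this->dropStaleSession($token);
                // redirectToUri() throws StopActionException, so the action never runs
                $this->redirectToUri($this->loginUri, 0, 303);
            }
            $this->account = $account;
        }
    }

    /**
     * Turns a token whose Account vanished back into an anonymous one and
     * ends the session, so no later policy check in this request or the
     * next one sees a "logged in" principal that does not exist.
     */
    protected function dropStaleSession(TokenInterface $token) {
        $token->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
        $this->account = NULL;
        // logout() destroys the session and refreshes the security context
        $this->authenticationManager->logout();
    }
}
```

Compared with the try/catch around getParty() above, this version ends the session instead of only downgrading the token in memory, so the stale cookie cannot resurrect the token on the next request, and it redirects immediately rather than leaving the action to run with $this->account === NULL.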

#13

Updated by Gerrit Code Review over 7 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/19074

#14

Updated by Karsten Dambekalns over 7 years ago

  • Status changed from Under Review to Resolved
