Bug #31905

getInterceptedRequest is NULL but ACL matches correctly DENY

Added by Carsten Bleicker almost 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2011-11-18
Due date:
% Done:

100%

PHP Version:
5.3
Has patch:
No
Complexity:

Description

hi folks,
i had defined an policy for one method wich allows only access if a role exists.
if i call this method without any matching token i will be redirected to the defined WebRedirect.
so anything works fine. but the getInterceptedRequest() of the security contenxt is NULL. it only holds
an interceptRequest if the security matches a second time again. I think there is something wrong with the session?

f.e:
getInterceptedRequest() is NULL if:
  1. init very first visit of my site provides a form wich sends to the controller with policy.
  2. submitting this form
  3. i will get redirected to login
  4. getInterceptedRequest() is NULL
getInterceptedRequest() is filled correctly if:
  1. init very first visit of my site provides a form wich sends to the controller with policy.
  2. submitting this form
  3. i will get redirected to login
  4. getInterceptedRequest() is NULL
  5. going back
  6. submitting again
  7. getInterceptedRequest() is filled correctly

any ideas?


Related issues

Related to TYPO3.Flow - Bug #31931: AuthenticationController is not working anymore Resolved 2011-11-18
Duplicated by TYPO3.Flow - Bug #33311: AuthenticationProviderManager::isAuthenticated does not work in authentication request Resolved 2012-01-19

Associated revisions

Revision 4756966d (diff)
Added by Johannes K over 7 years ago

[BUGFIX] Authentication: context now reliably stores the intercepted request

On authentication the original intercepted request was not stored,
when there was no current session. The session now gets automatically
initialized via @FLOW3\Session(autoStart=true).

Change-Id: Icc3bc6d1338061459945e97bb1bc8e8981cfc18c
Fixes: #31905
Releases: 1.1

Revision 900a207a (diff)
Added by Robert Lemke over 7 years ago

[TASK] Improve security isolation in functional tests

This change makes sure that also the intercepted request
(if any) is cleared on clearContext() and renames the
authentication provider configured for the Testing
context from "DefaultProvider" to "TestingProvider".

Change-Id: Ib8553f5453f5d2c5b63ffc16f4382cfb80da686a
Related: #31905
Releases: 1.1

History

#1 Updated by Carsten Bleicker almost 8 years ago

On first Init there is no cookie named FLOW3.

so the Bootstrap->initializeSession() tries to resume the session.
But because of missing $_COOKIE[session_name()] its not resumed.
This results the getInterceptedRequest() with NULL.

public function resume() {
if ($this->started === FALSE && isset($_COOKIE[session_name()])) {
$this->startOrResume();
}
}

appendix:
this wording of methods confusing me a little bit.
resume calls a startOrResume?
if i call a resume i expect to resume and not start something.
why does the bootstrap not call startOrResume and this one decides between start or resume?
or do i expect this wrong?

#2 Updated by Karsten Dambekalns almost 8 years ago

  • Target version changed from 1.0.1 to 1.0.2

#3 Updated by Karsten Dambekalns almost 8 years ago

  • Target version changed from 1.0.2 to 1.0.3

#4 Updated by Gerrit Code Review almost 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#5 Updated by Gerrit Code Review almost 8 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#6 Updated by Karsten Dambekalns over 7 years ago

  • Target version changed from 1.0.3 to 1.0.4

#7 Updated by Karsten Dambekalns over 7 years ago

  • Target version changed from 1.0.4 to 1.0.5

#8 Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#9 Updated by Gerrit Code Review over 7 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7635

#10 Updated by Johannes K over 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Also available in: Atom PDF