Bug #35720

Access denied Exception for widget links to actions with a policy

Added by Johannes K over 9 years ago. Updated about 9 years ago.

Status: New
Priority: Must have
Assignee: -
Category: Security
Target version: -
Start date: 2012-04-05
Due date:
% Done: 0%
Estimated time:
PHP Version:
Has patch: No
Complexity:

Description

In TYPO3\FLOW3\Security\Aspect\CsrfProtectionAspect::addCsrfTokenToUri() the detection of the target class name fails if a link is generated via <f:link.widget />, so the link is missing the __csrfToken and you get an AccessDeniedException:

#1216919280: You are not allowed to perform this action. (More information)

TYPO3\FLOW3\Security\Exception\AccessDeniedException thrown in file
.../Data/Temporary/Development/Cache/Code/FLOW3_Object_Classes/TYPO3_FLOW3_Security_Authorization_Interceptor_AccessDeny_Original.php in line 30.

Example to reproduce:
Use the paginate widget for an action with a policy


Related issues

Is duplicate of TYPO3.Flow - Bug #27798: CSRF protection not working for forms in a plugin (Accepted, 2011-07-01)
