Feature #3620

Implement a request stack

Added by Andreas Förthner over 11 years ago. Updated over 9 years ago.

Status: Closed
Priority: Should have
Category: MVC
Start date: 2010-03-08
% Done: 10%
Estimated time: 14.00 h

Description

Intercepted requests (e.g. because of a security exception) should be pushed on the stack. After resolving the problem the request should be popped from the stack again and restarted or resumed.

#1

Updated by Robert Lemke about 11 years ago

  • Status changed from New to Accepted
  • Assignee changed from Andreas Förthner to Robert Lemke
#2

Updated by Robert Lemke about 11 years ago

  • Target version set to 1.0 alpha 7
#3

Updated by Robert Lemke about 11 years ago

  • Target version changed from 1.0 alpha 7 to 1.0 alpha 8
#4

Updated by Robert Lemke almost 11 years ago

  • Start date changed from 2009-06-08 to 2010-03-08
  • % Done changed from 0 to 10
  • Estimated time set to 14.00 h
#5

Updated by Karsten Dambekalns almost 11 years ago

  • Target version changed from 1.0 alpha 8 to 1.0 alpha 9
#6

Updated by Robert Lemke over 10 years ago

  • Target version deleted (1.0 alpha 9)
#7

Updated by Andreas Förthner about 10 years ago

  • Target version set to 1.0 beta 1
#8

Updated by Bastian Waidelich about 10 years ago

FLOW3 Request Stack
Idea: reconstitute original request after login/validation errors
-> also a way to implement CSRF security w/o hashes on every link/form

Evaluate possibility to make request stack optional:

  • if Request Stack is disabled, current request could be attached to links/forms in a serialized form (similar to the hidden referrer fields in Fluid forms now)

If an error occurs (validation error, security exception...)

  • catch exception/error
  • push current parent request on the stack $request->pushToStack(); or $requestStack->pushRequest($request)
  • do something else -> e.g. call authentication entry point (login page)
  • in the action controller: $this->replayLastRequest();
  • (future feature): if session based request stack is inactive (by configuration) the current request could hold the last request as argument (__referrer...)

foo?@package=MyMainPackage&f3_MyPlugin[@package]=MySubPackage

<input type="hidden" name="__referrer[package]" value="MyMainPackage" />
<input type="hidden" name="f3_MyPlugin[__referrer][package]" value="MySubPackage" />

Questions:

  • Should every request be pushed to the stack by default (only the last request)?
  • Can hidden referrer fields really be replaced by the stack?
  • What about multiple forms on one page? -> should work because we're only interested in the parent request

session based:

login link:

<a href="secure">link</a>
-> push request to stack
-> display login form
-> resume request

form validation:

-> push request to stack (form view helper? no, should happen by default)
<input type="text" name="name" />
-> // validation errors
-> resume request

stateless (without session):

<a href="secure?__referrer=xyz">link</a>
-> display login form - add hidden fields for referrer
-> build request from referrer & arguments from current request

<input type="text" name="name" />
<input type="hidden" name="__referrer.." value="xyz" />
-> // validation errors
-> build request from referrer & arguments from current request

"Normal" login process

- Request1 (show link to protected page)
- RequestStack: Request1

- Request2 (click on link)
- SecurityException -> redirect to login form (Request3)
- RequestStack: Request2, Request3

- Request4 (login form submit)
- Login accepted -> redirect to original Request (Request2)
- RequestStack: Request4

Login process with validation errors:

- Request1 (show link to protected page)
- RequestStack: Request1

- Request2 (click on link)
- SecurityException -> redirect to login form (Request3)
- RequestStack: Request2, Request3

- Request4 (login form submit)
- Login validation error -> redirect to login form with Request3 & arguments from Request4
- RequestStack: Request2, Request3
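
The session-based flow sketched in comment #8 (intercept, show login form, keep the parked request across a failed login, replay after a successful one), as an added example that is not FLOW3 code and not part of the original comment. All function names, the /secure prefix, the depth bound and the sample password are assumptions; it parks only the intercepted request, not the login form request, and needs PHP 8.

```php
<?php
declare(strict_types=1);
// Added illustration, not FLOW3 code: all names and values below are hypothetical.
const MAX_DEPTH = 5;                        // assumption: bound what one session can queue
const DEMO_PASSWORD = 'constructed-secret'; // constructed sample credential

function pushRequest(array &$session, string $uri, array $args): void
{
    $session['requestStack'][] = ['uri' => $uri, 'args' => $args];
    $session['requestStack'] = array_slice($session['requestStack'], -MAX_DEPTH);
}

function popRequest(array &$session): ?array
{
    $session['requestStack'] ??= [];
    return array_pop($session['requestStack']);
}

function dispatch(array &$session, string $uri, array $args = []): string
{
    if ($uri === '/login') {
        if (!isset($args['password'])) {
            return 'login form';
        }
        if (!hash_equals(DEMO_PASSWORD, (string) $args['password'])) {
            return 'login form with errors'; // stack untouched, parked request survives
        }
        $session['authenticated'] = true;
        $original = popRequest($session);
        // Replay runs through dispatch() again, so the access check is re-evaluated.
        return $original === null
            ? 'rendered /'
            : dispatch($session, $original['uri'], $original['args']);
    }
    if (str_starts_with($uri, '/secure') && empty($session['authenticated'])) {
        pushRequest($session, $uri, $args);  // security exception: park the request
        return dispatch($session, '/login'); // authentication entry point
    }
    return 'rendered ' . $uri . ' ' . json_encode($args);
}

$session = []; // stands in for $_SESSION so the script runs on the CLI
echo dispatch($session, '/secure/report', ['id' => '7']), "\n";         // intercepted
echo dispatch($session, '/login', ['password' => 'wrong']), "\n";       // validation error
echo count($session['requestStack']), " request(s) parked\n";
echo dispatch($session, '/login', ['password' => DEMO_PASSWORD]), "\n"; // login, then replay
echo count($session['requestStack']), " request(s) parked\n";
```

Because the parked request lives in the server-side session, the client cannot alter its target or arguments between interception and replay; the stateless `__referrer` variant in the notes does not have that property on its own.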

#9

Updated by Sebastian Kurfuerst over 9 years ago

  • Target version changed from 1.0 beta 1 to 1.0 beta 2
#10

Updated by Sebastian Kurfuerst over 9 years ago

  • Status changed from Accepted to Needs Feedback
  • Assignee changed from Robert Lemke to Andreas Förthner

Hey Andi,

I doubt this is still needed. Didn't we talk about it and come to the conclusion to drop the request stack?

Greets,
Sebastian

#11

Updated by Andreas Förthner over 9 years ago

  • Status changed from Needs Feedback to Closed

The request stack feature was mainly intended to be used for intercepted requests due to missing authentication. However, this has now been done in a specific implementation within the security framework and the generic login controller. I.e. for now we don't need a generic request stack anymore...
