Method security is also evaluating abstract classes
I want to secure all controllers in my vendor namespace except controllers named LoginController; for that I use the following pointcut expression:
This did not work at all (webredirect forwards me to the LoginController, and as access is denied on the LoginController, Chrome stops with a TOO_MANY_REDIRECTS).
Some more debugging taught me that the security framework denied access to the abstract class AbstractController (from which the LoginController extends). Implementing all methods from the abstract class in the LoginController does not solve this. Only extending from a class not matching the pattern (\TYPO3\FLOW3\Mvc\Controller\ActionController) solves the issue and has the expected result.
Imagine the more general pattern: .*\Controller\.*(?<!Login)Controller->.*Action(), this would even match the \TYPO3\FLOW3\Mvc\Controller\ActionController and thus block all access.
Question is: Shouldn't the Security Framework only evaluate the actual class names being used?
Updated by Rens Admiraal about 8 years ago
The parent is also matched... it seems like all classes a class inherits from are also taken into account, which would be incorrect.
I would expect it would only affect the class with the exact name matching the pattern, and should not take into account any inheritance whatsoever.
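The following sketch is an added example, not part of the thread and not FLOW3 code. It models the two evaluation strategies discussed above: matching the class filter against the concrete class only, or against the class and all of its ancestors. The `Acme\Demo` namespace, the vendor-scoped filter, the hierarchy table and the function names are assumptions made for illustration; only the general pattern is taken from the report.

```python
import re

# Class filter of the general pointcut quoted in the report. Namespace
# backslashes are escaped here so the regex engine treats them literally.
GENERAL = r".*\\Controller\\.*(?<!Login)Controller"
# Hypothetical vendor-scoped filter (constructed; not the reporter's expression).
VENDOR = r"Acme\\Demo\\Controller\\.*(?<!Login)Controller"

# Constructed hierarchy, child -> parent. "Acme\Demo" is a hypothetical namespace.
PARENTS = {
    r"Acme\Demo\Controller\LoginController": r"Acme\Demo\Controller\AbstractController",
    r"Acme\Demo\Controller\AbstractController": r"TYPO3\FLOW3\Mvc\Controller\ActionController",
    r"Acme\Demo\Controller\Standalone\LoginController": r"TYPO3\FLOW3\Mvc\Controller\ActionController",
    r"TYPO3\FLOW3\Mvc\Controller\ActionController": None,
}


def lineage(cls):
    """Return cls followed by every ancestor, nearest first."""
    chain = []
    while cls is not None:
        chain.append(cls)
        cls = PARENTS[cls]
    return chain


def matched_by(pattern, cls, include_parents):
    """Classes that make the filter apply to a call on cls.

    include_parents=False models the behaviour the thread expects (only the
    concrete class name counts); True models the behaviour it reports.
    """
    candidates = lineage(cls) if include_parents else [cls]
    return [c for c in candidates if re.fullmatch(pattern, c)]


if __name__ == "__main__":
    login = r"Acme\Demo\Controller\LoginController"
    for label, pattern in (("vendor", VENDOR), ("general", GENERAL)):
        for mode in (False, True):
            hits = matched_by(pattern, login, include_parents=mode)
            print(f"{label:8} include_parents={mode!s:5} -> {hits or 'not secured'}")
```

A useful regression check for any policy written with a negative lookbehind is to assert, for each class meant to stay public, that no class in its lineage matches the filter.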