Task #45253

Throw exception in PointcutMethodNameFilter if given method's argument does not match the actual method signature

Added by Adrian Föder almost 9 years ago. Updated almost 9 years ago.

Status: Accepted
Priority: Must have
Category: Security
Target version: -
Start date: 2013-02-07
% Done: 0%
Has patch: No

Description

Consider a TYPO3.Comment CommentRepository. I have set the following security resource:

[...]
'method(TYPO3\Comments\Domain\Repository\CommentRepository->remove(comment.author === current.securityContext.party))'

The CommentRepository itself does not carry its own remove() method; it inherits from TYPO3\Flow\Persistence\Repository as usual.

In that case, NO proxy method is generated, hence no security is applied.

When leaving the runtime constraint out,

[...]
'method(TYPO3\Comments\Domain\Repository\CommentRepository->remove())'

and still not having a concrete remove() method, only the inherited one, it works; a proxy method is generated.

Third example: putting the runtime constraint back in,

[...]
'method(TYPO3\Comments\Domain\Repository\CommentRepository->remove(comment.author === current.securityContext.party))'

and putting a "dummy" remove() method into the concrete CommentRepository itself,

/**
 * @param \TYPO3\Comments\Domain\Model\Comment $comment
 */
public function remove($comment) {
    parent::remove($comment);
}

it again works, too!

If you want to test and fiddle, I prepared a repository at https://github.com/afoeder/TYPO3.Comments, just see the (only) Functional Test there and the Policy.yaml configuration. Maybe you want to check out HEAD^1 there.
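
The fail-closed check requested in the task title, sketched as an added example; it is not code from the ticket or from Flow. The class names, the function assertPointcutArgumentsExist() and the parent parameter name $object are assumptions made for illustration, and runtime constraints are split naively on commas.

```php
<?php
// Constructed stand-ins for the classes in the report. Assumption: the
// inherited remove() names its parameter $object, not $comment.
class BaseRepository {
    public function remove($object) {}
}
class CommentRepository extends BaseRepository {}

/**
 * Hypothetical check (not a Flow API): every argument name used in a runtime
 * constraint must be a parameter of the targeted method, inherited or not.
 */
function assertPointcutArgumentsExist(string $pointcut): void {
    if (!preg_match('/^method\(([\w\\\\]+)->(\w+)\((.*)\)\)$/', $pointcut, $m)) {
        throw new InvalidArgumentException("Unparsable pointcut: $pointcut");
    }
    [, $class, $method, $constraints] = $m;
    if (!method_exists($class, $method)) {
        throw new InvalidArgumentException("$class has no method $method()");
    }
    // Reflection resolves inherited methods, so the parent's signature is used.
    $parameterNames = array_map(
        fn (ReflectionParameter $p) => $p->getName(),
        (new ReflectionMethod($class, $method))->getParameters()
    );
    foreach (array_filter(array_map('trim', explode(',', $constraints))) as $constraint) {
        // A constraint starts with the argument name, e.g. "comment.author".
        $name = preg_match('/^\w+/', $constraint, $hit) ? $hit[0] : '';
        if (!in_array($name, $parameterNames, true)) {
            throw new InvalidArgumentException(sprintf(
                'Pointcut argument "%s" is not a parameter of %s::%s(%s)',
                $name, $class, $method, implode(', ', $parameterNames)
            ));
        }
    }
}

foreach ([
    'method(CommentRepository->remove())',
    'method(CommentRepository->remove(comment.author === current.securityContext.party))',
] as $pointcut) {
    try {
        assertPointcutArgumentsExist($pointcut);
        echo "OK:       $pointcut\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED: {$e->getMessage()}\n";
    }
}
```

Run at policy-compilation time, a check like this turns the silently unprotected method into a build error that names the mismatched argument.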
