Bug #46036

AuthenticationRequired should not be thrown in PolicyEnforcement if resource is available to Everybody

Added by Christian Müller over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2013-03-05
Due date:
% Done: 100%
Estimated time:
PHP Version:
Has patch: No
Complexity:

Description

In case you define a (method) resource (in my case with a runtime argument condition) and you GRANT access to this resource for the "Everybody" role, you will still end up with an AuthenticationRequiredException (or, if defined, a redirect to the WebRedirect) because the AuthenticationManager will throw that when not logged in BEFORE the AccessDecisionManager checks the actual permissions for the resource.

To fix this we need to temporarily catch the exception when there were no tokens to be authenticated and check permissions on the AccessDecisionManager. If this then throws an AccessDeniedException, we know the resource was inaccessible for a not-logged-in user (at least with the current runtime evaluation) and we should probably trigger a redirect to the WebRedirect. In case the AccessDecisionManager granted access to the resource, we can proceed, as obviously the resource was meant to be available without login.
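The ordering problem and the proposed fix, as an added illustration that is not Flow's own code: the stub manager classes, their method names and the `enforceBuggy`/`enforceFixed` functions are assumptions chosen for this example (PHP 8 syntax), not the real PolicyEnforcement API.

```php
<?php
// Added example (not Flow's own code): the check ordering the report describes.
// Class and method names here are assumptions chosen for illustration (PHP 8).
class AuthenticationRequiredException extends RuntimeException {}
class AccessDeniedException extends RuntimeException {}

// Stand-in AuthenticationManager: an anonymous request carries no tokens.
final class StubAuthenticationManager
{
    public function __construct(private bool $hasTokens) {}
    public function hasTokensToAuthenticate(): bool { return $this->hasTokens; }
    public function authenticate(): void
    {
        if (!$this->hasTokens) { throw new AuthenticationRequiredException('not logged in'); }
    }
}

// Stand-in AccessDecisionManager: a callback evaluates the policy per resource and runtime arguments.
final class StubAccessDecisionManager
{
    public function __construct(private $policy) {}
    public function decideOnResource(string $resource, array $args): void
    {
        if (!($this->policy)($resource, $args)) { throw new AccessDeniedException($resource); }
    }
}

// Buggy order: authentication is demanded before the policy is consulted, so a
// resource GRANTed to Everybody still ends in AuthenticationRequiredException.
function enforceBuggy($auth, $adm, string $resource, array $args): void
{
    $auth->authenticate();
    $adm->decideOnResource($resource, $args);
}

// Fixed order (the report's proposal): with no tokens to authenticate, consult the
// AccessDecisionManager first; only a denial re-raises the authentication exception.
function enforceFixed($auth, $adm, string $resource, array $args): void
{
    try {
        $auth->authenticate();
    } catch (AuthenticationRequiredException $e) {
        if ($auth->hasTokensToAuthenticate()) { throw $e; } // something was there to authenticate
        try { $adm->decideOnResource($resource, $args); }
        catch (AccessDeniedException $denied) { throw $e; } // denied anonymously: let WebRedirect fire
        return; // granted to Everybody: proceed without login
    }
    $adm->decideOnResource($resource, $args);
}
```

With `new StubAuthenticationManager(false)` and a policy callback that returns `true` for the resource, `enforceBuggy` throws AuthenticationRequiredException while `enforceFixed` returns normally; a callback returning `false` makes both paths end in the login redirect.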

#1

Updated by Gerrit Code Review over 8 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#2

Updated by Gerrit Code Review over 8 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#3

Updated by Gerrit Code Review over 8 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#4

Updated by Gerrit Code Review over 8 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#5

Updated by Gerrit Code Review over 8 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#6

Updated by Gerrit Code Review over 8 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#7

Updated by Gerrit Code Review over 8 years ago

Patch set 7 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18695

#8

Updated by Karsten Dambekalns about 8 years ago

  • Target version changed from 2.0 to 2.0.1

#9

Updated by Gerrit Code Review almost 8 years ago

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/24240

#10

Updated by Christian Müller almost 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
