
Explain the security components #48

Open
Toflar opened this issue Aug 23, 2019 · 13 comments

Comments

@Toflar
Member

Toflar commented Aug 23, 2019

As we have additional helper services such as the TokenChecker, I think we should have a chapter about when to use which service to fetch the front end member or back end user, to check if the FE preview is enabled etc.

@fritzmg
Contributor

fritzmg commented Sep 29, 2019

I have added a Services reference article in 89850dd, which includes the TokenChecker service, as well as the security.helper service from Symfony. The descriptions are rather minimal at the moment. If the security components require their own fully fledged article, we can still add one under Framework, in addition to the reference.

@ameotoko
Contributor

$tokenChecker->isPreviewMode() method, described there, only returns true if you are in preview mode AND have "show unpublished" enabled. So you can't rely upon it if you just want to check whether you are in preview mode.

@fritzmg
Contributor

fritzmg commented Jun 21, 2020

The method isn't really described in 89850dd (if that is what you mean). It is just mentioned that it is available. The description within the code says the following:

Tells whether the front end preview can show unpublished fragments.

@ameotoko
Contributor

> Tells whether the front end preview can show unpublished fragments.

Yes, but 89850dd and Toflar's post give the impression that this is the method used to check whether or not we are in FE preview mode - which is not correct.

@Toflar
Member Author

Toflar commented Jun 22, 2020

/cc @aschempp

@aschempp
Member

aschempp commented Jun 22, 2020

There might be a confusion. Preview mode historically means being logged in to the back end and enabling show unpublished. It is not a representation whether one is visiting the front end through preview.php.

Regarding the services:

  • ScopeMatcher is related to routing, it tells which scope the current route is on. Because firewalls listen to scopes, it (most likely) also tells which firewall is active. But it does not tell about authentication and authorization.
  • TokenChecker can perform some checks on the firewall token, even if the requested firewall might not be active (e.g. check the back end firewall in the front end). It only checks authentication (user is logged in) but not authorization (what permissions are available).
  • SecurityHelper handles authentication (getUser) and authorization (isGranted) on the current firewall.

There is no way to check authorizations across firewalls, e.g. check if a back end user is allowed to access tl_page from the front end.
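As an added example (not Contao's own code, and not from any commenter in this thread), the following hypothetical service wires the three services along exactly the split described above: ScopeMatcher for the routing scope, TokenChecker for authentication across firewalls, and the Symfony security helper for authorization on the current firewall. The class name, namespace and method names are assumptions; it assumes a Contao 4 installation on PHP 8 with the three services autowired into the constructor.

```php
<?php

declare(strict_types=1);

namespace App\Security;

use Contao\CoreBundle\Routing\ScopeMatcher;
use Contao\CoreBundle\Security\Authentication\Token\TokenChecker;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Security;

/**
 * Hypothetical helper (not part of Contao) that answers three distinct
 * questions with the three distinct services, so none of them is misused
 * for a question it cannot answer.
 */
final class RequestSecurityReport
{
    public function __construct(
        private ScopeMatcher $scopeMatcher, // routing scope only
        private TokenChecker $tokenChecker, // authentication, also across firewalls
        private Security $security          // authentication + authorization, current firewall only
    ) {
    }

    /**
     * Which scope is this route in? Answers "front end or back end route",
     * not "who is logged in" and not "what may they do".
     */
    public function scope(Request $request): string
    {
        if ($this->scopeMatcher->isBackendRequest($request)) {
            return 'backend';
        }

        if ($this->scopeMatcher->isFrontendRequest($request)) {
            return 'frontend';
        }

        return 'other';
    }

    /**
     * Is a back end user authenticated, even while we are serving a front end
     * request (i.e. the back end firewall is not the active one)?
     * Authentication only: this says nothing about the user's permissions.
     */
    public function backendUserLoggedIn(): bool
    {
        return $this->tokenChecker->hasBackendUser();
    }

    /** Username of the authenticated back end user, or null if there is none. */
    public function backendUsername(): ?string
    {
        return $this->tokenChecker->getBackendUsername();
    }

    /**
     * "Preview mode" in the TokenChecker's sense: a FrontendPreviewToken is
     * present AND "show unpublished" is enabled. A false result therefore does
     * not mean that the request did not come through the preview entry point.
     */
    public function showsUnpublishedContent(): bool
    {
        return $this->tokenChecker->isPreviewMode();
    }

    /**
     * Authorization is only available for the firewall that handled the
     * current request: this asks whether the user of the *current* firewall
     * holds ROLE_ADMIN, and cannot evaluate another firewall's user.
     */
    public function currentUserIsAdmin(): bool
    {
        return $this->security->isGranted('ROLE_ADMIN');
    }
}
```

The point of keeping the methods separate is that each service answers one question: a front end request with `backendUserLoggedIn()` true still has `currentUserIsAdmin()` evaluated against the front end firewall's user, which is exactly the cross-firewall authorization gap noted above.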

@ameotoko
Contributor

I want to make it clear - I don't have any questions regarding the method itself (although its name is a bit misleading). This is only about the docs. The docs say there's a service to check whether the token for the preview mode is present, which is not exactly what that service does.

@fritzmg
Contributor

fritzmg commented Jun 22, 2020

@ameotoko That's what @aschempp is saying. The preview mode is not the same as the preview script. And the front end preview token is only available if you enabled show unpublished. If you are using the default preview.php, but without having show unpublished enabled, the FrontendPreviewToken will not be present.

@ameotoko
Contributor

Well, I just tested it, and it's not true.
https://github.com/contao/core-bundle/blob/master/src/Security/Authentication/Token/TokenChecker.php#L142

        return $token instanceof FrontendPreviewToken && $token->showUnpublished();

$token is an instance of FrontendPreviewToken every time you access FE through preview.php, regardless of show unpublished setting.

@fritzmg
Contributor

fritzmg commented Jun 22, 2020

Interesting, in my case it was always null. Anyways, we can change the wording:

-It allows you to check, whether a token for a front end user, back end user or the preview mode is present.
+It allows you to check whether a token for a front end user or back end user is present or whether the preview mode is enabled within the front end preview token.
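Review bot: the `+` line still leaves "the preview mode is enabled within the front end preview token" open to the reading this thread is about (preview mode = accessed through preview.php), whereas the method quoted above returns true only when the token is a FrontendPreviewToken and `showUnpublished()` is true; consider saying "whether 'show unpublished' is enabled in the front end preview token" so the documented check matches what isPreviewMode() actually tests.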

Btw. you can quickly make pull requests yourself by clicking on the edit this page link in the top right corner of the docs ;)

@ameotoko
Contributor

ameotoko commented Jun 22, 2020

So, the Preview mode is meant to be this show unpublished setting? I always thought Preview mode is the mode accessed through preview.php, which can do two independent things:

  • preview unpublished changes
  • impersonate frontend user

> Btw. you can quickly make pull requests yourself simply by clicking on the edit this page link in the top right corner of the docs ;)

If I had known this thread would grow so long, I would just have done a PR instead :)

@fritzmg
Contributor

fritzmg commented Jun 22, 2020

> So, the Preview mode is meant to be this show unpublished setting?

Yes, see aschempp's comment:

> Preview mode historically means being logged in to the back end and enabling show unpublished.

--

> I always thought Preview mode is the mode accessed through preview.php, which can do two independent things:

The FrontendPreviewToken can impersonate back end users, which is used by the BackendPreviewController (/contao/preview route), which enforces that it is accessed through the configured preview entry point.

@aschempp
Member

aschempp commented Oct 9, 2020

The FrontendPreviewToken is set if you click on the "show in frontend" link in the backend. If you manually enter the preview.php url, the token will not be set. (as far as I know)
