Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DX] Suggest a hint to any auth-check #4304

Closed
wants to merge 1 commit into from
Closed

[DX] Suggest a hint to any auth-check #4304

wants to merge 1 commit into from

Conversation

larsborn
Copy link
Contributor

@larsborn larsborn commented Oct 8, 2014

Suggest a hint that you need a minimum of auth-check to let the voters vote.

@larsborn
Suggest a hint to any auth-check
f35b565 
Suggest a hint that you need a minimum of auth-check to let the voters vote.
@stof
Copy link
Member

stof commented Oct 8, 2014

I don't understand what you mean

@wouterj
Copy link
Member

wouterj commented Oct 8, 2014

Voters are used when using ->isGranted. When that's called depends on your code if I'm correct.

The security system in general only works when the page is under a firewall, it doesn't depend on the access rules.

@DavidBadura
Copy link

If you have only following security configuration without access_control and you don't execute isGranted somewhere (controller / twig) then the voters will not execute. To define a firewall is not enough.

security:
    providers:
        in_memory:
            memory: ~

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        default:
            pattern: ^/
            anonymous: true

    access_decision_manager:
        strategy: unanimous

@stof
Copy link
Member

stof commented Oct 9, 2014

Of course they won't execute. Defining a firewall allows you to authenticate the user. Voters are not involved in this process at all. They are the authorization system. they are what isGranted calls to make a decision. If you don't ask any decision, there is no reason to call them (and there is no way to call them, as you would not know which argument to pass them)

@larsborn
Copy link
Contributor Author

If you implement the IP Blacklist example in a freshly created Symfony app, it doesn't work, since you don't ask for any permissions (as stof pointed out). This is exactly the reason, I suggested this minimal authorization check for IS_AUTHENTICATED_ANONYMOUSLY. If you think, that it bloats this recipe, I could also suggest a small hint instead. Either way I think, that at least a hint is necessary.

@larsborn
Copy link
Contributor Author

push

@wouterj
Copy link
Member

wouterj commented Oct 31, 2014

I believe the complete article is wrong. The voter is part of the authorization process, while the article suggests it's part of the authentication process. I think a backlist needs to be implemented by an AuthenticationListener. Security experts, please correct me if I'm wrong ;)

@larsborn larsborn changed the title Suggest a hint to any auth-check [DX] Suggest a hint to any auth-check Nov 28, 2014
@larsborn
Copy link
Contributor Author

does renaming even help, if I want to get noticed by dx.symfony.com? :)

@stof
Copy link
Member

stof commented Dec 6, 2014

Currently, dx.symfony.com only checks labelled issues. It does not yet check issue titles.

@larsborn
Copy link
Contributor Author

larsborn commented Dec 6, 2014

then Ryan might have talked about a future version of dx.symfony.com on the SymfonyCon Madrid.

@stof
Copy link
Member

stof commented Dec 16, 2014

Well, it is planned. There is a TODO in the code saying it is not implemented yet

@larsborn
Copy link
Contributor Author

but am I right, when I say, that I cannot add labels? :)

@xabbuh
Copy link
Member

xabbuh commented Dec 16, 2014

@larsborn Yes, only repository collaborators can add or remove labels.

xabbuh
xabbuh reviewed Dec 16, 2014
View reviewed changes
cookbook/security/voters.rst
@@ -197,6 +197,36 @@ application configuration file with the following code.
That's it! Now, when deciding whether or not a user should have access,
the new voter will deny access to any user in the list of blacklisted IPs.

Note that the voters are only called, if any access is actually checked. So
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comma is not needed here.

@xabbuh
Copy link
Member

xabbuh commented Dec 16, 2014

However, we should first finish the discussion if the change does make sense at all.

@wouterj
Copy link
Member

wouterj commented Feb 19, 2015

@weaverryan @stof @iltar can you please share your opinions on my comment:

I believe the complete article is wrong. The voter is part of the authorization process, while the article suggests it's part of the authentication process. I think a backlist needs to be implemented by an AuthenticationListener. Security experts, please correct me if I'm wrong ;)

@linaori
Copy link
Contributor

linaori commented Feb 20, 2015

@wouterj cookbook/security/access_control.html IP Blacklisting is mentioned here, seems to me like this is part of the authorization and not authentication.

  • If you want to give permissions (authorize) based on IP, it should be in access_control or a voter, though the latter I don't really see a proper use-case for.
  • If you want to restrict logins (authentication) from certain IPs, it should be handled in your authentication process, usually done by SimpleAuthenticatorInterface.

Right now I can't check if this is still a valid case; I remember that if you login (authenticate) without setting up proper access_control and not using any isGranted (authorization) checks, the toolbar will actually show your "logged in as", but never show you as Authenticated.

As far as I know, the access_control internally calls the voters after authentication using the AccessListener and AccessMap: Symfony/Component/Security/Http/Firewall/AccessListener.php#L64-L67

@weaverryan
Copy link
Member

Hey @larsborn!

So sorry, I got a little busy :). Some points:

  1. I agree with Wouter that this entire article (it's quite old) isn't the best approach. I would implement this in a listener - simply do some logic and throw an AccessDeniedException. And since we have a different article that properly talks about voters, this one should be updated.

  2. Also, technically speaking though, I think @larsborn is right that you'd need your voters to be called at least once for this article to be correct. That highlights that voters is awkward for blacklisting.

  3. @iltar mentioned that without access_control you may show up as "logged in" but not authenticated on the toolbar. I can confirm that - but it's a separate issue - check out my comment here (click the comments tab to see... because I haven't fixed linking yet :)) https://knpuniversity.com/screencast/symfony2-ep2/user-serialization#comment-1899008818

So, I'm going to merge this, but open an issue about this whole article.

Thanks!

weaverryan added a commit that referenced this pull request Mar 15, 2015
@weaverryan
bug #4304 [DX] Suggest a hint to any auth-check (larsborn)
206e613 
This PR was submitted for the 2.5 branch but it was merged into the 2.3 branch instead (closes #4304).

Discussion
----------

[DX] Suggest a hint to any auth-check

Suggest a hint that you need a minimum of auth-check to let the voters vote.

Commits
-------

ccdda87 Suggest a hint to any auth-check
@weaverryan weaverryan mentioned this pull request Mar 15, 2015
Closed
@xabbuh xabbuh closed this Mar 16, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Needs Work
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@larsborn @stof @wouterj @DavidBadura @xabbuh @linaori @weaverryan