[Workflow] There are no tokens available for workflow "%s" (new security system) · Issue #39505 · symfony/symfony · GitHub

Closed
lugus opened this issue Dec 14, 2020 · 6 comments

Comments

@lugus
lugus commented Dec 14, 2020

Symfony version(s) affected: 5.2.0

Description
After migrating to the new security system, it looks like it is no longer possible to apply a transition as an anonymous user because no token is available (previously we had the AnonymousToken).

How to reproduce

  • Use the new security system.

  • Have a workflow like:

```yaml
framework:
    workflows:
        user_account:
            type: 'workflow'
            supports:
                - Lugosium\Bundle\InpulsarBundle\Entity\UserAccount
            initial_marking: pending_activation
            places:
                pending_activation: ~
                enabled: ~
            transitions:
                pending_activation_to_enabled:
                    from: pending_activation
                    to: enabled
```

Apply transition pending_activation_to_enabled as anonymous.

Possible Solution
Support null token in:

https://github.com/symfony/workflow/blob/5.x/EventListener/GuardListener.php#L80

Additional context
A user registers and their account is marked as pending_activation.
When they click the email link to activate the account, I used to apply the transition pending_activation_to_enabled and then redirect the user to the login page.

@lyrixx
Member
lyrixx commented Dec 15, 2020

This is a bit weird, since you are not using an expression here.

Anyway, I must work on this one 👍🏼

@lugus
Author
lugus commented Dec 15, 2020

I searched for the reason, and it's because I have a transition enabled_to_locked that requires a special ROLE, so we pass through the GuardListener via the announce method in https://github.com/symfony/workflow/blob/5.x/Workflow.php#L244 after the transition pending_activation_to_enabled has passed (which indeed does not directly cause the issue).

@lyrixx
Member
lyrixx commented Dec 31, 2020

@wouterj Hi, I have a question for you here. We use the voter feature in the workflow, and previously there was an anon token. I always wanted to NOT use an anon token if the token storage was empty here, so as not to hide a security hole.

I'm preparing a PR to mitigate this, but the PR goes against the previous principle: I use a NullToken if the token storage is empty.

So my question is why don't you use a NullToken when the user is not connected? And another question: is there a better fix for this issue?

@wouterj
Member
wouterj commented Jan 1, 2021

Hi! First of all: Sorry, I didn't realize that Workflow had an integration for the Security system, so we haven't thought about this at all during the refactoring.

> So my question is why don't you use a NullToken when the user is not connected?

NullToken should not be used anywhere except from inside AccessDecisionManager. It has a very limited use-case (allowing voters to vote on unauthenticated sessions, e.g. allowing visitors to read public blog posts).

Any token in the new system is authenticated and represents a user. We argued that an unauthenticated session is the same as an anonymously authenticated session (in both cases, no authentication happened and we must assume that the visitor has no roles).

> is there a better fix for this issue?

I would say: Not throw the exception and handle the case where there is no token as "no roles".

All expressions of security (is_granted(), is_fully_authenticated(), etc) are able to handle the no-token situation when using the experimental system. This might result in a BC break as the token, user and role_names variables will be empty in this case, but that's fine as the experimental system doesn't have to be BC (but we should document it in the UPGRADE guide).

Btw, is there a reason the workflow doesn't use the expression features of the AccessDecisionManager and instead duplicates the logic of ExpressionVoter? At first glance, it seems to be a bit fragile to duplicate this logic.
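The handling wouterj suggests above ("no token" treated as "no roles" rather than throwing) can be illustrated with a small guard evaluator. This is an added example, not Symfony's GuardListener or any code from the thread: `GuardTokenInterface`, `SimpleToken`, `GuardEvaluator` and the `user_account` sample data are all hypothetical stand-ins, the guard expression `'ROLE_ADMIN' in role_names` is constructed from lugus's description of enabled_to_locked, and the only real dependency is the symfony/expression-language package (PHP 8.0 or later for constructor promotion).

```php
<?php
// Added example (not Symfony's own GuardListener). Shows the two ways an empty
// token storage can be handled when a guard expression is evaluated:
//   - throw, as reported in the issue for Symfony 5.2.0, or
//   - treat "no token" as "no roles", as suggested in the discussion.
// Assumes: composer require symfony/expression-language
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

// Hypothetical stand-in for Symfony's TokenInterface, reduced to what a guard needs.
interface GuardTokenInterface
{
    public function getUser(): ?string;

    /** @return string[] */
    public function getRoleNames(): array;
}

final class SimpleToken implements GuardTokenInterface
{
    /** @param string[] $roles */
    public function __construct(private string $user, private array $roles) {}

    public function getUser(): ?string { return $this->user; }

    public function getRoleNames(): array { return $this->roles; }
}

final class GuardEvaluator
{
    private ExpressionLanguage $language;

    public function __construct(private bool $throwOnMissingToken = false)
    {
        $this->language = new ExpressionLanguage();
    }

    /**
     * Builds the variables a guard expression may reference. With no token the
     * variables take the "unauthenticated" shape: user is null, role_names is empty.
     */
    public function buildVariables(?GuardTokenInterface $token, object $subject, string $workflowName): array
    {
        if (null === $token) {
            if ($this->throwOnMissingToken) {
                // Behaviour reported in the issue: the guard refuses to run without a token.
                throw new \LogicException(sprintf('There are no tokens available for workflow "%s".', $workflowName));
            }

            return ['token' => null, 'user' => null, 'role_names' => [], 'subject' => $subject];
        }

        return [
            'token' => $token,
            'user' => $token->getUser(),
            'role_names' => $token->getRoleNames(),
            'subject' => $subject,
        ];
    }

    /** Returns true when the guard expression blocks the transition. */
    public function isBlocked(string $guard, ?GuardTokenInterface $token, object $subject, string $workflowName): bool
    {
        $variables = $this->buildVariables($token, $subject, $workflowName);

        return !$this->language->evaluate($guard, $variables);
    }
}

// Constructed sample data: a guarded transition like enabled_to_locked.
$account = new class { public string $status = 'enabled'; };
$guard = "'ROLE_ADMIN' in role_names";
$evaluator = new GuardEvaluator();

// Activation link or console command: token storage is empty. No exception is
// thrown; the guarded transition is simply blocked because role_names is empty.
var_dump($evaluator->isBlocked($guard, null, $account, 'user_account'));

// Authenticated admin: the same guard lets the transition through.
var_dump($evaluator->isBlocked($guard, new SimpleToken('alice', ['ROLE_ADMIN']), $account, 'user_account'));

// Old behaviour for comparison: with throwOnMissingToken the first call above throws.
try {
    (new GuardEvaluator(true))->isBlocked($guard, null, $account, 'user_account');
} catch (\LogicException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design choice here is the one argued for in the thread: an absent token yields an empty `role_names` list, so a guard that requires a role fails closed instead of failing with an exception, and a transition applied from a console command or an anonymous activation link is blocked only by its own guard, never by the mere absence of a session.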

@lyrixx
Member
lyrixx commented Jan 5, 2021

> Hi! First of all: Sorry, I didn't realize that Workflow had an integration for the Security system, so we haven't thought about this at all during the refactoring.

No problem, don't worry :)

> Btw, is there a reason the workflow doesn't use the expression features of the AccessDecisionManager and instead duplicates the logic of ExpressionVoter? At first glance, it seems to be a bit fragile to duplicate this logic.

When I implemented the guard feature in the workflow component, I duplicated the code from https://github.com/symfony/symfony/blob/5.x/src/Symfony/Component/Security/Core/Authorization/Voter/ExpressionVoter.php

I might re-use the ExpressionVoter instead, but now it's too late I think, since we have more expressions available, like is_valid().

@rufinus
rufinus commented Jan 29, 2021

Faced the same problem today: as soon as one of the transitions uses a guard, and you want to call any other (guardless) transition via a console command for example, you get the error.

lyrixx added a commit that referenced this issue Feb 15, 2021
…system (lyrixx)

This PR was merged into the 5.2 branch.

Discussion
----------

[Worflow] Fixed GuardListener when using the new Security system

| Q             | A
| ------------- | ---
| Branch?       | 5.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #39505
| License       | MIT
| Doc PR        |

Commits
-------

bd26a79 [Worflow] Fixed GuardListener when using the new Security system
@lyrixx lyrixx closed this as completed Feb 15, 2021