10000 [Security] Expose the required roles in AccessDeniedException by Nicofuma · Pull Request #19473 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] Expose the required roles in AccessDeniedException #19473

New i 10000 ssue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 9, 2016
Merged

[Security] Expose the required roles in AccessDeniedException #19473

merged 1 commit into from
Aug 9, 2016

Conversation

Nicofuma
Copy link
Contributor
@Nicofuma Nicofuma commented Jul 29, 2016
edited
Loading
Q A
Branch? master
Bug fix? no
New feature? yes
BC breaks? no
Deprecations? no
Tests pass? yes
License MIT

Nowadays it is more and more common to protect some sensitive actions and part of a website using 2FA or some re-authentication mechanism (per example, on Github you have to enter your password again when you add an ssh key). But currently, in Symfony, it is really hard to implement without having to duplicate the logic, provide an explicit list of URLs to protect or hack into the security component.

A good way to achieve that would be to add a special role (like IS_AUTHENTICATED_FULLY) and use it in the access map. But it requires us to be able to have a custom logic in an ExceptionListener depending on the roles behind an AccessDeniedException.

With this patch we could write an ExceptionListener of this kind (a similar logic could also be used in an AccessDeniedHandler):

    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event->getException();
        do {
            if ($exception instanceof AccessDeniedException) {
                foreach ($exception->getAttributes() as $role) {
                    if ($role === 'IS_AUTHENTICATED_2FA' && !$this->accessDecisionManager->decide($this->tokenStorage->getToken(), $role, $exception->getObject())) {
                        // Start 2FA
                    }
                }
            }
        } while (null !== $exception = $exception->getPrevious());
    }

Replaces #18661

@Nicofuma Nicofuma mentioned this pull request Jul 29, 2016
Closed
@HeahDude
Copy link
Contributor

Tests are failing

Status: Needs Work

@HeahDude
Copy link
Contributor

👍 Thanks Tristan!

Status: Reviewed

@fabpot
Copy link
Member
fabpot 10000 commented Jul 29, 2016

👍

@stof
Copy link
Member
stof commented Jul 29, 2016

👍

Would be great to open a PR on SensioFrameworkExtraBundle making use of these setters when they are available, for its checks on the @Security annotation

linaori
linaori reviewed Jul 29, 2016
View reviewed changes
src/Symfony/Bundle/FrameworkBundle/Controller/Controller.php
throw $this->createAccessDeniedException($message);
$exception = $this->createAccessDeniedException($message);
$exception->setAttributes($attributes);
$exception->setObject($object);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The object doesn't have to be an object as far as I know. Since a recent version scalars are also supported I believe. Not sure if setObject is still correct in that case.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

object is the name already used by the security component

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The VoterInterface use subjet instead of object.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, I would call it Subject

@nicolas-grekas
Copy link
Member

👍

@fabpot
Copy link
Member
fabpot commented Aug 9, 2016

Thank you @Nicofuma.

@fabpot fabpot merged commit 6618c18 into symfony:master Aug 9, 2016
fabpot added a commit that referenced this pull request Aug 9, 2016
@fabpot
feature #19473 [Security] Expose the required roles in AccessDeniedEx…
90f7ff5 
…ception (Nicofuma)

This PR was merged into the 3.2-dev branch.

Discussion
----------

[Security] Expose the required roles in AccessDeniedException

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| License       | MIT

Nowadays it is more and more common to protect some sensitive actions and part of a website using 2FA or some re-authentication mechanism (per example, on Github you have to enter your password again when you add an ssh key). But currently, in Symfony, it is really hard to implement without having to duplicate the logic, provide an explicit list of URLs to protect or hack into the security component.

A good way to achieve that would be to add a special role (like IS_AUTHENTICATED_FULLY) and use it in the access map. But it requires us to be able to have a custom logic in an ExceptionListener depending on the roles behind an AccessDeniedException.

With this patch we could write an ExceptionListener of this kind (a similar logic could also be used in an AccessDeniedHandler):

```php
    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event->getException();
        do {
            if ($exception instanceof AccessDeniedException) {
                foreach ($exception->getAttributes() as $role) {
                    if ($role === 'IS_AUTHENTICATED_2FA' && !$this->accessDecisionManager->decide($this->tokenStorage->getToken(), $role, $exception->getObject())) {
                        // Start 2FA
                    }
                }
            }
        } while (null !== $exception = $exception->getPrevious());
    }
```

Replaces #18661

Commits
-------

6618c18 [Security] Expose the required roles in AccessDeniedException
@xabbuh xabbuh mentioned this pull request Sep 19, 2016
Merged
fabpot added a commit that referenced this pull request Sep 19, 2016
@fabpot
minor #19969 [Security] AccessDeniedException: rename object to subje…
a7a5c52 
…ct (xabbuh)

This PR was merged into the 3.2-dev branch.

Discussion
----------

[Security] AccessDeniedException: rename object to subject

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #19473 (comment)
| License       | MIT
| Doc PR        |

With this change the name is inline with what we use in the base voter
interface.

Commits
-------

9603ffa AccessDeniedException: rename object to subject
@fabpot fabpot mentioned this pull request Oct 27, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Feature Security Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@Nicofuma @HeahDude @fabpot @stof @nicolas-grekas @lyrixx @jvasseur @linaori @carsonbot
0