Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] Check the roles in the legacy controllers #1067

Closed
wants to merge 1 commit into from
Closed

[RFC] Check the roles in the legacy controllers #1067

wants to merge 1 commit into from

Conversation

leofeyer
Copy link
Member

Instead of calling $this->User->authenticate() twice (one time in the Token class and again in the controllers), we should remove the second call and check the roles instead.

@leofeyer leofeyer added this to the 4.5.0 milestone Sep 11, 2017
@leofeyer leofeyer self-assigned this Sep 11, 2017
@leofeyer leofeyer changed the title Check the roles in the legacy controllers [RFC] Check the roles in the legacy controllers Sep 12, 2017
aschempp
aschempp reviewed Sep 13, 2017
View reviewed changes
Copy link
Member

@aschempp aschempp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously, $this->User->authenticate() redirected to the login screen without access, e.g. also for valid requests but on session timeout. Now we're throwing an exception. That's not really wrong, but is the exception handler somewhere and redirecting to the login screen?

I think if we have Symfony security and form_login firewall (which we will have in the backend), it will redirect if we use the correct exception.

@aschempp
Copy link
Member

Also, you want to change this in 4.5 or also in the LTS version to prevent multiple authenticate runs?

@bytehead
Copy link
Member

I think this gets obsolete with Symfony security. It will check the roles.

@leofeyer
Copy link
Member Author

Previously, $this->User->authenticate() redirected to the login screen without access, e.g. also for valid requests but on session timeout. Now we're throwing an exception.

$this->User->authenticate() is already executed in the token, so if the user is not authenticated, they will be redirected to the login screen before the controller is even constructed.

The point of this PR is to prevent the authenticate() method to run a second time – you recall?

The role check is a completely new feature, which does not change the current behavior at all. In fact, the exception will never be thrown, because if the user would not have the roles, they would have been redirected to the login screen before.

@leofeyer
Copy link
Member Author

The point of this PR is to prevent the authenticate() method to run a second time – you recall?

Actually, we should change this in Contao 4.4, too, because right now the whole authentication routine is run twice. This includes the setUserFromDb() method as well as the hooks.

@contao/developers What do you think?

@leofeyer
Copy link
Member Author

I think this gets obsolete with Symfony security. It will check the roles.

@bytehead How is this going to work in the front end? Right now we only check the roles if the page is protected.

@bytehead
Copy link
Member

@leofeyer looks and acts mostly the same as your proposal here. I'm fine with this. My PR still needs some time.

@aschempp
Copy link
Member

Actually, we should change this in Contao 4.4, too, because right now the whole authentication routine is run twice. This includes the setUserFromDb() method as well as the hooks.

Exactly what I asked in #1067 (comment) 😂

@leofeyer leofeyer force-pushed the develop branch 5 times, most recently from ed0a7e5 to 3dadd44 Compare September 28, 2017 10:39
@leofeyer leofeyer modified the milestones: 4.5.0, 4.4.7 Oct 1, 2017
@leofeyer leofeyer added bug and removed feature labels Oct 1, 2017
@leofeyer leofeyer closed this Oct 3, 2017
@leofeyer leofeyer deleted the feature/check-roles branch October 3, 2017 18:49
leofeyer added a commit that referenced this pull request Oct 3, 2017
@leofeyer
Prevent the User::authenticate() method from running twice (see #1067).
1ab1524
@leofeyer
Copy link
Member Author

leofeyer commented Oct 3, 2017

See 1ab1524.

@leofeyer leofeyer modified the milestones: 4.4.7, 4.4 May 14, 2019
leofeyer added a commit that referenced this pull request Dec 6, 2019
@leofeyer
Also apply the CS fixer to the fixtures (see #1067)
82886f3 
Description
-----------

-

Commits
-------

2307fcca Also apply the CS fixer to the fixtures
leofeyer added a commit that referenced this pull request Dec 9, 2019
@leofeyer
Re-enable the single_line_throw fixer (see #1073)
cc49750 
Description
-----------

Backports the changes from #1067 and #1071.

Commits
-------

b7271857 Re-enable the single_line_throw fixer
leofeyer added a commit that referenced this pull request Dec 9, 2019
@leofeyer
Backport the CS fixer changes (see #1072)
c1b7035 
Description
-----------

Backports the changes from #1067 and #1071.

Commits
-------

8da1a5a2 Backport the CS fixer changes (see #1071)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschempp aschempp aschempp left review comments

Assignees

@leofeyer leofeyer

Labels
bug
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
3 participants
@leofeyer @aschempp @bytehead