[RTM] Use Symfony Security for authentication purposes in Contao #685
Conversation
bf65103 to b215304
8ac4255 to f3c619d
c8f2f0d to 09536d6
…symfony-authentication-2
src/Resources/contao/dca/tl_user.php
Outdated
| */ | ||
| public function switchUser($row, $href, $label, $title, $icon) | ||
| { | ||
| @trigger_error('Using tl_user->switchUser() has been deprecated and will no longer work in Contao 5.0. Use the switch_user_button_generator service instead', E_USER_DEPRECATED); | ||
|
|
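Review bot: the deprecation message names the replacement as `switch_user_button_generator`, but services.yml in this PR registers the service as `contao.security.switch_user_button_generator`; use the full service id in the message so the hint is actionable for developers who grep for it.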
The rest of this method should be removed or replaced by the new switch user stuff.
👍
| /** @var BackendUser $targetUser */ | ||
| $targetUser = $event->getTargetUser(); | ||
|
|
||
| $this->logger->info(sprintf("User %s has switched to user %s.", $user->username, $targetUser->username)); |
The only purpose of this listener is to log the action? If that's a replacement of an existing log, we should log with a ContaoContext to make it appear in the backend log.
That should be the replacement of the existing log, but I didn't get how it's done to make it appear in the backend.
| $logger->log($level, $strText, array('contao' => new ContaoContext($strFunction, $strCategory))); |
Ah, thank you! I'll update it later.
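A switch-user listener that logs with a ContaoContext so the entry lands in the backend log, written here as an added example and not the listener from this PR. It assumes the `Contao\CoreBundle\Monolog\ContaoContext` class with a `(function, category)` constructor as in the call quoted above and its `ACCESS` category constant, Symfony's `SwitchUserEvent` with `getToken()` (Symfony 3.4 and later), and the hypothetical class name `SwitchUserLogListener`:

```php
<?php

namespace App\EventListener; // hypothetical namespace, not the bundle's own

use Contao\CoreBundle\Monolog\ContaoContext;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;

/**
 * Logs the start and end of an impersonation in the Contao backend log.
 *
 * Added example. Assumes ContaoContext and its ACCESS constant as shipped
 * with Contao 4 and SwitchUserEvent::getToken() from Symfony 3.4+.
 */
class SwitchUserLogListener
{
    /** @var LoggerInterface */
    private $logger;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    public function onSwitchUser(SwitchUserEvent $event)
    {
        $token = $event->getToken();

        // Without a token nobody is authenticated, so there is nothing to attribute the entry to.
        if (null === $token) {
            return;
        }

        $actor  = $token->getUsername();
        $target = $event->getTargetUser()->getUsername();

        // Symfony fires the same event when leaving impersonation
        // (?_switch_user=_exit); record that as a switch back.
        $isExit = '_exit' === $event->getRequest()->get('_switch_user');
        $verb   = $isExit ? 'has switched back to' : 'has switched to';

        // The "contao" context key is what the Contao log handler looks for;
        // with it the entry is written to tl_log and shows up in the backend log.
        $this->logger->info(
            sprintf('User "%s" %s user "%s"', $actor, $verb, $target),
            array('contao' => new ContaoContext(__METHOD__, ContaoContext::ACCESS))
        );
    }
}
```

Logging both directions matters for auditing: an admin who leaves impersonation should leave the same trail as one who starts it, otherwise the backend log shows a switch with no end.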
src/Resources/config/services.yml
Outdated
| - "@contao.framework" | ||
|
|
||
| contao.security.switch_user_button_generator: | ||
| class: Contao\CoreBundle\Security\User\SwitchUserButtonGenerator |
To me this is an event (callback) listener and should be in the according namespace.
|
|
||
| if ($authorizationChecker->isGranted('ROLE_PREVIOUS_ADMIN')) { | ||
| $logoutLink = $router->generate('contao_backend', [ | ||
| '_switch_user' => '_exit', |
This is a new feature, right? Previously a login just logged out whatever user was currently in. Might be confusing if we don't change the logout label to "switch back to X".
Good point :)
The current label is "Close the current session" and thus not wrong in my opinion.
Changed in e2bed63.
| $stmt->execute(); | ||
|
|
||
| if (0 === $stmt->rowCount()) { | ||
| throw new UserNotFoundException('Invalid user ID' . $row['id']); |
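Review bot: the exception message `'Invalid user ID' . $row['id']` has no separator between the text and the id, so it renders as e.g. `Invalid user ID42`; use `'Invalid user ID ' . $row['id']` (or `sprintf('Invalid user ID %s', $row['id'])`).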
This should never happen, so I would simply return empty string (remove action) in this case and not add a new exception for a never-happening case :)
| '_switch_user' => $user->username | ||
| ]); | ||
|
|
||
| return $this->twig->render('@ContaoCore/Backend/switch_user.html.twig', [ |
Do we need a twig template for this? Generally good, but there are so many places where we currently don't…
Yes IMHO we need exactly that. Otherwise we will end up like the DCA classes are right now with template code in the logic parts. And we have to start using (twig) templates at some point.
OK, but then this should be a general button template, right?
Good idea. Should be discussed with the others probably?
5cae2cf to 7e9ecad
0424c9f to 88860b8
| * | ||
| * @param DataContainer $dc | ||
| */ | ||
| public function checkRemoveSession($dc) |
No BC break if you remove a public method?
It is a BC break for sure. The question is whether our BC promise includes DCA files, which I think it doesn't.
| @@ -1 +0,0 @@ | |||
| <a href="{{ url }}" title="{{ title }}">{{ image | raw }}</a> | |||
?
| 'title' => $title, | ||
| 'image' => Image::getHtml($icon, $label), | ||
| ]); | ||
| return sprintf('<a href="%s" title="%s">%s</a>', $url, $title, Image::getHtml($icon, $label)); |
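Review bot: the `sprintf` on the last line interpolates `$url` and `$title` verbatim, whereas the removed Twig template (`{{ url }}`, `{{ title }}`) auto-escaped them; either confirm the caller already passes HTML-escaped values or run both through `htmlspecialchars()` before building the `<a>` tag.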
I'm totally against removing the template. Now we have HTML somewhere in the logic again.
The PR is almost ready to merge. There are two open issues:
Regarding 1.: We are logging "switch user" actions but not "log in as member" actions. Is this ok or should we log both or none?
| $objTemplate->user = \Input::post('user'); | ||
| /** @var User $user */ | ||
| $user = $token->getUser(); | ||
| $objUser = \MemberModel::findByUsername($user->getUsername()); |
This is also something that makes me wonder. Shouldn't $token->getUser() return the user object already? Why are we loading the member model?
The getUser() on the token can have a fully loaded user instance, but you cannot be sure.
Normally it holds only the unserialized data from the session storage.
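The point about the token holding an unserialized copy rather than a trustworthy user object is what the PR's `EquatableInterface` ToDo addresses. The class below is an added example with a hypothetical name (`SessionAwareUser`) and hypothetical fields, not Contao's user class; it only assumes Symfony's `UserInterface` and `EquatableInterface`, which the Security component ships:

```php
<?php

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Minimal user class implementing EquatableInterface (added example).
 *
 * On every request Symfony refreshes the user from the provider and, when the
 * user class is equatable, asks the session copy whether it still equals the
 * freshly loaded copy. Answering false de-authenticates the session, so a
 * password change, role change or account lock in the DB takes effect at once.
 */
class SessionAwareUser implements UserInterface, EquatableInterface
{
    private $username;
    private $password; // password hash as stored in the DB
    private $roles;
    private $locked;

    public function __construct($username, $password, array $roles, $locked = false)
    {
        $this->username = $username;
        $this->password = $password;
        sort($roles);              // order-independent comparison later on
        $this->roles = $roles;
        $this->locked = (bool) $locked;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt() { return null; }
    public function getRoles() { return $this->roles; }
    public function eraseCredentials() {}

    /**
     * Compare the security-relevant attributes, not object identity: the token
     * holds an unserialized copy while the provider returns a fresh object.
     */
    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof self) {
            return false;
        }

        return $this->username === $user->username
            && hash_equals($this->password, $user->password)
            && $this->roles === $user->roles
            && $this->locked === $user->locked;
    }
}

// Constructed demonstration values (placeholder hashes, not real bcrypt output):
// what the session still holds versus what the database now says.
$fromSession  = new SessionAwareUser('k.jones', '$2y$10$placeholder-old', array('ROLE_USER'));
$fromDatabase = new SessionAwareUser('k.jones', '$2y$10$placeholder-new', array('ROLE_USER'));

var_dump($fromSession->isEqualTo($fromSession));   // same attributes
var_dump($fromSession->isEqualTo($fromDatabase));  // password hash differs, session copy is stale
```

Without `EquatableInterface`, Symfony falls back to comparing password, salt, username and roles itself; implementing it lets the application include fields such as an account lock that the default comparison does not know about.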
| @@ -13,16 +13,19 @@ | |||
| <?php endif; ?> | |||
| <input type="hidden" name="FORM_SUBMIT" value="<?= $this->formId ?>"> | |||
| <input type="hidden" name="REQUEST_TOKEN" value="{{request_token}}"> | |||
| <?php if ($this->targetPath): ?> | |||
| <input type="hidden" name="<?= $this->targetName ?>" value="<?= $this->targetPath ?>"> | |||
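Review bot: in the added hidden input `$this->targetName` goes into the `name` attribute unescaped just as `$this->targetPath` does into `value`; both should pass through `htmlspecialchars()` (or the template's escaping helper), not only the value.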
I also wonder if this is prone to manipulation? @ausi /cc
Maybe we should check if it's an existing page from the installation?
I don't know. It seems it is a hidden field in Symfony, too: https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/CsrfFormLoginBundle/Form/UserLoginType.php#L47
Well, you can only manipulate it through the web inspector. Which means the redirect target after login is manipulated. I can't really see an issue in that; it does not send any data to that URL.
htmlspecialchars() is missing for $this->targetPath, either in the template or in ModuleLogin. As it is now it’s vulnerable to XSS.
Fixed in 975070e.
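The two concerns raised about the hidden redirect-target field above (missing `htmlspecialchars()` and the field being open to manipulation) can be handled at one place when the field is rendered. The code below is an added example, not code from this PR or from ModuleLogin; `sanitizeTargetPath`, `attr` and `renderTargetField` are hypothetical helper names, and it goes beyond the thread by also restricting the value to a same-site path:

```php
<?php

/**
 * Return $path only if it is a relative, same-site path; otherwise $fallback.
 * Rejects absolute URLs, protocol-relative URLs, URL schemes and control
 * characters so a tampered hidden field cannot send the user off-site.
 * (Added example; hypothetical helper.)
 */
function sanitizeTargetPath($path, $fallback = '/')
{
    $path = (string) $path;

    if ('' === $path || strlen($path) > 2048) {
        return $fallback;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path)) {        // has a scheme (https:, javascript:, ...)
        return $fallback;
    }
    if (0 === strpos($path, '//') || 0 === strpos($path, '/\\')) { // protocol-relative, incl. backslash variant
        return $fallback;
    }
    if (preg_match('/[\x00-\x1F\x7F\s]/', $path)) {             // control characters or whitespace
        return $fallback;
    }
    $parts = parse_url($path);
    if (false === $parts || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }

    return '/' . ltrim($path, '/');                            // normalise to exactly one leading slash
}

/** Escape for use inside a double-quoted HTML attribute; this is the call the template was missing. */
function attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened replacement for
 *   <input type="hidden" name="<?= $this->targetName ?>" value="<?= $this->targetPath ?>">
 * which echoed both values unescaped.
 */
function renderTargetField($name, $path)
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        attr($name),
        attr(sanitizeTargetPath($path))
    );
}

// Constructed inputs for demonstration: a legitimate page, an HTML-injection
// attempt, an absolute URL, a protocol-relative URL and a scheme-only value.
$cases = array(
    '/en/account.html',
    '"><b>injected</b>',
    'https://example.invalid/elsewhere',
    '//example.invalid/elsewhere',
    'javascript:void(0)',
);

foreach ($cases as $case) {
    echo renderTargetField('_target_path', $case), PHP_EOL;
}
```

Only the first case survives as a path; the injection attempt is turned into inert entity text by `attr()`, and the remaining three are replaced by the fallback before they reach the attribute.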
1c252ad to 94916b8
Thank you, big time @bytehead.
Functionality broke with contao/core-bundle#685 as User->logout uses a RedirectResponseException.
Description
-----------
Functionality broke with contao/core-bundle#685 as `User->logout()` uses a RedirectResponseException. Fixes #93.

Commits
-------
14f6a80 Respect jump to on close account.
da85783 Use System::getContainer() instead of Controller::getContainer()
This is a working draft to replace the current `simple_preauth` mechanism to login backend users and frontend members with the `form_login` from the Symfony Security Component. Please review and mention all missed topics.

ToDos:
- `BackendUser`
- `framework.session.cookie_lifetime`)
- `contao_`)
- `FrontendUser`
- `postAuthenticate`
- `postLogin`
- `checkCredentials` (needs a custom `AuthenticationProvider`)
- `importUser`
- `postLogout`
- `accountLocked` stuff
- `postAuthenticate` hook
- `checkCredentials` hook
- `importUser` hook
- `postLogout` hook

Fixes needed:
- Backend login redirect: Simple test: login, go somewhere, delete your session cookie.
- `Config`, `Environment`)
- `importUser` only on `POST` request
- `UserChecker` in `Frontend`
- `EquatableInterface` on User to compare the token object and DB object
- `BackendUser::getInstance` check if there is a valid `_security_contao_backend` token in the actual session to restore the user from
- `FrontendUser::getInstance` check if there is a valid `_security_contao_frontend` token in the actual session to restore the user from

Nice to have (possibly future PRs):
- `DoctrineTokenProvider` for persistent remember me tokens

Possible new features (future PRs):
- `activate`, `change-password` or similar