[DataObject][Preview] Add option to verify in controller if request comes from object preview #5164

Open
fashxp opened this issue Oct 29, 2019 · 4 comments

Comments

@fashxp (Member) commented Oct 29, 2019

  • check if request comes from object preview
  • check for existing admin session etc. to verify if request

then also update demo, see pimcore/demo#154

@dpfaffenbauer (Contributor) commented Oct 29, 2019

basically, everything for that already exists, doesn't it? so, if $requestHelper->isFrontendRequestByAdmin($request) lets you know that it is a backend admin request, so basically, if it's a frontend controller, it is a preview request. You can also fetch the preview query parameter to be absolutely sure.

@dpfaffenbauer (Contributor) commented Oct 29, 2019

only issue currently is #5106

@fashxp (Member, Author) commented Oct 29, 2019

But isFrontendRequestByAdmin does not check if really an admin session is there, does it?
So, if somebody just adds the parameters to the request, she could simulate a preview request and, for example, access unpublished data.

Or did I miss something?

@dpfaffenbauer (Contributor) commented Oct 29, 2019

You can pass the isFrontendRequestByAdmin check by adding one of these query parameters:

 - 'pimcore_editmode',
 - 'pimcore_preview',
 - 'pimcore_admin',
 - 'pimcore_object_preview',
 - 'pimcore_version'

But yes, there is a problem, isFrontendRequestByAdmin always returns true with one of these parameters set and thus you can see unpublished data under certain circumstances.
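The fix the thread converges on is to require an authenticated admin session in addition to the preview query parameter before a frontend controller exposes unpublished objects. The following is an added illustration for this issue, not code from Pimcore or the pimcore/demo project. It assumes `RequestHelper::isFrontendRequestByAdmin()` as named above, and it assumes that `\Pimcore\Tool\Authentication::authenticateSession()` resolves the admin user from the session (returning null when there is none); `DataObject\Product` and the Twig template are placeholders for the project's own classes and views.

```php
<?php
// Added example (not Pimcore's or the demo's own code): a frontend controller
// that treats a request as an object preview only when the preview parameter
// is present AND an authenticated admin session backs it.
// Assumptions: Pimcore\Http\RequestHelper::isFrontendRequestByAdmin() as used in
// this issue; Pimcore\Tool\Authentication::authenticateSession() returning the
// admin User or null; DataObject\Product is a placeholder for a project class.

namespace App\Controller;

use Pimcore\Controller\FrontendController;
use Pimcore\Http\RequestHelper;
use Pimcore\Model\DataObject;
use Pimcore\Tool\Authentication;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class ProductController extends FrontendController
{
    /**
     * Weak check, as discussed in this issue: any client that appends one of
     * the admin query parameters (e.g. pimcore_object_preview) passes this,
     * so it must not be used on its own to reveal unpublished data.
     */
    private function isPreviewByParameterOnly(Request $request, RequestHelper $requestHelper): bool
    {
        return $requestHelper->isFrontendRequestByAdmin($request);
    }

    /**
     * Hardened check: the parameter only counts when the request also
     * carries a valid admin session.
     */
    private function isVerifiedPreview(Request $request, RequestHelper $requestHelper): bool
    {
        if (!$this->isPreviewByParameterOnly($request, $requestHelper)) {
            return false;
        }

        // Assumed helper: resolves the admin user from the session, null if absent.
        $adminUser = Authentication::authenticateSession($request);

        return $adminUser !== null;
    }

    public function detailAction(Request $request, RequestHelper $requestHelper): Response
    {
        $id = (int) $request->get('id');

        // Unpublished objects are only loadable for a verified admin preview.
        $previousHideSetting = DataObject\AbstractObject::getHideUnpublished();
        if ($this->isVerifiedPreview($request, $requestHelper)) {
            DataObject\AbstractObject::setHideUnpublished(false);
        }

        try {
            // Placeholder class name; replace with the project's own object class.
            $product = DataObject\Product::getById($id);
        } finally {
            // Always restore the default so the relaxed setting cannot leak
            // into later queries of the same request.
            DataObject\AbstractObject::setHideUnpublished($previousHideSetting);
        }

        if (!$product) {
            // Same response for "missing" and "unpublished, not previewing":
            // an anonymous client learns nothing about unpublished objects.
            throw $this->createNotFoundException();
        }

        return $this->render('product/detail.html.twig', ['product' => $product]);
    }
}
```

The important design point is that the query parameter is only a hint about intent; the decision to relax the published filter rests on the session check, and the filter is restored in a `finally` block so a single action cannot leave it disabled for the rest of the request.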
