Log message #4261766

# At Username Text
# Apr 23rd 2021, 11:23 kevin.pfeifer so `skipAuthorization` just tells the plugin that there is no authorization needed for this function
# Apr 23rd 2021, 11:20 kevin.pfeifer authentication => who are you? authorization => I know who you are, but are you allowed to do X?
# Apr 23rd 2021, 11:19 kevin.pfeifer it's just that sometimes people mix up authentication and authorization
# Apr 23rd 2021, 11:19 kevin.pfeifer as I understand it `skipAuthorization` just doesn't require the `->authorize($entity)` function to be called in that function. Authentication (which is not the same as authorization) is still required
# Apr 23rd 2021, 11:16 paolo.bragagni not really the best idea in the world to call it "skipping authorization" :)
# Apr 23rd 2021, 11:16 paolo.bragagni hahaha yes
# Apr 23rd 2021, 11:16 paolo.bragagni So probably is better to insert "skipping authorization"
# Apr 23rd 2021, 11:16 ndm The naming is really not great.
# Apr 23rd 2021, 11:15 ndm Note that there is no security issue, "skipping authorization" will not actually skip any authorization checks that are actually being performed, it's just a flag that will prevent the error that tells you about no authorization checks having been applied.
# Apr 23rd 2021, 11:14 paolo.bragagni hummmm
# Apr 23rd 2021, 11:14 ndm @paolo.bragagni That's exactly the point, you skip it on POST, which is when the component will do the redirect, ie when your controller action code will actually _not_ run. It's still a somewhat fragile construct, but without changes in the plugin, there's not too much that can be done.
# Apr 23rd 2021, 11:09 paolo.bragagni @ndm but in this way I skip auth when I post to index. I don't think is the best way to act for security... :S
# Apr 23rd 2021, 11:01 st.steinkuehler Does anyone have experience with Web Components and CakePHP? Detailed question here: https://discourse.cakephp.org/t/web-components-cakephp/9280 - Thanks.
# Apr 23rd 2021, 11:01 slackebot component triggers the redirect.
# Apr 23rd 2021, 11:01 slackebot eg: ```public function beforeFilter(\Cake\Event\EventInterface $event) { parent::beforeFilter($event); if ( $this->request->getParam('action') === 'index' && $this->request->is('post') ) { $this->Authorization->skipAuthorization(); } }``` I guess an event or a callback for the search component might be useful here, so that one could hook in there and be sure authorization is really only skipped when the
# Apr 23rd 2021, 11:01 ndm @paolo.bragagni I guess it's the POST to GET redirect of the search component then, it will happen before your action runs, ie before your controller action applies any authorization checks. Depending on what authorization checks you want to apply, the solution in the issue might generally be the way to go, ie add a check in `beforeFilter` for the action, and skip authorization in there, but only do that if it's a POST request,
# Apr 23rd 2021, 10:50 paolo.bragagni if I access to my action directly everything is ok, but when I fire up searching, I get 'The request to `/articles` did not apply any authorization checks.' And it seems that I don't arrive to action (index) code.
# Apr 23rd 2021, 10:48 paolo.bragagni is the same of that https://github.com/FriendsOfCake/search/issues/265
# Apr 23rd 2021, 10:47 paolo.bragagni @ndm I'm trying to search inside index action. I don't want to skip authorization in index.
# Apr 23rd 2021, 10:38 kevin.pfeifer I am not sure what you mean @birdy247
# Apr 23rd 2021, 10:38 ndm what does that even mean?
# Apr 23rd 2021, 10:30 birdy247 Is there a way to reinvoke a virtual property
# Apr 23rd 2021, 10:17 slackebot for specific endpoints that definitely do not need to apply any authorization checks. You can do that via the `Authorization` component's `skipAuthorization` method, eg in your controller action `$this->Authorization->skipAuthorization();` https://book.cakephp.org/authorization/2/en/component.html#skipping-authorization
# Apr 23rd 2021, 10:17 ndm @paolo.bragagni That error message is primarily a development aid (the error is being thrown at the end of a request cycle, ie after controller actions already ran, it will not prevent access), it is meant to help noticing endpoints that are missing authorization, which could be by accident. What you are doing there is disabling that check for all endpoints, and instead of doing that, it's usually better to just disable the check
# Apr 23rd 2021, 10:11 ndm @v.plancher No, I mean what you're already doing, eg selecting `'alias' => 'Model.column'` instead of just selecting `'Model.column'`.
# Apr 23rd 2021, 08:37 paolo.bragagni :(
# Apr 23rd 2021, 08:37 paolo.bragagni I've changed to this ```$middlewareQueue->add(new AuthorizationMiddleware($this, [ 'requireAuthorizationCheck' => false ]));``` and now search is working, but I don't know what it means
# Apr 23rd 2021, 07:57 v.plancher @ndm What do you mean by "using custom aliases"? Do you refer to setting manually a `->join()` (instead of `leftJoinWith`)?
# Apr 23rd 2021, 06:36 paolo.bragagni when I filter I get 'The request to `/articles` did not apply any authorization checks.'
# Apr 23rd 2021, 06:35 paolo.bragagni hi all. some problems with search plugin (FoC)
# Apr 23rd 2021, 06:07 k4t Hi guys, my customer has his own portal under its domain: example.com and I created for him another portal in CakePHP which will be stored on my company servers. Now customer wants to have my portal under his domain under following url: example.com/my-portal - is it possible? Normally I would expect separate domain or subdomain from the customer for my portal.
# Apr 23rd 2021, 05:49 admad @greg138 just curious why you had to rename `groups`, the reserved word is `group`.
# Apr 23rd 2021, 04:31 greg138 There's a bunch of new keywords added in v8. Just had to rename my "groups" table (for role-based access) because of this.
# Apr 23rd 2021, 04:31 greg138 My understanding is that the performance penalty is in the Cake side, and adds maybe a ms or something per query. If you have hundreds of queries, that can add up to a sizable penalty. If you have one very long-running query, it's an insignificant drop in the bucket. And I think (but have never needed it...) that there's a way to enable it just for a particular query and disable again afterwards?
# Apr 22nd 2021, 21:45 richard words to avoid when naming db columns
# Apr 22nd 2021, 21:45 richard @umer936 if you want to stop using quoteidentifiers one day: https://dev.mysql.com/doc/refman/5.7/en/keywords.html
# Apr 22nd 2021, 21:04 umer936 Oof. Makes sense though... This query in general is pretty rough ... It takes like 2min :P
# Apr 22nd 2021, 20:52 greg138 Beware that quoteIdentifiers does come with a performance penalty. :(
# Apr 22nd 2021, 19:40 umer936 Thanks y'all!
# Apr 22nd 2021, 19:40 umer936 quoteIdentifiers have fixed the issue :)
# Apr 22nd 2021, 19:35 kevin.pfeifer i just checked it with cake4 and there it doesn’t have that weird behaviour