| # |
Apr 23rd 2021, 11:35 |
 paolo.bragagni |
or pherhaps I dont understand.. :) |
| # |
Apr 23rd 2021, 11:34 |
paolo.bragagni |
the best for me seems to skipAuthorization when I'll go in production |
| # |
Apr 23rd 2021, 11:33 |
paolo.bragagni |
at least It seems to me :S |
| # |
Apr 23rd 2021, 11:32 |
paolo.bragagni |
@ndm yes I've understand your explaination |
| # |
Apr 23rd 2021, 11:32 |
steinkel |
search is posting to another action then... check @ndm answer |
| # |
Apr 23rd 2021, 11:32 |
ndm |
@paolo.bragagni But you did understand my explanation, didn't you? |
| # |
Apr 23rd 2021, 11:31 |
paolo.bragagni |
when search is fired I have the 'error' and it doesnt go in index() |
| # |
Apr 23rd 2021, 11:30 |
steinkel |
then call `->authorize` in the index action |
| # |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
(authorization) |
| # |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
I dont want to skip auth when I search in index |
| # |
Apr 23rd 2021, 11:30 |
paolo.bragagni |
I need use authorization but Id like that search in index require authorization |
| # |
Apr 23rd 2021, 11:29 |
steinkel |
the exception is there to remind you need to do this or this action could be accessed for any authenticated user |
| # |
Apr 23rd 2021, 11:28 |
steinkel |
@paolo.bragagni if you use Authorization, you need to call at least once to either `->authorize OR ->skipAuthorization` |
| # |
Apr 23rd 2021, 11:27 |
steinkel |
sounds right to me |
| # |
Apr 23rd 2021, 11:27 |
kevin.pfeifer |
or am I wrong? ,:) |
| # |
Apr 23rd 2021, 11:23 |
kevin.pfeifer |
so `skipAuthorization` just tells the plugin that there is no authorization needed for this function |
| # |
Apr 23rd 2021, 11:20 |
kevin.pfeifer |
authentication => who are you? authorization => i know who you are, but are you allowed to do X? |
| # |
Apr 23rd 2021, 11:19 |
kevin.pfeifer |
its just that sometimes people mix up authentication and authorization |
| # |
Apr 23rd 2021, 11:19 |
kevin.pfeifer |
as I understand it `skipAuthorization` just doesn't require the `->authorizte($entity)` function to be called in that function Authentication (which is not the same as authorization) is still required |
| # |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
not really the better idea of the world to call it '"skipping authorization" :) |
| # |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
hahaha yes |
| # |
Apr 23rd 2021, 11:16 |
paolo.bragagni |
So probably is better to inssert "skipping authorization" |
| # |
Apr 23rd 2021, 11:16 |
ndm |
The naming is really not great. |
| # |
Apr 23rd 2021, 11:15 |
ndm |
Note that there is no security issue, "skipping authorization" will not actually skip any authoriaztion checks that are actually being performed, it's just a flag that will prevent the error that tells you about no authorization checks having been applied. |
| # |
Apr 23rd 2021, 11:14 |
paolo.bragagni |
hummmm |
| # |
Apr 23rd 2021, 11:14 |
ndm |
@paolo.bragagni That's exactly the point, you skip it on POST, which is when the component will do the redirect, ie when your controller action code will actually _not_ run. It's still a somewhat fragile construct, but without changes in the plugin, there's not too much that can be done. |
| # |
Apr 23rd 2021, 11:09 |
paolo.bragagni |
@ndm but in this way I skip auth when I post to index. I sdont think is the best way to act for security... :S |
| # |
Apr 23rd 2021, 11:01 |
st.steinkuehler |
Does anyone have experience with Web Components and CakePHP? Detailed question here: https://discourse.cakephp.org/t/web-components-cakephp/9280 - Thanks. |
| # |
Apr 23rd 2021, 11:01 |
slackebot |
component triggers the redirect. |
| # |
Apr 23rd 2021, 11:01 |
slackebot |
eg: ```public function beforeFilter(\Cake\Event\EventInterface $event) { parent::beforeFilter($event); if ( $this->request->getParam('action') === 'index' andand $this->request->is('post') ) { $this->Authorization->skipAuthorization(); } }``` I guess an event or a callback for the search component might be useful here, so that one could hook in there and be sure authorization is really only skipped when the |
| # |
Apr 23rd 2021, 11:01 |
ndm |
@paolo.bragagni I guess it's the POST to GET redirect of the search component then, it will happen before your action runs, ie before your controller action applies any authorization checks. Depending on what authorization checks you want to apply, the solution in the issue might generally be the way to go, ie add a check in `beforeFilter` for the action, and skip authorization in there, but only do that if it's a POST request, |
| # |
Apr 23rd 2021, 10:50 |
paolo.bragagni |
if I access to my action directly everything is ok, but when I fire up searching, I get 'The request to `/articles` did not apply any authorization checks.' And it seems that I dont arrive to action (index) code. |
| # |
Apr 23rd 2021, 10:48 |
paolo.bragagni |
is the same of that https://github.com/FriendsOfCake/search/issues/265 |
| # |
Apr 23rd 2021, 10:47 |
paolo.bragagni |
@ndm I'm trying to search inside index action. I dont want to skip authorization in index. |
| # |
Apr 23rd 2021, 10:38 |
kevin.pfeifer |
i am not sure what you mean @birdy247 |
| # |
Apr 23rd 2021, 10:38 |
ndm |
what does that even mean? |
| # |
Apr 23rd 2021, 10:30 |
birdy247 |
Is there a way to reinvoke a virtual property |
| # |
Apr 23rd 2021, 10:17 |
slackebot |
for specific endpoints that definitely do not need to apply any authorization checks. You can do that via the `Authorization` component's `skipAuthorization` method, eg in your controller action `$this->Authorization->skipAuthorization();` https://book.cakephp.org/authorization/2/en/component.html#skipping-authorization |
| # |
Apr 23rd 2021, 10:17 |
ndm |
@paolo.bragagni That error message is primarily a development aid (the error is being thrown at the end of a request cycle, ie after controller actions already ran, it will not prevent access), it is ment to help noticing endpoints that are missing authorization, which could be by accident. What you are doing there is disabling that check for all endpoints, and instead of doing that, it's usually better to just disable the check |
| # |
Apr 23rd 2021, 10:11 |
ndm |
@v.plancher No, I mean what you're already doing, eg selecting `'alias' => 'Model.column'` instead of just selecting `'Model.column'`. |
| # |
Apr 23rd 2021, 08:37 |
paolo.bragagni |
:( |