$objectIdentity = new ObjectIdentity('class', $fqcn); is really
equal to the $objectIdentity used in your isGranted call.
The only thing I can imagine is that they aren't.
> if ($this->securityContext->isGranted('OWNER', $objectIdentity) ===
> false) {
> throw new AccessDeniedException();
> }
> And now, access is always denied, even if I log in with a user that has the
> ROLE_ADMIN role. What am I doing wrong?
> Thanks,
> Gergely
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
> You received this message because you are subscribed to the Google
> Groups "Symfony2" group.
> To post to this group, send email to symfony2@googlegroups.com
> To unsubscribe from this group, send email to
> symfony2+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/symfony2?hl=en
--new getunik product-------------------------
Fundraising via SMS! Donations via SMS are fast, convenient and low priced!
www.getunik.com/smsspenden (in german)
*****************************************************************
think before you print - for the sake of nature
*****************************************************************
I have found since then that an insertClassAce() method also exists. I've
emptied my ACL tables, created the ACL with insertClassAce instead of
insertObjectAce, but the result is the same: access denied is thrown when
it should not be. With this method, the debug message is still the same:
ACL found, no ACEs applicable...
Since then, I have found an issue in Symfony's GitHub:
As soon as I make this change in Symfony sources, everything works like
charm.
--
"You need to believe in things that aren't true. How else can they become?"
- Terry Pratchett
Okay, if anyone is interested, here are my results.
Both my Users and Roles are loaded from the ORM. Also, my Role entity has a
childRoles property, which is a self-referencing manyToMany mapping. My
role hierarchy implementation worked so that the getReachableRoles() method
returned an array of Role entities. As soon as I return an array of strings
(string representations of the Role entities, e.g. $role->getRole()), it
starts to work.
This is a bit awful if you ask me, but Symfony developers say that my
previous workaround (when I modified the Symfony sources) can address a
security issue (although they never talked about any details), so I went
this way.
Best,
Gergely
--
"You need to believe in things that aren't true. How else can they become?"
- Terry Pratchett
After going further with this new implementation of my RoleHierarchy class,
it turned out that
$this->get('security.context')->is_granted('ROLE_SOMETHING') stops working
with the array-of-strings way. So on to a next attempt (sorry for making a
developer blog-like stuff of this post...)
So in my pain my last hope was "extends". After I changed my Role entity to
extend Symfony's Role object (Symfony\Component\Security\Role\Role), it
seems to work, now with both access checking methods. But it seems waaay
too ugly for me.
> 2012/9/1 Gergely Polonkai <pol...@w00d5t0ck.info>
>> Since then, I have found an issue in Symfony's GitHub:
>> As soon as I make this change in Symfony sources, everything works like
>> charm.
>> --
>> "You need to believe in things that aren't true. How else can they
>> become?" - Terry Pratchett
On Saturday, September 1, 2012 11:10:42 PM UTC+2, Gergely Polonkai wrote:
The solution I opted for was to leave the Symfony source code as it is (seeing as the pull request was rejected in a rather dismissive way) and to implement the SecurityIdentityRetrievalStrategyInterface in a custom class and hook that into security.yml.
https://gist.github.com/3607658 -- for the implementation and the security.yml configuration. Lines 58-63 are basically the same as my pull request and my code now uses this RetrievalStrategy rather than Symfony's built-in one. It's a bit b0rked to have to do something like this rather than use the built-in system, but it works and there is no need to change my entities. I'd still be interested in johschmitt's reasoning as to why this is a security problem though... :)
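The root cause the thread circles around is how role identities get built for the ACL check. In Symfony 2.1 (the version of this thread), RoleSecurityIdentity's constructor only calls getRole() on instances of Symfony's own Role class; any other object is stored as-is, and since RoleSecurityIdentity::equals() compares role values, an ORM Role entity never matches the identity an ACE was stored under. That is why "ACL found, no ACEs applicable" appears, why returning strings from getReachableRoles() made the ACL work but broke the RoleVoter (which calls getRole() on each role), and why "extends Role" fixed both. The custom retrieval strategy below is an added example, written for this page and not code from the thread, from the linked gist, or from Symfony itself. It normalises every reachable role to its name before building the RoleSecurityIdentity, so the hierarchy can keep returning Role entities (and is_granted('ROLE_X') keeps working) while ACL lookups still match. Assumptions: Symfony 2.1 namespaces and the SecurityIdentityRetrievalStrategyInterface contract as shipped in that version; the namespace Acme\SecurityBundle\Acl and the class name are made up; the application's Role entity exposes getRole(), as stated in the thread.

```php
<?php
// Added example (not code from the thread, the gist, or Symfony). A custom
// SecurityIdentityRetrievalStrategy for Symfony 2.1 that builds every
// RoleSecurityIdentity from the role NAME, whatever shape the application's
// RoleHierarchy returns: Symfony Role objects, ORM Role entities with a
// getRole() method, or plain strings.
// Assumption: namespace Acme\SecurityBundle\Acl is hypothetical.

namespace Acme\SecurityBundle\Acl;

use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
use Symfony\Component\Security\Core\Role\RoleInterface;

class NormalizingSecurityIdentityRetrievalStrategy implements SecurityIdentityRetrievalStrategyInterface
{
    private $roleHierarchy;
    private $trustResolver;

    public function __construct(RoleHierarchyInterface $roleHierarchy, AuthenticationTrustResolverInterface $trustResolver)
    {
        $this->roleHierarchy = $roleHierarchy;
        $this->trustResolver = $trustResolver;
    }

    /**
     * Reduce a role of any supported shape to its name, or null when the shape
     * is unknown. An unknown shape yields no identity at all (fail closed)
     * instead of an identity that can never match an ACE.
     */
    public static function roleName($role)
    {
        if ($role instanceof RoleInterface) {
            return $role->getRole();            // Symfony's Role, or an entity extending it
        }
        if (is_object($role) && method_exists($role, 'getRole')) {
            return (string) $role->getRole();   // ORM Role entity that does not extend Role
        }
        if (is_string($role)) {
            return $role;                       // hierarchy that already returns names
        }

        return null;
    }

    public function getSecurityIdentities(TokenInterface $token)
    {
        $sids = array();

        // user identity, so ACEs granted to a specific user still apply
        if (!$token instanceof AnonymousToken) {
            try {
                $sids[] = UserSecurityIdentity::fromToken($token);
            } catch (\InvalidArgumentException $e) {
                // the token carries no usable user; only role identities apply
            }
        }

        // one RoleSecurityIdentity per reachable role, always keyed by name
        foreach ($this->roleHierarchy->getReachableRoles($token->getRoles()) as $role) {
            $name = self::roleName($role);
            if (null !== $name) {
                $sids[] = new RoleSecurityIdentity($name);
            }
        }

        // the built-in pseudo-roles, in the order Symfony's own strategy adds them
        if ($this->trustResolver->isFullFledged($token)) {
            $sids[] = new RoleSecurityIdentity(AuthenticatedVoter::IS_AUTHENTICATED_FULLY);
            $sids[] = new RoleSecurityIdentity(AuthenticatedVoter::IS_AUTHENTICATED_REMEMBERED);
            $sids[] = new RoleSecurityIdentity(AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY);
        } elseif ($this->trustResolver->isRememberMe($token)) {
            $sids[] = new RoleSecurityIdentity(AuthenticatedVoter::IS_AUTHENTICATED_REMEMBERED);
            $sids[] = new RoleSecurityIdentity(AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY);
        } elseif ($this->trustResolver->isAnonymous($token)) {
            $sids[] = new RoleSecurityIdentity(AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY);
        }

        return $sids;
    }
}
```

To make the ACL provider use it, point SecurityBundle's class parameter for the retrieval strategy at this class (as I recall it from the 2.1 security_acl.xml, the parameter is security.acl.security_identity_retrieval_strategy.class; check the installed file before relying on that name) in app/config/config.yml, keeping the original constructor arguments. Two checks worth doing once it is wired in: a user holding only a parent role in the hierarchy should pass an isGranted('OWNER', $objectIdentity) check whose ACE was inserted for the child role, and is_granted('ROLE_SOMETHING') in templates should keep working because the hierarchy itself is untouched. The method_exists() branch is deliberate duck typing; if the application has exactly one Role entity class, narrowing that branch to an instanceof check on that class is the tighter option.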