access policy deny not working?


v.

May 31, 2019, 8:56:05 AM5/31/19
to f3-fra...@googlegroups.com
Hi

My controller currently has the following code in the beforeRoute function:

    if ((!$this->f3->exists('SESSION.type') && $csrf_page!=="/login") || null===$this->f3->get('SESSION')) {
        $this->f3->reroute('/login');
    }
    $access=Access::instance();
    $access->policy('deny'); // deny access to all routes by default -> this does not work?
    $access->allow('/admin*','Administrator');

    $access->authorize($this->f3->exists('SESSION.type') ? $this->f3->get('SESSION.type') : 0);

When logged in, session type contains "Administrator".
This does not seem to work: all my routes seem to be open to users who are not logged in.
From my understanding even the login page should be blocked with the above code, however this is not the case.
Admin subpages are just open access: if I go to e.g. admin/users/ I can access this page fine.
If I change the code to

    ....
    $access->deny('/admin*'); // add this line
    $access->allow('/admin*','Administrator');

things work as expected.
What is wrong here?

PJH

May 31, 2019, 9:43:16 AM5/31/19
to Fat-Free Framework


On Friday, May 31, 2019 at 1:56:05 PM UTC+1, v. wrote:

    if ((!$this->f3->exists('SESSION.type') && $csrf_page!=="/login") || null===$this->f3->get('SESSION')) {
        $this->f3->reroute('/login');
    }
    $access=Access::instance();

I'm having problems locating the documentation (or, indeed the code) for the Access class mentioned there....

v.

May 31, 2019, 9:44:41 AM5/31/19
to Fat-Free Framework
Apologies, it is this class: https://github.com/xfra35/f3-access

Andrew Brookes

Jun 1, 2019, 8:13:53 AM6/1/19
to Fat-Free Framework


It's probably easier (for me) if I tell you how I do it :)

In index I have

    $access=Access::instance(); // get instance of x35 class
    $access->deny('/editPage','*'); // for route /editPage, with the asterisk I deny everybody
    $access->allow('/editPage','editor'); // with this I allow editor to access the route

/editPage is a route; it's defined in routes.ini like so:

    GET|POST /editPage=Edit->EditWeb

The following is a beforeRoute class method defined in a controller class called "Edit", which is in a file called Edit.php which I have in the api directory:

    function beforeRoute($f3)
    {
        $f3=Base::instance();
        $f3->set('CASELESS',FALSE);
        $access=Access::instance();
        $access->authorize($f3->get('SESSION.role'));
        // can temporarily disable these so I can play with code
        clearstatcache();
    }

Basically, in the above I put CASELESS because I found it was possible to get around access if somebody put, for example, /editpage as the URL. The next line gets an instance; the next line will either give true or false. If true, it means somebody has successfully logged in and a session has been created; $f3->get('SESSION.role') simply returns "editor" in my code. So as long as the session is not empty and does return editor then access will be given.

Can't remember why I put clearstatcache(); in there.

xfra35

Jun 3, 2019, 2:01:04 PM6/3/19
to Fat-Free Framework
Hi v.

Are you running the latest version of each library? (F3+Access)
Also check that the SESSION.type variable is handled correctly.

I've just tried this sample with no issue:

    $f3=require('lib/base.php');

    $f3->route('GET /',function(){
        echo 'Home';
    });
    $f3->route(['GET /admin','GET /admin/@page'],function($f3,$params){
        echo 'Admin '.@$params['page'];
    });

    $access=Access::instance();
    $access->policy('deny');
    $access->allow('/admin*','Administrator');
    $access->authorize($f3->get('GET.user'));

    $f3->run();

Tests:

    path                          status
    /                             401
    /?user=Customer               403
    /?user=Administrator          403
    /admin                        401
    /admin?user=Customer          403
    /admin?user=Administrator     200
    /admin/foo                    401
    /admin/foo?user=Customer      403
    /admin/foo?user=Administrator 200
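A small model of the default-deny policy behind xfra35's test table, plus the case-mismatch bypass Andrew mentions, added here as an illustration; it is written in Python and is not the f3-access library's own code. `PathAccess`, `status_matrix` and `editpage_status` are names made up for this example, and "last matching rule wins" is an assumption of the model, not a documented f3-access property.

```python
import fnmatch  # glob-style route patterns such as "/admin*"

# Constructed, minimal route authorizer modelling the thread's discussion.
# It is NOT the f3-access code; rule ordering (last match wins) is assumed.
class PathAccess:
    def __init__(self, policy="allow", case_sensitive=True):
        self.default_allow = policy == "allow"  # what applies when no rule matches
        self.case_sensitive = case_sensitive
        self.rules = []  # (pattern, subject, granted) in the order they were added

    def allow(self, pattern, subject="*"):
        self.rules.append((pattern, subject, True))

    def deny(self, pattern, subject="*"):
        self.rules.append((pattern, subject, False))

    def _norm(self, text):
        return text if self.case_sensitive else text.lower()

    def granted(self, path, subject):
        decision = self.default_allow
        for pattern, rule_subject, ok in self.rules:
            path_hit = fnmatch.fnmatchcase(self._norm(path), self._norm(pattern))
            if path_hit and rule_subject in ("*", subject):
                decision = ok
        return decision

    def authorize(self, path, subject):
        """HTTP status the request should get: 200, 401 (no subject) or 403."""
        if self.granted(path, subject):
            return 200
        return 401 if not subject else 403


def status_matrix():
    """Replay xfra35's sample policy over the paths and users in his table."""
    access = PathAccess(policy="deny")
    access.allow("/admin*", "Administrator")
    subjects = (None, "Customer", "Administrator")  # None = no ?user= parameter
    return {(p, s): access.authorize(p, s)
            for p in ("/", "/admin", "/admin/foo") for s in subjects}


def editpage_status(path, case_sensitive_rules):
    """Andrew's /editPage rules hit by a request whose path casing differs.
    If the router serves '/editpage' case-insensitively but the rules are
    case-sensitive, no rule matches and the default (allow) policy decides."""
    access = PathAccess(case_sensitive=case_sensitive_rules)
    access.deny("/editPage", "*")
    access.allow("/editPage", "editor")
    return access.authorize(path, None)  # anonymous request
```

The matrix reproduces the 401/403/200 split from the table above, and `editpage_status` shows why rejecting case-insensitive routes (or matching rules case-insensitively) closes the gap Andrew found.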
