Comments on: How to unsecure admin generated modules in Symfony http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/ A blog about webdesign, PHP, development and IT Wed, 15 Dec 2010 12:09:22 +0100 http://wordpress.org/?v=2.8.4 hourly 1 By: Tiago Carvalho http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-258 Tiago Carvalho Mon, 10 May 2010 15:25:18 +0000 http://www.digitalbase.eu/blog/?p=245#comment-258 Thank you! This post helped me a lot. Thank you! This post helped me a lot.

]]> By: Winzter143 http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-241 Winzter143 Thu, 07 Jan 2010 04:38:50 +0000 http://www.digitalbase.eu/blog/?p=245#comment-241 H! to all, I reading the symfony docs but i cant get what $credential parameter is, in the hasCredential function. Is the $credential parameter is an Object, String or what? Im newbie to this task.. Thank a lot for your reply. H! to all,

I reading the symfony docs but i cant get what $credential parameter is, in the hasCredential function. Is the $credential parameter is an Object, String or what?

Im newbie to this task..

Thank a lot for your reply.

]]> By: jukea http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-229 jukea Wed, 21 Oct 2009 17:34:33 +0000 http://www.digitalbase.eu/blog/?p=245#comment-229 hey look, I filed a ticket around the same time you notices that, and it has been fixed in february http://trac.symfony-project.org/ticket/5582 hey look, I filed a ticket around the same time you notices that, and it has been fixed in february

http://trac.symfony-project.org/ticket/5582

]]> By: Sebastian http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-204 Sebastian Mon, 22 Jun 2009 18:41:03 +0000 http://www.digitalbase.eu/blog/?p=245#comment-204 Hello to all!!! I am new as developer in symfony. I do not have a lot of experience but i think the sfGuardPlugin has an error in the hasCredential method. to solve this error I think the best way is to redefine this method like this: class myUser extends sfGuardSecurityUser { public function hasCredential($credential, $useAnd = true) { if (count($credential) == 0) return true; else return parent::hasCredential($credential,$useAnd); } } the error is that sfGuardSecurityUser do not verify if $credentia is empty. Regards! Sebastian Hello to all!!!

I am new as developer in symfony.

I do not have a lot of experience but i think the sfGuardPlugin has an error in the hasCredential method. to solve this error I think the best way is to redefine this method like this:

class myUser extends sfGuardSecurityUser
{
public function hasCredential($credential, $useAnd = true)
{
if (count($credential) == 0)
return true;
else
return parent::hasCredential($credential,$useAnd);
}
}

the error is that sfGuardSecurityUser do not verify if $credentia is empty.

Regards!

Sebastian

]]> By: jrh http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-185 jrh Thu, 30 Apr 2009 21:03:26 +0000 http://www.digitalbase.eu/blog/?p=245#comment-185 return sfBasicSecurityUser::hasCredential($credential, $useAnd = true); is wrong the correct answer is return sfBasicSecurityUser::hasCredential($credential, $useAnd); return sfBasicSecurityUser::hasCredential($credential, $useAnd = true); is wrong

the correct answer is

return sfBasicSecurityUser::hasCredential($credential, $useAnd);

]]> By: jrh http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-155 jrh Mon, 23 Mar 2009 22:21:31 +0000 http://www.digitalbase.eu/blog/?p=245#comment-155 getGuardUser() instanceof sfGuardUser && $this->getGuardUser()->getIsSuperAdmin()) { return true; } return sfBasicSecurityUser::hasCredential($credential, $useAnd = true); } } getGuardUser() instanceof sfGuardUser && $this->getGuardUser()->getIsSuperAdmin())
{
return true;
}

return sfBasicSecurityUser::hasCredential($credential, $useAnd = true);
}
}

]]> By: Tito http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-153 Tito Tue, 17 Mar 2009 11:42:54 +0000 http://www.digitalbase.eu/blog/?p=245#comment-153 in my case, what i've done it is to redefine the method hasCredentials in the myUser class to this: class myUser extends sfGuardSecurityUser { public function hasCredential($credentials, $useAnd = true) { if ($this->getGuardUser() && $this->getGuardUser()->getIsSuperAdmin()) { return true; } // método redefinido para o original da sfBasicSecurityUser if (!is_array($credentials)) { return in_array($credentials, $this->credentials); } // now we assume that $credentials is an array $test = false; foreach ($credentials as $credential) { // recursively check the credential with a switched AND/OR mode $test = $this->hasCredential($credential, $useAnd ? false : true); if ($useAnd) { $test = $test ? false : true; } if ($test) // either passed one in OR mode or failed one in AND mode { break; // the matter is settled } } if ($useAnd) // in AND mode we succeed if $test is false { $test = $test ? false : true; } return $test; } } the problem with the method hasCredentials from the sfGuardPlugin is that it forces you to have an object sfGuardUser, which only happens when you login. in my case, what i’ve done it is to redefine the method hasCredentials in the myUser class to this:

class myUser extends sfGuardSecurityUser
{
public function hasCredential($credentials, $useAnd = true)
{
if ($this->getGuardUser() && $this->getGuardUser()->getIsSuperAdmin())
{
return true;
}
// método redefinido para o original da sfBasicSecurityUser
if (!is_array($credentials))
{
return in_array($credentials, $this->credentials);
}

// now we assume that $credentials is an array
$test = false;

foreach ($credentials as $credential)
{
// recursively check the credential with a switched AND/OR mode
$test = $this->hasCredential($credential, $useAnd ? false : true);

if ($useAnd)
{
$test = $test ? false : true;
}

if ($test) // either passed one in OR mode or failed one in AND mode
{
break; // the matter is settled
}
}

if ($useAnd) // in AND mode we succeed if $test is false
{
$test = $test ? false : true;
}

return $test;
}
}

the problem with the method hasCredentials from the sfGuardPlugin is that it forces you to have an object sfGuardUser, which only happens when you login.

]]> By: Luciano http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-128 Luciano Tue, 27 Jan 2009 19:47:13 +0000 http://www.digitalbase.eu/blog/?p=245#comment-128 Answers... but not to all :( 1)Yes I did use the propel:generate-admin. 2)I didn't know you were using sfGuardPlugin. 3)Without sfGuardPlugin hasCredential() returns true, but with sfGuardPlugin it returns false, mmm why is that?? Simple beacuse hasCredential() checks differents things in sfGuardSecurityUser and in sfBasicSecurityUser. The thing is that when you extend sfGuardSecurityUser, hasCredential() checks if there is a sfGuardUser walking around, and as we don't want one of those (this is the whole point) it just returns false. I think perhaps there is something wrong, because the framework seems to not be taking into account that if you say in a module: all: is_secure: off you clearly want the framework to not check for any credential at all. I really don't know, in the meantime people we'll have to use your fix. Keep working and all the best to you. Answers… but not to all :(
1)Yes I did use the propel:generate-admin.
2)I didn’t know you were using sfGuardPlugin.
3)Without sfGuardPlugin hasCredential() returns true, but with sfGuardPlugin it returns false, mmm why is that?? Simple beacuse hasCredential() checks differents things in sfGuardSecurityUser and in sfBasicSecurityUser.
The thing is that when you extend sfGuardSecurityUser, hasCredential() checks if there is a sfGuardUser walking around, and as we don’t want one of those (this is the whole point) it just returns false. I think perhaps there is something wrong, because the framework seems to not be taking into account that if you say in a module:
all:
is_secure: off
you clearly want the framework to not check for any credential at all.
I really don’t know, in the meantime people we’ll have to use your fix.
Keep working and all the best to you.

]]> By: Bart Vanderstukken http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-127 Bart Vanderstukken Tue, 27 Jan 2009 15:19:59 +0000 http://www.digitalbase.eu/blog/?p=245#comment-127 Hmmm, that's strange. Few questions: 1) Did you use propel:generate-admin? I guess you did... I'm asking because the method you're describing is the default symfony behaviour (as you would expect). But that's not what's happening here... :s 2) You're probably not using sfGuardPlugin in your sandbox. THAT could be the problem! :) 3) hasCredential(array()) is probably returning true in your case, instead of false? That's what the preExecute action is returning anyway (if no credentials defined in generator.yml)... I'll try to find out if the sfGuardPlugin is indeed the problem... PS: I'm using symfony release_1_2_2 Hmmm, that’s strange.
Few questions:
1) Did you use propel:generate-admin? I guess you did…
I’m asking because the method you’re describing is the default symfony behaviour (as you would expect). But that’s not what’s happening here… :s
2) You’re probably not using sfGuardPlugin in your sandbox. THAT could be the problem! :)
3) hasCredential(array()) is probably returning true in your case, instead of false?
That’s what the preExecute action is returning anyway (if no credentials defined in generator.yml)…

I’ll try to find out if the sfGuardPlugin is indeed the problem…

PS: I’m using symfony release_1_2_2

]]> By: Luciano http://www.digitalbase.eu/blog/how-to-unsecure-admin-generated-modules/comment-page-1/#comment-126 Luciano Tue, 27 Jan 2009 14:02:38 +0000 http://www.digitalbase.eu/blog/?p=245#comment-126 I've just followed these steps to reproduce your issue using sf_sandbox 1.2.2: -I created a new propel admin module. -I secured the app, modifying /sf_sandbox_1_2/apps/frontend/config/security.yml with these values: default: is_secure: on -I tested it in the browser, i was asked to login (so far so good) -I created /sf_sandbox_1_2/apps/frontend/modules/{module_name}/config/security.yml with this content: all: is_secure: off and then tested it again in the browser... and voilà I was no longer asked to log in, I didn't touch anything in config.yml nor in actions.class.php of my module. Could it be something fixed after you downloaded your symfony? I’ve just followed these steps to reproduce your issue using sf_sandbox 1.2.2:
-I created a new propel admin module.
-I secured the app, modifying
/sf_sandbox_1_2/apps/frontend/config/security.yml with these values:
default:
is_secure: on
-I tested it in the browser, i was asked to login (so far so good)
-I created /sf_sandbox_1_2/apps/frontend/modules/{module_name}/config/security.yml with this content:
all:
is_secure: off
and then tested it again in the browser… and voilà I was no longer asked to log in, I didn’t touch anything in config.yml nor in actions.class.php of my module.
Could it be something fixed after you downloaded your symfony?

]]>