Using Symfony2's AccessDeniedHandlerInterface - security

I am trying to get my security stuff setup for symfony2 and I have it working so far, but now I need to do some more fancy things. I am currently using everything dealing with PreAuthentication (I use a third party component for logging in and session management). That part is working great in tandem with the JMS security bundle.
Now I am to the point when I want to catch the users that are throwing 403s so I can just forward them to the login page of the third party component that I am using. I think my best bet is to add an exception handler to the exception listener. I am looking at the AccessDeniedHandlerInterface.
Is this the right direction for me to be going?
How do I add this handler to the exception listener?
EDIT:
I ended up doing something similar. I created a service that is prompted on the kernel.exception event. services.yml looks like this:
services:
kernel.listener.accessDenied:
class: Fully\Qualified\Namespace\Path\To\Class
tags:
- { name: kernel.event_listener, event: kernel.exception, method: onAccessDeniedException }
and the class it self:
<?php
namespace Fully\Qualified\Namespace\Path\To;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent,
Symfony\Component\HttpFoundation\Response,
Symfony\Component\Security\Core\Exception\AccessDeniedException;
class Class
{
public function onAccessDeniedException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
//Get the root cause of the exception.
while (null !== $exception->getPrevious()) {
$exception = $exception->getPrevious();
}
if ($exception instanceof AccessDeniedException) {
//Forward to third-party.
}
}
}

This sounds about right.
Or, if you're specifically interested in AccessDeniedException you could also define access_denied_handler within your firewall in security.yml:
security:
firewalls:
my_firewall:
# ...
access_denied_handler: kernel.listener.access_denied.handler
# ...
Then define your service in your services.xml or equivalent:
<parameters>
<parameter key="kernel.listener.security.class">Path\To\Your\Class</parameter>
</parameters>
<service id="kernel.listener.access_denied.handler" class="%kernel.listener.security.class%">
<tag name="kernel.event_listener" event="security.kernel_response" method="handle" />
</service>
The handler class:
use \Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
class MyAccessDeniedHandler implements AccessDeniedHandlerInterface
{
public function handle(Request $request, AccessDeniedException $accessDeniedException)
{
// do something with your exception and return Response object (plain message of rendered template)
}
}
You can find complete Security reference of Symfony2 here: http://symfony.com/doc/2.8/reference/configuration/security.html

Related

Shopware How to get SalesChannelContext in OrderWrittenEvent in order to send Mail?

I have a situation where I want to send emails from the order written event whenever an order has been updated according to some set of conditions that I will implement (for example an API response error) But unfortunately I have been unable to do so.
I first created a controller and an email service which uses the abstract email service of shopware And from my controller I'm able to send an email But when I tried to do the same in the event,I quickly realized that it wasn't doing exactly what I was expecting it to do. After some research on it, I saw that the event actually don't have access to the sales channel context so I tried multiple different ways to solve this issue but I'm still stuck. Can somebody please guide me on how I can implement that? thank you very much.
an example of what I tried is to call the store API in order to get the context of the saleschannel to use it in my sendMail function But it was giving errors such as:
request.CRITICAL: Uncaught PHP Exception TypeError: "Argument 5 passed to Swag\BasicExample\Service\EmailService::sendMail() must be an instance of Shopware\Core\System\SalesChannel\SalesChannelContext, instance of stdClass given.
I obviously understand that I have to give it a Shopware\Core\System\SalesChannel\SalesChannelContext not an STD class but how can I do that? since it doesn't really see the channel context.
If you do have an instance of OrderEntity you can rebuild the SalesChannelContext from the existing order using the OrderConverter service.
<service id="Foo\MyPlugin\Subscriber\MySubscriber">
<argument type="service" id="Shopware\Core\Checkout\Cart\Order\OrderConverter"/>
<argument type="service" id="order.repository"/>
<tag name="kernel.event_subscriber"/>
</service>
class MySubscriber implements EventSubscriberInterface
{
private OrderConverter $orderConverter;
private EntityRepository $repository;
public function __construct(
OrderConverter $orderConverter,
EntityRepository $repository
) {
$this->orderConverter = $orderConverter;
$this->repository = $repository;
}
public static function getSubscribedEvents(): array
{
return [
OrderEvents::ORDER_WRITTEN_EVENT => 'onOrderWritten',
];
}
public function onOrderWritten(EntityWrittenEvent $event): void
{
foreach ($event->getWriteResults() as $writeResult) {
$orderId = $writeResult->getPrimaryKey();
$criteria = new Criteria([$orderId]);
$criteria->addAssociation('transactions');
$criteria->addAssociation('orderCustomer');
$order = $this->repository
->search($criteria, $event->getContext())->first();
if (!$order instanceof OrderEntity) {
continue;
}
$salesChannelContext = $this->orderConverter
->assembleSalesChannelContext($order, $event->getContext());
// ...
}
}
}

Sylius: How to create listener base on Entity Implementing SyliusResourceBundle

I am beginner in sylius work and i would like to create adjustement on order item before it will be persist in database. So i create a listener base on sylius.order_item.pre_create event as it is said in the documentation https://docs.sylius.com/en/1.5/book/architecture/events.html
All Sylius bundles are using SyliusResourceBundle, which has some built-in events on this format for exemple
sylius.resource.pre_create
Her is my Listener Config
services:
app.listener.order_item:
class: App\EventListener\OrderItemListener
tags:
- { name: kernel.event_listener, event: sylius.order_item.pre_create, method: onSyliusOrderItemPreCreate }
Her is my Listener Class
<?php
namespace App\EventListener;
use Symfony\Component\EventDispatcher\GenericEvent;
use Sylius\Component\Core\Model\ShopUserInterface;
use App\Entity\Order\OrderItem;
use App\Entity\Order\Order;
use App\Entity\Order\Adjustement;
use App\Repository\Channel\ChannelPricingRepository;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Order\Factory\AdjustmentFactoryInterface;
class OrderItemListener
{
public function onSyliusOrderItemPreCreate(GenericEvent $event)
{
var_dump(''); die;
$orderItem = $event->getSubject();
Assert::isInstanceOf($orderItem, OrderItem::class);
}
}
But nothing happens when i add a new product to card. What i miss? May be i don't understand well concept or i make thing in wrong way. Please help me.
I have found solution for my problem. In fact when adding product to card route sylius_shop_ajax_cart_add_item is called with post method. Doing bin/console debug:router sylius_shop_ajax_cart_add_item show that Sylius\Bundle\OrderBundle\Controller\OrderItemController::addAction method is excecuted. In this one $this->eventDispatcher->dispatchPreEvent(CartActions::ADD, $configuration, $orderItem); is called and CartActions::ADD = 'add'.
So the event her is sylius.order_item.pre_add not sylius.order_item.pre_create as i made it.
services:
app.listener.order_item:
class: App\EventListener\OrderItemListener
tags:
- { name: kernel.event_listener, event: sylius.order_item.pre_add, method: onSyliusOrderItemPreAdd }
thanks.

How do I apply a custom ServiceStack RequestFilterAttribute to an auto-generated Service?

I have a custom RequestFilterAttribute that I am applying to my ServiceStack services:
[MyCustomAttribute]
public class MyService : ServiceStack.Service {...
I have recently begun using the AutoQuery feature (which is awesome) but I'm wondering how to apply MyCustomAttribute to the auto-generated services that you "get for free" when your request DTO inherits from QueryBase.
I could certainly add methods to my service with the "magic" AutoQuery code:
SqlExpression<DTO> sqlExpression = AutoQuery.CreateQuery(request, Request.GetRequestParams());
QueryResponse<DTO> response = AutoQuery.Execute(request, sqlExpression);
but I'm hoping there's a better way?
If you wanted to customize the AutoQuery behavior you should first take a look at the extensibility options using Query Filters provides.
Otherwise you should be able to add the RequestFilter Attribute to the Request DTO itself, i.e:
[MyCustomAttribute]
public class MyQuery : QueryBase<Poco> {}
Alternatively you can get a reference to the auto-generated Service using:
var autoQueryService = appHost.Metadata.GetServiceTypeByRequest(typeof(MyQuery));
And then use the dynamic API to add custom attributes to it, e.g:
autoQueryService
.AddAttributes(new MyCustomAttribute { ... });
Since the Services are only generated and registered once the AutoQueryFeature Plugin is executed you'll only be able to access the service after all plugins are loaded which you can do:
1) In your own plugin by implementing the IPostInitPlugin Interface
2) By registering a AfterInitCallbacks handler:
this.AfterInitCallbacks.Add(appHost => { ... });
3) By overriding OnAfterInit() virtual method in your AppHost, e.g:
public override void OnAfterInit()
{
...
base.OnAfterInit();
}

Black-hole error when route pointed to a class that extends plugin and uses extended class

In routes I have
Router::connect('/opauth-complete/*', array('controller' => 'app_users', 'action' => 'opauth_complete'));
If I change pointer to controller app_users with anything else and create controller everything works with no error. But I need it to work with AppUsersController.
AppUsersController looks like this
App::uses('UsersController', 'Users.Controller');
class AppUsersController extends UsersController {
public function beforeFilter() {
parent::beforeFilter();
$this->User = ClassRegistry::init('AppUser');
}
// ...
// ...
public function opauth_complete() {
die(1);
}
// ...
// ...
}
So, plugin is CakeDC Users and another plugin that goes to /example/callback after /example/auth/facebook is Opauth plugin.
Error message looks like this
The request has been black-holed
Error: The requested address '/example/opauth-complete' was not found on this server.
This is perfectly possible to make these two plugins work together; when browser points to /example/auth/facebook, it redirects to /example/auth/callback and somehow it needs opauth-complete route to link to specific method.
All works if not pointed to app_users that extends plugin, uses plugin. Does not work only with this case. How can users of these two plugins get around such situation.
I solved it by disabling Security component on Opauth action in my AppUsersController. Thing is that Opauth transfers data using POST and you should either change a method of it (ie: use Sessions, GET) or disable Security component.
For a method change use this in your bootstrap.php or core.php
Configure::write('Opauth.callback_transport', 'session'); // you can try 'get' too
To follow my approach add this to a controller where error occurs and where you place your opauth_complete method
public function beforeFilter() {
// ...
if (isset($this->Security) && $this->action == 'opauth_complete') {
$this->Security->validatePost = false;
$this->Security->csrfCheck = false;
}
// ...
}
P.S. Changing method to Sessions has its drawbacks, you can take a look at comments here at Github Opauth issue #16

How to give security voter access to current object

I want to use a Voter to only allow owners to edit a project object in my application.
I have a route /project/42/edit that invokes my action ProjectController.editAction(Project $project). I use a type hint (Project $project) to automatically invoke the ParamConverter to convert the ID 42 from the URI into a project object. This works nicely for the controller action, however it seems to be invoked too late for the voter. Its vote() method gets called with the request as 2nd parameter, not my project.
Is there a way to pass the project to the voter without having to retrieve it from the database again?
UPDATE: I learned that I have to manually call isGranted() on the security context in the edit method. This is very similar in approach to this answer.
Here is my Voter:
namespace FUxCon2013\ProjectsBundle\Security;
use FUxCon2013\ProjectsBundle\Entity\Project;
use Symfony\Component\BrowserKit\Request;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
class OwnerVoter implements VoterInterface
{
public function __construct(ContainerInterface $container)
{
$this->container = $container;
}
public function supportsAttribute($attribute)
{
return $attribute == 'MAY_EDIT';
}
public function supportsClass($class)
{
// your voter supports all type of token classes, so return true
return true;
}
function vote(TokenInterface $token, $object, array $attributes)
{
if (!in_array('MAY_EDIT', $attributes)) {
return self::ACCESS_ABSTAIN;
}
if (!($object instanceof Project)) {
return self::ACCESS_ABSTAIN;
}
$user = $token->getUser();
$securityContext = $this->container->get('security.context');
return $securityContext->isGranted('IS_AUTHENTICATED_FULLY')
&& $user->getId() == $object->getUser()->getId()
? self::ACCESS_GRANTED
: self::ACCESS_DENIED;
}
}
I register this in configure.yml so that it gets the service container as parameter:
services:
fuxcon2013.security.owner_voter:
class: FUxCon2013\ProjectsBundle\Security\OwnerVoter
public: false
arguments: [ #service_container ]
tags:
- { name: security.voter }
The last block is to configure the access decision manager in security.yml to unanimous:
security:
access_decision_manager:
# strategy can be: affirmative, unanimous or consensus
strategy: unanimous
allow_if_all_abstain: true
Please have a look at this answer i have written yesterday.
You can easily adapt it to your needs by checking for the owner of your object.
The current object doesn't get passed in the voter if you use the role security handler.
I had to extend the latter to get the former.
Don't hesitate to comment for details.

Resources