
#4051 ([PATCH] security.yml in modules not working properly)


Ticket #4051 (closed defect: invalid)

Opened 6 months ago

Last modified 1 month ago

[PATCH] security.yml in modules not working properly

Reported by: a.alexandrov
Assigned to: fabien
Priority: major
Milestone:
Component: configuration
Version: 1.1.4
Keywords: security plugin module
Cc:
Qualification: Ready for core team

Description

It seems to me that there are two problems associated with the security.yml configuration.

First, one cannot override a plugin module's security.yml file in the application module (as is possible, for instance, with other module-specific files like the templates). As an example, consider the following situation: I develop an application where login is required for almost all actions. Therefore I set my application security to true (is_secure: on) in the myapp/config/security.yml file. In addition, I extend the sfGuardAuth module from the sfGuardPlugin with a registration action. Now, as I have globally secured all actions, I want to be able to enable sfGuardAuth/register from the module-specific security.yml. I create myapp/modules/sfGuardAuth/config/security.yml, which contains:

register:
  is_secure: off

It seems to me that the sfSecurityConfigHandler doesn't process the overridden security.yml, but continues to work only with the one inside the plugins/.../sfGuardAuth/config directory.

The second problem is that if I try to change the plugin security.yml directly and override the global is_secure: on setting for all module actions, it doesn't work. Putting

all:
  is_secure: off

inside plugins/.../sfGuardAuth/config/security.yml has no effect in the compiled modules_sfGuardAuth_config_security.yml.php file.

Attachments

sfAction.class.php.diff (0.8 kB) - added by daum on 10/14/08 04:13:01.

Change History

10/14/08 04:13:01 changed by daum

  • attachment sfAction.class.php.diff added.

10/14/08 04:13:36 changed by daum

  • status changed from new to closed.
  • version changed from 1.0.17 to 1.1.4.
  • resolution set to fixed.
  • qualification changed from Unreviewed to Ready for core team.
  • summary changed from security.yml in modules not working properly to [PATCH] security.yml in modules not working properly.

I have found out why this is occurring. In the check of whether a module is secure in sfActions.class.php, it was checking first to see if the current module is defined explicitly as "secure". If it isn't, then it checked if the global is supposed to be defined to true. If both of these were false, then it returned false. The fix was to make it so that it also checks to see if the module name is explicitly set to false.

I also updated the isSecure method to have proper spacing according to the coding standards.

Daum

10/16/08 04:52:29 changed by daum

  • status changed from closed to reopened.
  • resolution deleted.

Reopening, didn't mean to close, only meant to add the patch.

10/20/08 14:07:27 changed by daum

  • milestone set to 1.2.0.

11/18/08 00:52:14 changed by fabien

  • status changed from reopened to closed.
  • resolution set to invalid.
  • milestone deleted.

I don't understand how your patch can fix anything as the condition you have added is already taken care of by the first if:

    if (isset($this->security[$actionName]['is_secure']))
    {
      return $this->security[$actionName]['is_secure'];
    }

Feel free to reopen with more explanation.

11/24/08 17:52:05 changed by daum

I have to agree with you on this, it seems that everything is working. Not sure how I came up with the solution...thanks for reviewing this.
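
The lookup order discussed in this ticket, as an added example that is not symfony's code and not part of any comment above. `resolveIsSecure()` and the sample arrays are hypothetical; using the `all` key as the fallback is an assumption taken from the YAML in the description.

```php
<?php
// Added illustration: a stand-alone model of the lookup order discussed in
// the ticket. resolveIsSecure() and the arrays below are hypothetical and
// constructed for this example; they are not symfony's implementation.

/**
 * Decide whether an action requires authentication, given the merged
 * security configuration (the parsed content of security.yml).
 */
function resolveIsSecure(array $security, string $actionName): bool
{
    // isset() is true for a key that holds false, so an explicit
    // "is_secure: off" on the action is returned by this branch.
    if (isset($security[$actionName]['is_secure'])) {
        return (bool) $security[$actionName]['is_secure'];
    }

    // No action-level entry: fall back to the "all" entry.
    if (isset($security['all']['is_secure'])) {
        return (bool) $security['all']['is_secure'];
    }

    // Nothing configured at either level: treated as not secured.
    return false;
}

// Constructed sample: everything secured, register explicitly opened.
$merged = [
    'all'      => ['is_secure' => true],
    'register' => ['is_secure' => false],
];

// Each row: action name, configuration seen by the check, expected result.
$checks = [
    ['register', $merged, false], // explicit off wins over all: on
    ['signin',   $merged, true],  // no own entry, inherits all: on
    ['register', ['all' => ['is_secure' => true]], true], // override not merged
    ['index',    [], false],      // no configuration at all
];

foreach ($checks as [$action, $config, $expected]) {
    if (resolveIsSecure($config, $action) !== $expected) {
        throw new RuntimeException("unexpected result for $action");
    }
}
echo "all checks passed\n";
```

The third row models the symptom from the description: when the action-level override never reaches the merged configuration, `register` stays secured, so the compiled configuration file is the place to inspect rather than the check itself.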