hooking into events and checking an ACL


hooking into events and checking an ACL

Simon Walter
Hi all,

I noticed that the HTTP response codes I get back are not the same as
when running the stack via Apache. I noticed also a few other strange
things such as content when I expected no content.

It then led me to inspect packets. What I found was that my protected
areas were indeed accessible.

The fault lies in the way I was redirecting users to the login page. I
had followed this tutorial:
http://p0l0.binware.org/index.php/2012/02/18/zend-framework-2-authentication-acl-using-eventmanager/

I just want to caution others who may have done so and have copied this
buggy code. I've left a comment on the page as well:
http://p0l0.binware.org/index.php/2012/02/18/zend-framework-2-authentication-acl-using-eventmanager/#comment-91368

Looking at Slavey's book, I see that much of what Marco has done in his
tutorial is over-engineered.

I will chance a n00b guess that because the controller and action are
not reset to something else, the original route is still followed even
though a 302 is sent with a new location.

I will refrain from drawing any more n00b conclusions and ask what you
all think.

Kind regards,

Simon

--
List: [hidden email]
Info: http://framework.zend.com/archives
Unsubscribe: [hidden email]



Re: hooking into events and checking an ACL

David Mintz-3
I too am a relative n00b but I don't think that's the only problem with
this tutorial. For one thing, it's dated. You don't need to implement your
own Identity plugin because ZF2 already provides:
http://zf2.readthedocs.org/en/latest/modules/zend.mvc.plugins.html#zend-mvc-controller-plugins-identity.


As to Slavey's book: it's really good (
https://www.amazon.com/review/R38Z5NJEX0UP0R/ref=cm_cr_rdp_perm?ie=UTF8&ASIN=1492372218).
I also like http://www.masterzendframework.com/ and
https://samsonasik.wordpress.com/

On Wed, Feb 24, 2016 at 1:21 AM, Simon Walter <[hidden email]> wrote:

> Hi all,
>
> I noticed that the HTTP response codes I get back are not the same as when
> running the stack via Apache. I noticed also a few other strange things
> such as content when I expected no content.
>
> It then led me to inspect packets. What I found was that my protected
> areas were indeed accessible.
>
> The fault lies in the way I was redirecting users to the login page. I had
> followed this tutorial:
>
> http://p0l0.binware.org/index.php/2012/02/18/zend-framework-2-authentication-acl-using-eventmanager/
>
> I just want to caution others who may have done so and have copied this
> buggy code. I've left a comment on the page as well:
>
> http://p0l0.binware.org/index.php/2012/02/18/zend-framework-2-authentication-acl-using-eventmanager/#comment-91368
>
> Looking at Slavey's book, I see that much of what Marco has done in his
> tutorial is over-engineered.
>
> I will chance a n00b guess that because the controller and action are not
> reset to something else, the original route is still followed even though a
> 302 is sent with a new location.
>
> I will refrain from drawing any more n00b conclusions and ask what you all
> think.
>
> Kind regards,
>
> Simon
>
> --
> List: [hidden email]
> Info: http://framework.zend.com/archives
> Unsubscribe: [hidden email]
>
>
>


--
David Mintz
http://davidmintz.org/
Human needs before private profit:
http://socialequality.com/

Re: hooking into events and checking an ACL

Stefano Torresi-2
The biggest problem that I can spot at a quick glance is the "exit 1"
inside the event listener.

That's a big no-no, because it nukes the whole application life cycle
abruptly, and needlessly: it's sufficient to return the 403 response from
the listener to short circuit the dispatch event and let the application
complete it gracefully.

Other than that, I can't recommend enough to test your authentication and
authorization modules thoroughly.

Cheers.

On Fri, 26 Feb 2016 at 16:00 David Mintz <[hidden email]>
wrote:

> I too am a relative n00b but I don't think that's the only problem with
> this tutorial. For one thing, it's dated. You don't need to implement your
> own Identity plugin because ZF2 already provides:
>
> http://zf2.readthedocs.org/en/latest/modules/zend.mvc.plugins.html#zend-mvc-controller-plugins-identity.
>
>
> As to Slavey's book: it's really good (
>
> https://www.amazon.com/review/R38Z5NJEX0UP0R/ref=cm_cr_rdp_perm?ie=UTF8&ASIN=1492372218).
> I also like http://www.masterzendframework.com/ and
> https://samsonasik.wordpress.com/
>
> On Wed, Feb 24, 2016 at 1:21 AM, Simon Walter <[hidden email]> wrote:
>
> > Hi all,
> >
> > I noticed that the HTTP response codes I get back are not the same as
> when
> > running the stack via Apache. I noticed also a few other strange things
> > such as content when I expected no content.
> >
> > It then led me to inspect packets. What I found was that my protected
> > areas were indeed accessible.
> >
> > The fault lies in the way I was redirecting users to the login page. I
> had
> > followed this tutorial:
> >
> >
> http://p0l0.binware.org/index.php/2012/02/18/zend-framework-2-authentication-acl-using-eventmanager/
> >
> > I just want to caution others who may have done so and have copied this
> > buggy code. I've left a comment on the page as well:
> >
> >
> http://p0l0.binware.org/index.php/2012/02/18/zend-framework-2-authentication-acl-using-eventmanager/#comment-91368
> >
> > Looking at Slavey's book, I see that much of what Marco has done in his
> > tutorial is over-engineered.
> >
> > I will chance a n00b guess that because the controller and action are not
> > reset to something else, the original route is still followed even
> though a
> > 302 is sent with a new location.
> >
> > I will refrain from drawing any more n00b conclusions and ask what you
> all
> > think.
> >
> > Kind regards,
> >
> > Simon
> >
> > --
> > List: [hidden email]
> > Info: http://framework.zend.com/archives
> > Unsubscribe: [hidden email]
> >
> >
> >
>
>
> --
> David Mintz
> http://davidmintz.org/
> Human needs before private profit:
> http://socialequality.com/
>
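The two failure modes discussed in this thread (Simon's redirect that sets a 302 but lets the original controller action run anyway, and the `exit` Stefano objects to) both come down to how the ACL listener ends the request. The following is an added example, not code from the thread or from the linked tutorial: a ZF2 dispatch listener that denies access by returning a Response, which short-circuits `EVENT_DISPATCH` so the protected action is never executed. It assumes a route named `login`, an authentication service registered under `Zend\Authentication\AuthenticationService`, an `Acl` instance registered under its class name, and an identity object with a `getRole()` method.

```php
<?php
// Added example (not from the thread or the linked tutorial). Assumptions:
// route 'login', auth service 'Zend\Authentication\AuthenticationService',
// an Acl service keyed by class name, identity objects exposing getRole().
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Permissions\Acl\Acl;

class Module
{
    public function onBootstrap(MvcEvent $e)
    {
        // Priority 100 runs before the framework's own DispatchListener
        // (priority 1), so a denied request never reaches the controller.
        $e->getApplication()->getEventManager()
          ->attach(MvcEvent::EVENT_DISPATCH, [$this, 'checkAcl'], 100);
    }

    public function checkAcl(MvcEvent $e)
    {
        $match = $e->getRouteMatch();
        if ($match === null) {
            return; // no route matched; let the 404 handling run
        }
        $resource = $match->getParam('controller');
        $action   = $match->getParam('action', 'index');

        $sm   = $e->getApplication()->getServiceManager();
        $auth = $sm->get('Zend\Authentication\AuthenticationService');
        $acl  = $sm->get(Acl::class);
        $role = $auth->hasIdentity() ? $auth->getIdentity()->getRole() : 'guest';

        // Deny by default: a controller not registered in the ACL is closed.
        if ($acl->hasResource($resource)
            && $acl->isAllowed($role, $resource, $action)) {
            return; // allowed: fall through to normal dispatch
        }

        $response = $e->getResponse();
        if ($role === 'guest') {
            // Anonymous: send to the login page instead of the requested action.
            $response->setStatusCode(302);
            $response->getHeaders()->addHeaderLine(
                'Location', $e->getRouter()->assemble([], ['name' => 'login']));
        } else {
            $response->setStatusCode(403); // authenticated but not authorized
        }
        // Returning the Response short-circuits EVENT_DISPATCH; the application
        // proceeds to EVENT_FINISH and sends it, with no controller output.
        return $response;
    }
}
```

Setting the redirect headers without returning the Response (or without stopping propagation) is exactly the case Simon describes: the 302 goes out, but the original action still runs and its body is attached to the response.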