I might have missed something obvious but my security.yml settings appear to be case sensitive which could be a bit of a security leak.
I am running Symfony 1.0.0. This problem was apparently addressed back in June 2006 - http://www.symfony-project.com/trac/ticket/466. However, I seem to be re-experiencing it. For example, I secure the myModule actions using myModule/config/security.yml:

    create:
      is_secure:   on
      credentials: admin

    edit:
      is_secure:   on
      credentials: admin

Now here's the twist where this might have gone unnoticed in 90% of cases. My 'create' and 'edit' actions use some control logic to decide which template to load, using the setTemplate() command. Therefore, if I am not authenticated then I can't access //myApp/myModule/create or //myApp/myModule/edit/id/1, but I can access the edit or create actions using any of the following URLs (without authentication):

    //myApp/myModule/Create
    //myApp/myModule/cREate
    //myApp/myModule/Edit/id/1
    //myApp/myModule/edIT/id/1
    ...etc

Normally actions and their associated SUCCESS templates are case sensitive. Therefore, these case-sensitive URLs would normally just fail with an error like:

    The template "/cREateSuccess.php" does not exist in:

However, because of my setTemplate() control logic the templates are loaded, despite the security.yml rules which, as far as I understood it, should have restricted the 'create' or 'edit' action altogether. I fixed this using the patch to sfAction.class.php illustrated in the original ticket #466 (below). However, I thought I'd better call this to attention in case this is an issue for Symfony in general. If this is not a problem isolated to my system/setup I can re-open this ticket.
--peterVG

--------

Patch to sfAction.class.php (converts the action name to lowercase before checking for security & credential requirements):

    /**
     * Indicates whether this action requires security.
     *
     * @return bool true if this action requires security, false otherwise
     */
    public function isSecure()
    {
      // Normalise the dispatched action name so 'cREate' is checked against the 'create' rule
      $actionName = strtolower($this->getActionName());

      if (isset($this->security[$actionName]['is_secure']))
      {
        return $this->security[$actionName]['is_secure'];
      }

      if (isset($this->security['all']['is_secure']))
      {
        return $this->security['all']['is_secure'];
      }

      return false;
    }

    /**
     * Gets credentials the user must have to access this action.
     *
     * @return mixed An array or a string describing the credentials the user must have to access this action
     */
    public function getCredential()
    {
      $actionName = strtolower($this->getActionName());

      if (isset($this->security[$actionName]['credentials']))
      {
        $credentials = $this->security[$actionName]['credentials'];
      }
      else if (isset($this->security['all']['credentials']))
      {
        $credentials = $this->security['all']['credentials'];
      }
      else
      {
        $credentials = null;
      }

      return $credentials;
    }
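As an added illustration (not code from the post or from Symfony), here is a stand-alone PHP model of the security.yml lookup: the case-sensitive array lookup the post describes lets mixed-case action names fall through to the 'all' rule, while lowercasing both the action name (as the patch does) and the rule keys closes the gap. The $security array and request paths are constructed from the post's example; PHP 7 or newer is assumed.

```php
<?php
// Added example, not part of the original post or of Symfony. Models the
// security.yml lookup in isolation so the case-handling difference is visible.
// PHP resolves method names such as executeCreate case-insensitively, which is
// why a mixed-case action name still runs even when its rule is not matched.

// Constructed equivalent of the post's myModule/config/security.yml.
$security = [
    'create' => ['is_secure' => true, 'credentials' => 'admin'],
    'edit'   => ['is_secure' => true, 'credentials' => 'admin'],
    'all'    => ['is_secure' => false],
];

// Behaviour the post describes: the dispatched action name is used as-is,
// so 'cREate' misses the 'create' rule and falls back to 'all'.
function isSecureCaseSensitive(array $security, string $actionName): bool
{
    if (isset($security[$actionName]['is_secure'])) {
        return (bool) $security[$actionName]['is_secure'];
    }
    return (bool) ($security['all']['is_secure'] ?? false);
}

// Hardened lookup: lowercase the action name (as the post's patch does) AND the
// rule keys, so a mixed-case key typed into security.yml cannot reopen the gap.
function isSecureNormalised(array $security, string $actionName): bool
{
    $rules = array_change_key_case($security, CASE_LOWER);
    $key   = strtolower($actionName);
    if (isset($rules[$key]['is_secure'])) {
        return (bool) $rules[$key]['is_secure'];
    }
    return (bool) ($rules['all']['is_secure'] ?? false);
}

// Constructed request paths taken from the post; the last segment is the action.
$paths = ['/myModule/create', '/myModule/Create', '/myModule/cREate',
          '/myModule/edit',   '/myModule/Edit',   '/myModule/edIT'];

printf("%-10s %-16s %s\n", 'action', 'case-sensitive', 'normalised');
foreach ($paths as $path) {
    $action = basename($path);
    printf("%-10s %-16s %s\n", $action,
        isSecureCaseSensitive($security, $action) ? 'secured' : 'OPEN',
        isSecureNormalised($security, $action)    ? 'secured' : 'OPEN');
}
```

Running it prints 'OPEN' in the case-sensitive column for every variant except the exact lowercase names, and 'secured' in the normalised column for all six.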
