#671: Security filters cannot perform checks in addition to isSecure()
------------------------+---------------------------------------------------
 Reporter:  david       |       Owner:  david
     Type:  defect      |      Status:  new  
 Priority:  high        |   Milestone:  1.0  
Component:  controller  |     Version:  HEAD 
 Severity:  major       |    Keywords:       
Has_patch:  0           |  
------------------------+---------------------------------------------------
 Let's assume we want to build a web shop. Say we want to call it Amazon,
 and say we want to detect returning users with a cookie, and then show
 them suggestions. Let's also assume that these known users have access to
 areas like their personal front page, without having to actually log in
 with user and password. And let's say we want all this handled using
 Agavi's security infrastructure, too, i.e. if an action returns true from,
 say, an {{{isPrivate()}}} method, then it's only available to known or
 authenticated users.

 The thing is... right now, the {{{isSecure()}}} check is done in the
 execution container. If an Action is not secure, the security filter is
 not added to the chain at all. This is clearly a problem because it means
 that Agavi's authentication concept cannot be changed without overriding
 the (big) {{{AgaviExecutionContainer::execute()}}} method. If
 {{{core.use_security}}} is on, the security filter should always be run,
 and the {{{isSecure()}}} check should be made inside that filter.

 This fix can cause a change in behavior for anyone who has a custom security
 filter, so we need to document it in the release notes and the upgrading
 guide, since we promised to introduce breaking changes only as part of fixes.
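 As an added illustration (not Agavi's own code), a minimal stand-in for the execution container and the security filter shows the current container-side check beside the proposed filter-side one; only {{{isSecure()}}} comes from the ticket, while {{{isPrivate()}}}, the {{{User}}} interface and the filter classes are assumptions.

```php
<?php
// Added illustration, not Agavi's own code: a minimal stand-in for the execution
// container and the security filter. Only isSecure() is taken from the ticket;
// isPrivate(), the User interface and the filter classes are assumptions.

interface Action {
    public function isSecure(): bool;   // requires an authenticated user
    public function isPrivate(): bool;  // requires at least a known (cookie-identified) user
}

interface User {
    public function isAuthenticated(): bool;
    public function isKnown(): bool;    // identified by cookie, no password given
}

class SecurityFilter {
    // Default policy: only isSecure() is enforced.
    public function check(Action $action, User $user): bool {
        return !$action->isSecure() || $user->isAuthenticated();
    }
}

class ShopSecurityFilter extends SecurityFilter {
    // Custom policy: additionally enforce isPrivate() for known users.
    public function check(Action $action, User $user): bool {
        return parent::check($action, $user)
            && (!$action->isPrivate() || $user->isKnown() || $user->isAuthenticated());
    }
}

// Current behaviour: the container makes the isSecure() decision, so a custom
// filter never runs for actions that return false from isSecure() and the
// isPrivate() rule above is silently skipped.
function executeCurrent(Action $a, User $u, SecurityFilter $f, bool $useSecurity): string {
    if ($useSecurity && $a->isSecure() && !$f->check($a, $u)) {
        return 'login';
    }
    return 'action';
}

// Proposed behaviour: with core.use_security on, the filter always runs and makes
// the isSecure() decision itself; subclasses can layer further checks on top.
function executeProposed(Action $a, User $u, SecurityFilter $f, bool $useSecurity): string {
    if ($useSecurity && !$f->check($a, $u)) {
        return 'login';
    }
    return 'action';
}
```

 For an unknown visitor requesting an action with {{{isSecure()}}} false and {{{isPrivate()}}} true, {{{executeCurrent()}}} with a {{{ShopSecurityFilter}}} still returns {{{'action'}}}, while {{{executeProposed()}}} returns {{{'login'}}}.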

-- 
Ticket URL: <http://trac.agavi.org/ticket/671>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5


_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets