
Thoughts on access_control and siteaccess


Tuesday 19 August 2014 5:15:47 pm

I have read and found different ways in the forum to handle RequireUserLogin.
I am hoping to establish the "proper" way of doing this.
One method involves creating a request listener that looks at the authentication token and redirects to login if it is anonymous. This can be error prone as the listener is not aware of routes that should be exempt. This also is very similar to reimplementing Symfony's built-in access_control.

The other is to use Symfony native access_control. I believe using the native access_control would be the correct way to go, but the RequestMatcher is not siteaccess aware so you end up having to define a matcher for each siteaccess. For example:

    access_control:
        - { path: ^/_internal/secure, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/eng/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/fre/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }

I have also found that using access_control can cause issues with legacy_mode sites as it can cause login to be needed and redirect to /login instead of the legacy /user/login.

I'm thinking creating a siteaccess aware matcher would be the better route, but this would not solve supporting the legacy site (maybe it could by checking if the siteaccess is legacy_mode, though I do not believe that is stored in the siteaccess).

What are your ideas on how to handle this correctly?

Modified on Tuesday 19 August 2014 5:32:11 pm by Douglas Hammond
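As an added illustration (not code from the post above or from eZ Publish itself), one shape a siteaccess-aware matcher could take: it strips a known siteaccess URI prefix before applying the path regex, so a single rule covers /login, /eng/login and /fre/login. It assumes the Symfony 2.x security component; the siteaccess list, the class name and the AccessMap wiring are constructed for the example.

```php
<?php
// Added example, not code from the original post or from eZ Publish.
// Assumptions: Symfony 2.x security component; the siteaccess names below are
// a constructed list (in a real project they would come from ezpublish.yml);
// the class name is hypothetical.

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;
use Symfony\Component\Security\Http\AccessMap;

class SiteaccessAwareRequestMatcher implements RequestMatcherInterface
{
    private $pathRegex;
    private $siteaccessRegex;

    /**
     * @param string   $pathRegex    regex applied to the path with the siteaccess removed, e.g. '^/login'
     * @param string[] $siteaccesses URI prefixes that identify a siteaccess, e.g. array('eng', 'fre')
     */
    public function __construct($pathRegex, array $siteaccesses)
    {
        $this->pathRegex = $pathRegex;
        // Quote each name so regex metacharacters in a siteaccess name cannot widen the match;
        // the lookahead keeps "eng" from also stripping "/english/...".
        $this->siteaccessRegex = '{^/(' . implode('|', array_map('preg_quote', $siteaccesses)) . ')(?=/|$)}';
    }

    public function matches(Request $request)
    {
        // /eng/login and /fre/login both collapse to /login before the rule is applied.
        $path = preg_replace($this->siteaccessRegex, '', rawurldecode($request->getPathInfo()));
        if ($path === '') {
            $path = '/';
        }
        return (bool) preg_match('{' . $this->pathRegex . '}', $path);
    }
}

// One rule now covers the default siteaccess and every URI-prefixed one.
$map = new AccessMap();
$map->add(new SiteaccessAwareRequestMatcher('^/login', array('eng', 'fre')),
          array('IS_AUTHENTICATED_ANONYMOUSLY'), 'https');

foreach (array('/login', '/eng/login', '/fre/login', '/eng/content') as $uri) {
    list($roles, $channel) = $map->getPatterns(Request::create($uri));
    printf("%-14s => %s\n", $uri, $roles ? implode(',', $roles) . ' via ' . $channel : 'no rule');
}
```

Wiring this into the firewall would still need a compiler pass or an overridden security.access_map service, since the access_control config only builds Symfony's own RequestMatcher. It also does nothing about the legacy_mode redirect to /login instead of /user/login described in the post.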

No reply yet!
