debug_kit
Authorization fail
When using the CakePHP/Authorization plugin, DebugKit fails. One solution is to skip authorization in AuthorizationMiddleware (https://github.com/cakephp/authorization/issues/80#issuecomment-575626974), but it's not a good place to add exceptions.
One way is to check this in the DebugKit controllers, but they don't extend a common "AppController" (in the plugin), so there is a lot of replicated code. Below is an example in the "beforeFilter" method:
// In the beforeFilter() of each DebugKit controller
$authorizationService = $this->getRequest()->getAttribute('authorization');
if ($authorizationService instanceof \Authorization\AuthorizationService) {
    // Mark this request as checked so AuthorizationMiddleware does not throw
    $authorizationService->skipAuthorization();
}
Do you think we can add this common plugin controller with no risk?
We could, I am not sure we should though. Having debugkit disable authentication and authorization checks is risky as people often forget to disable debugkit in production. Perhaps we could do this via an opt-in option though?
@markstory You could add if (Configure::read('debug')) to it?
An opt-in option would be like configuring DebugKit.safeTld or DebugKit.forceEnable, I think.
But I'm not sure it's a risk. The Authorization plugin is only disabled for the DebugKit request, and it's an XHR request. You can't access app URLs with a DebugKit call.
That could work. I always worry about the person who accidentally leaves debug on in production, as it is Cake, not the user, that gets blamed.
As I said, I'm sure it's not a problem. Disabling the Authorization plugin in DebugKit controllers only disables it for DebugKit requests, not app requests.
Shall I try a PR?
@Erwane That would be great!
I suppose the question is: do we expose something that people can use to probe websites to gain environment data, etc.?
If a user has DebugKit enabled, what level of guarantee do we provide?
We documented the need to set DebugKit.ignoreAuthorization to true in the README.md of this repo as well as in the docs for DebugKit.
Therefore I will close this issue.
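The following is an added example, not code from the DebugKit or Authorization projects, showing how the opt-in discussed in this thread can be implemented in a shared base controller: authorization is skipped for the plugin's own requests only when debug mode is on and the application has explicitly set the DebugKit.ignoreAuthorization option named in the closing comment. The class name DebugKitController, its namespace, and the double gate on Configure::read('debug') are assumptions for illustration; AuthorizationServiceInterface::skipAuthorization() and Configure::read() are real CakePHP/Authorization APIs.

```php
<?php
declare(strict_types=1);

// Hypothetical shared base controller for the DebugKit plugin (added example,
// not the project's own code). Each DebugKit controller would extend this class.
namespace DebugKit\Controller;

use Authorization\AuthorizationServiceInterface;
use Cake\Controller\Controller;
use Cake\Core\Configure;
use Cake\Event\EventInterface;

class DebugKitController extends Controller
{
    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        // Opt-in only: both conditions must hold. If debug was left on in
        // production but the option was never set, nothing is skipped and
        // AuthorizationMiddleware behaves exactly as it does for app requests.
        if (!Configure::read('debug') || !Configure::read('DebugKit.ignoreAuthorization')) {
            return;
        }

        // The Authorization middleware attaches the service to the request.
        // If the plugin is not loaded, the attribute is null and there is nothing to do.
        $service = $this->getRequest()->getAttribute('authorization');
        if ($service instanceof AuthorizationServiceInterface) {
            // Marks only this DebugKit request as having passed authorization,
            // so requireAuthorizationCheck in the middleware does not throw.
            $service->skipAuthorization();
        }
    }
}

// Application side (config/app_local.php), the explicit opt-in the thread settled on:
//
// return [
//     'debug' => true,
//     'DebugKit' => [
//         'ignoreAuthorization' => true,
//     ],
// ];
```

The skip is scoped to the request object of the DebugKit XHR call, which is the point made in the thread: application requests still go through the middleware's authorization check. The debug gate is a belt-and-braces addition so that a stale ignoreAuthorization setting alone never loosens anything once debug is turned off.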