
Explain the security components

Toflar opened this issue 5 years ago • 13 comments

As we have additional helper services such as the TokenChecker, I think we should have a chapter about when to use which service to fetch the front end member or back end user, to check if the FE preview is enabled etc.

Toflar, Aug 23 '19 14:08

I have added a Services reference article in 89850ddf99b15d23df2790c15f87951e0da54525, which includes the TokenChecker service, as well as the security.helper service from Symfony. The descriptions are rather minimal at the moment. If the security components require their own fully fledged article, we can still add one under Framework, in addition to the reference.

fritzmg, Sep 29 '19 15:09

The $tokenChecker->isPreviewMode() method described there only returns true if you are in preview mode AND have "show unpublished" enabled. So you can't rely upon it if you just want to check whether you are in preview mode.

ameotoko, Jun 21 '20 15:06

The method isn't really described in 89850dd (if that is what you mean). It is just mentioned that it is available. The description within the code says the following:

Tells whether the front end preview can show unpublished fragments.

fritzmg, Jun 21 '20 20:06

Tells whether the front end preview can show unpublished fragments.

Yes, but 89850dd and Toflar's post give an impression that this is the method used to check whether or not we are in FE preview mode - which is not correct.

ameotoko, Jun 21 '20 20:06

/cc @aschempp

Toflar, Jun 22 '20 07:06

There might be a confusion. Preview mode historically means being logged in to the back end and enabling show unpublished. It is not a representation of whether one is visiting the front end through preview.php.

Regarding the services:

  • ScopeMatcher is related to routing; it tells which scope the current route is on. Because firewalls listen to scopes, it (most likely) also tells which firewall is active. But it does not tell about authentication and authorization.
  • TokenChecker can perform some checks on the firewall token, even if the requested firewall might not be active (e.g. check the back end firewall in the front end). It only checks authentication (user is logged in) but not authorization (what permissions are available).
  • SecurityHelper handles authentication (getUser) and authorization (isGranted) on the current firewall.

There is no way to check authorizations across firewalls, e.g. check if a back end user is allowed to access tl_page from the front end.

aschempp, Jun 22 '20 08:06

I want to make it clear - I don't have any questions regarding the method itself (although its name is a bit misleading). This is only about the docs. The docs say there's a service to check whether the token for the preview mode is present, which is not exactly what that service does.

ameotoko, Jun 22 '20 12:06

@ameotoko That's what @aschempp is saying. The preview mode is not the same as the preview script. And the front end preview token is only available if you enabled show unpublished. If you are using the default preview.php, but without having show unpublished enabled, the FrontendPreviewToken will not be present.

fritzmg, Jun 22 '20 13:06

Well, I just tested it, and it's not true. https://github.com/contao/core-bundle/blob/master/src/Security/Authentication/Token/TokenChecker.php#L142

        return $token instanceof FrontendPreviewToken && $token->showUnpublished();

$token is an instance of FrontendPreviewToken every time you access FE through preview.php, regardless of show unpublished setting.

ameotoko, Jun 22 '20 13:06
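To make the division of labour from aschempp's list concrete, and to show the difference ameotoko points out between "a FrontendPreviewToken is present" and "isPreviewMode() is true", here is an added example of a small application service. It is not Contao code and not from this issue: the class, its name and its method names are my own; the injected types are the real Contao and Symfony services (contao.routing.scope_matcher, contao.security.token_checker, security.helper and security.token_storage) and the method calls on them (isFrontendRequest, hasBackendUser, isGranted, isPreviewMode, getToken) exist as used. The assumption in the last method is that, on a front end request, the token storage holds the front end firewall's token.

```php
<?php

declare(strict_types=1);

namespace App\Security;

use Contao\CoreBundle\Routing\ScopeMatcher;
use Contao\CoreBundle\Security\Authentication\Token\FrontendPreviewToken;
use Contao\CoreBundle\Security\Authentication\Token\TokenChecker;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Security;

/**
 * Hypothetical helper (not part of Contao) that sends each question to the
 * service that can actually answer it. Wire it with autowiring; the four
 * constructor arguments resolve to contao.routing.scope_matcher,
 * contao.security.token_checker, security.helper and security.token_storage.
 */
final class RequestSecurityContext
{
    /** @var ScopeMatcher */
    private $scopeMatcher;

    /** @var TokenChecker */
    private $tokenChecker;

    /** @var Security */
    private $security;

    /** @var TokenStorageInterface */
    private $tokenStorage;

    public function __construct(
        ScopeMatcher $scopeMatcher,
        TokenChecker $tokenChecker,
        Security $security,
        TokenStorageInterface $tokenStorage
    ) {
        $this->scopeMatcher = $scopeMatcher;
        $this->tokenChecker = $tokenChecker;
        $this->security = $security;
        $this->tokenStorage = $tokenStorage;
    }

    /**
     * Routing only: is this route in the front end scope? This says nothing
     * about who, if anyone, is logged in.
     */
    public function isFrontendRequest(Request $request): bool
    {
        return $this->scopeMatcher->isFrontendRequest($request);
    }

    /**
     * Authentication across firewalls: on a front end route the back end
     * firewall is not active, but TokenChecker still reads the back end
     * token from the session. Only "is logged in", never "is allowed to".
     */
    public function backendUserIsVisitingFrontend(Request $request): bool
    {
        return $this->scopeMatcher->isFrontendRequest($request)
            && $this->tokenChecker->hasBackendUser();
    }

    /**
     * Authorization on the CURRENT firewall only. On a front end route this
     * asks about the member, never about a back end user who happens to be
     * logged in as well; there is no cross-firewall isGranted().
     */
    public function currentUserIsAdmin(): bool
    {
        return $this->security->isGranted('ROLE_ADMIN');
    }

    /**
     * "Preview mode" in Contao's sense: a FrontendPreviewToken is present AND
     * "show unpublished" is enabled. A preview.php visit without that setting
     * returns false here.
     */
    public function canSeeUnpublished(): bool
    {
        return $this->tokenChecker->isPreviewMode();
    }

    /**
     * The weaker question raised in this thread: is the current firewall
     * token a FrontendPreviewToken at all, regardless of show unpublished?
     * Assumption: the token storage holds the front end firewall's token on a
     * front end request. A null token or a plain member token answers false.
     */
    public function hasFrontendPreviewToken(): bool
    {
        return $this->tokenStorage->getToken() instanceof FrontendPreviewToken;
    }
}
```

Reading the methods top to bottom gives the rule of thumb from the list above: ScopeMatcher for "which scope/firewall", TokenChecker for "who is logged in, possibly on the other firewall", security.helper for "what may the current user do". The last method is the only one that distinguishes "served through the preview token" from "allowed to see unpublished content"; TokenChecker::isPreviewMode() deliberately collapses the two.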

Interesting, in my case it was always null. Anyways, we can change the wording:

-It allows you to check, whether a token for a front end user, back end user or the preview mode is present.
+It allows you to check whether a token for a front end user or back end user is present or whether the preview mode is enabled within the front end preview token.
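Review bot: the replacement sentence still leaves "preview mode" undefined, and this thread shows the term is read in two ways (the back end "show unpublished" setting versus visiting the site through preview.php). Since isPreviewMode() is `$token instanceof FrontendPreviewToken && $token->showUnpublished()`, consider stating that explicitly, e.g. "... or whether the front end preview token is present and 'show unpublished' is enabled (isPreviewMode())", so readers do not use it to detect the preview script alone.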

Btw. you can quickly make pull requests yourself by clicking on the edit this page link in the top right corner of the docs ;)

fritzmg, Jun 22 '20 13:06

So, the Preview mode is meant to be this show unpublished setting? I always thought Preview mode is the mode accessed through preview.php, which can do two independent things:

  • preview unpublished changes
  • impersonate frontend user

Btw. you can quickly make pull requests yourself simply by clicking on the edit this page link in the top right corner of the docs ;)

If I had known this thread would grow so long, I would have just done a PR instead :)

ameotoko, Jun 22 '20 14:06

So, the Preview mode is meant to be this show unpublished setting?

Yes, see aschempp's comment:

Preview mode historically means being logged in to the back end and enabling show unpublished.

--

I always thought Preview mode is the mode accessed through preview.php, which can do two independent things:

The FrontendPreviewToken can impersonate back end users, which is used by the BackendPreviewController (/contao/preview route), which enforces that it is accessed through the configured preview entry point.

fritzmg, Jun 22 '20 14:06

The FrontendPreviewToken is set if you click on the "show in frontend" link in the backend. If you manually enter the preview.php url, the token will not be set. (as far as I know)

aschempp, Oct 09 '20 16:10