Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hotfix: isGranted for failed routing #1

Merged
merged 4 commits into from
Jan 24, 2020
Merged

Hotfix: isGranted for failed routing #1

merged 4 commits into from
Jan 24, 2020

Conversation

michalbundyra
Copy link
Member

@michalbundyra michalbundyra commented Jan 22, 2020
edited
Loading

Q A
Bugfix yes
BC Break no

Description

We have RouteResult in the request attributes but routing failed so getMatchedRouteName will return false.

In that case everyone can access non-existing resource, so the result of isGranted should be true.

I hit the error with my application when navigating to non-existing page. I got exception instead of proper 404 page. My pipeline is as follows:

    $app->pipe(ErrorHandler::class);
    $app->pipe(ServerUrlMiddleware::class);

    $app->pipe(AuthenticationMiddleware::class);

    $app->pipe(SessionMiddleware::class);
    $app->pipe(CsrfMiddleware::class);

    $app->pipe(RouteMiddleware::class);

    $app->pipe(ImplicitHeadMiddleware::class);
    $app->pipe(ImplicitOptionsMiddleware::class);
    $app->pipe(MethodNotAllowedMiddleware::class);

    $app->pipe(UrlHelperMiddleware::class);

    $app->pipe(AuthorizationMiddleware::class);

    $app->pipe(DispatchMiddleware::class);

    $app->pipe(NotFoundHandler::class);

@michalbundyra michalbundyra added the Bug Something isn't working label Jan 22, 2020
@michalbundyra
Copy link
Member Author

The problem here is that even if we are going to return false on isGranted as the result we are gonna get 403 response instead of 404, see:
https://github.com/mezzio/mezzio-authorization/blob/master/src/AuthorizationMiddleware.php#L44-L57

Maybe it should be fixed somehow in mezzio/mezzio-authorization then?

@michalbundyra
Copy link
Member Author

The same issue we will have also in ACL implementation:
https://github.com/mezzio/mezzio-authorization-acl/blob/master/src/LaminasAcl.php#L49

false value is not allowed in
https://github.com/laminas/laminas-permissions-acl/blob/master/src/Acl.php#L712-L717
(2nd parameter).

When routing failed RouteResult::getMatchedRouteName() returns false, see:
https://github.com/mezzio/mezzio-router/blob/master/src/RouteResult.php#L141-L145

@samsonasik
Copy link
Member

I got 500 as well for ACL

@weierophinney
Copy link
Contributor

I'm a bit confused by the test results. They indicate a TypeError thrown because isGranted() returned null instead of a boolean. Did you mock it correctly?

@michalbundyra
Test for isGranted when routing failed
f47d0b2 
We have RouteResult in the request attributes but routing failed
so `getMatchedRouteName` will return `false`.

In that case everyone can access non-existing resource, so the result
of `isGranted` should be `true`.
@michalbundyra
No mocking of RouteResult
c8e0dc8 
More reliable results we can get if we create proper instance of
RouteResult. This class has two states - when matched routing is found
and when routing is failed. It is hard to properly mock internal state
of the object with all public methods. THat's why it's easier to use
static method to create the object with desired state.
@michalbundyra
Update adapter to fix failing test - no matching route - everyone can…
163a0c7 
… access

If there is no matching route in RouteResult we return true, as the
permission is granted. It read that everyone can access non-existing
resource.

AuthorizationMiddleware will then just pass this request to the next
middleware and as the result we will get 404.
@michalbundyra michalbundyra changed the title Test for isGranted when routing failed Hotfix: isGranted for failed routing Jan 23, 2020
@michalbundyra michalbundyra mentioned this pull request Jan 23, 2020
Merged
@michalbundyra
Copy link
Member Author

@weierophinney PR is now updated with the fix as we discussed - adapter returns true from isGranted when there is no matched routing. With this solution we can keep original middleware unchanged and without mezzio-router dependency, so it can implement any custom adapter.

The same hotfix I've provided for acl adapter: mezzio/mezzio-authorization-acl#1

weierophinney
weierophinney approved these changes Jan 24, 2020
View reviewed changes
Copy link
Contributor

@weierophinney weierophinney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense for me. Since these adapters are route-based, they cannot examine anything that is a routing failure, and that case will more than likely mean a 404 scenario.

If users want to do differently (e.g., return a 403 for routing failures), they can decorate the AuthorizationMiddleware to do so.

michalbundyra added a commit that referenced this pull request Jan 24, 2020
@michalbundyra
Merge pull request #1 from michalbundyra/failed-routing-is-granted
8ff1655 
Hotfix: isGranted for failed routing
michalbundyra added a commit that referenced this pull request Jan 24, 2020
@michalbundyra
Adds CHANGELOG entry for #1
0d3c3c1
michalbundyra added a commit that referenced this pull request Jan 24, 2020
@michalbundyra
Merge branch 'hotfix/1' into develop
5338f3a 
Forward port #1
@michalbundyra michalbundyra merged commit cf25e0f into mezzio:master Jan 24, 2020
@michalbundyra michalbundyra deleted the failed-routing-is-granted branch January 24, 2020 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weierophinney weierophinney weierophinney approved these changes

Assignees
No one assigned
Labels
Bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@michalbundyra @samsonasik @weierophinney