OroCommerce Forums

Orocommerce 319: ShoppingListController > login redirect question

This topic contains 11 replies, has 2 voices, and was last updated by Frank 2 weeks, 2 days ago.

    #40305 Frank (Participant)

    Hi there,

    Maybe it’s a very simple question, but I am still learning …
    :-)

    Calling some of my guest shopping lists via a URL like:
    /oroapp.test/index_dev.php/customer/shoppinglist/48

    shows the shopping list correctly.
    https://snipboard.io/lEfMdH.jpg

    But calling another shopping list with some other properties:
    /oroapp.test/index_dev.php/customer/shoppinglist/47

    REDIRECTS TO THE LOGIN PAGE:
    https://snipboard.io/G6UWqp.jpg

    Obviously, this is caused by a MALFORMED shoppingList object (id=47), which is passed to /MyShoppingListBundle/Controller/ShoppingListController::viewAction(ShoppingList $shoppingList=null).

    But I am NOT ABLE TO DEBUG it:
    Trying to dump the pasted in ‘$shoppingList’ object is not successful; orocommerce redirects me immediately before the dump is executed.
    In my understanding there should be some event listener which checks the $shoppingList object BEFORE it is pasted in viewAction, and executes a REDIRECT if something is not conformant / permissions are not allowed.

    Which steps (e.g. event listeners called) exist in orocommerce 3.1.9 between the URL request (providing the shoppingList id only) and pasting the whole shoppingList object into viewAction?

    Thanks a lot for urgent help
    Frank

    PS: The forum editor is not working correctly (no toolbar available).

    #40306 Frank (Participant)

    passed in, not pasted in … sorry for my strange English. Thanks. Frank

    #40307 Andrey Yatsenko (Moderator)

    Hi Frank,

    A URL redirect is done before the controller, that’s why your dump hasn’t worked as expected.

    You can profile the redirected page with the Symfony Profiler or xDebug to see which listener triggered the redirect. But it looks like the issue is with the security listener.

    Probably, the shopping list object is linked to the user and is not considered as anonymous anymore OR this shopping list belongs to another guest user. The main idea is that users can access only their own shopping lists, that’s why you were redirected.

    #40308 Frank (Participant)

    Hi Andrey,

    thanks for the very fast reply!

    >> But it looks like the issue is with the security listener.
    Yes, I am sure it is.

    >> You can profile the redirected page with the Symfony Profiler or xDebug to see which listener triggered the redirect.
    Unfortunately, the Symfony profiler (web debug toolbar) does not work after the redirect.
    I have little experience with xDebug yet.

    >> Probably, the shopping list object is linked to the user and is not considered as anonymous anymore OR this shopping list belongs to another guest user. The main idea is that users can access only their own shopping lists, that’s why you were redirected.
    Yes, something like that seems to be the case, indeed. Hope I can find it out without xDebug ..?!

    Regards from Germany
    Frank

    #40309 Andrey Yatsenko (Moderator)

    Actually, the symfony profiler works with the redirects, but it’s a bit tricky to find the original page.

    • go to the shopping list page and wait for the redirect to the login page
    • on the login page, click the Symfony profiler at the status code “200”; it opens the profiler page
    • in the left sidebar, click “last 10”
    • in the list, find the request with 302 that leads to the shopping list and click its Token link

    This is it! You are on the profile page for the “302” redirect from the shopping list page.
    Now in the “Request Attributes” section you can find the shopping list object itself. Also, on the “Security” tab under “Access decision log” you can see the permission for which access was denied.

    See the attached screenshots

    #40325 Frank (Participant)

    Hi Andrey,

    I got Symfony’s profiler/web debug toolbar working, finally.

    REQUEST:
    https://snipboard.io/iAjSNe.jpg
    https://snipboard.io/f6u2ab.jpg (2)
    https://snipboard.io/sZTLhn.jpg (1a-expanded)
    https://snipboard.io/95BCTM.jpg (1b-expanded)

    RESPONSE:
    https://snipboard.io/r3yugE.jpg

    COOKIE:
    https://snipboard.io/G7nuCj.jpg

    SESSION:
    https://snipboard.io/YSmCWt.jpg

    EVENTS:
    https://snipboard.io/7T6tf8.jpg
    https://snipboard.io/wztDsB.jpg (2)
    https://snipboard.io/Zzqylj.jpg (3)
    https://snipboard.io/7RsK5O.jpg (4)

    SECURITY:
    https://snipboard.io/58Vki0.jpg
    https://snipboard.io/sKG7Dh.jpg (2)
    https://snipboard.io/UwDfx5.jpg (3)
    https://snipboard.io/KsGeZ9.jpg (4)
    https://snipboard.io/R9i8et.jpg (5)

    ROUTING:
    https://snipboard.io/glxAVR.jpg

    I expected some trace route, helpful for identifying the listener which triggers the redirect. However, I can’t locate it …

    Maybe you have a suggestion, if it is not too much work for you.

    Thanks a lot.

    Kind regards
    Frank

    PS:
    I know, in the end it came out that I had given my custom shoppingList property ‘buOwner’ some additional attribute in the background, which security does not like at all …

    Interestingly, the problem appears only in guest mode. If the user is logged in, all is fine.

    #40328 Andrey Yatsenko (Moderator)

    Check the last voter from the https://snipboard.io/R9i8et.jpg screen, as the view permission was denied for the shopping list. If it’s not the right one, I don’t see anything else helpful here, and it’s time to learn xdebug.

    #40331 Frank (Participant)

    Hi Andrey,

    after hours, and hours, and a short night I found out:

    Responsible for denying the ShoppingList VIEW permission is the:
    “Oro\Bundle\SecurityBundle\Acl\Voter\AclVoter”

    $field === null (the ShoppingList object IS NOT an $object instanceof FieldVote), so it results in:

    $acl->isGranted($masks, $sids, false) → false (my malformed custom ShoppingList object)
    $acl->isGranted($masks, $sids, false) → true (oro ShoppingList object)

    Now I am looking for a way to find out the reason for the isGranted() method to return false or true.
    Unfortunately, I do not know how to debug this method, which belongs to an AclInterface.

    If you could give me a short hint, that would be great!

    Kind regards
    Frank

    PS: I still do not have any idea why it’s working for a logged-in customer, but not for a guest visitor?

    #40333 Andrey Yatsenko (Moderator)

    You can check the service definition for the AclVoter to find the service that implements an interface.

    #40335 Frank (Participant)

    Ok, here comes the service definition for the AclVoter:

    I have checked all classes corresponding to the mentioned services. None of them implements AclInterface. None of them generates different outputs for the correct and the malformed shopping list.

    Hm. No idea how to get forward …

    Kind regards
    Frank

    #40343 Frank (Participant)

    What I found out, meanwhile:

    The function isGranted() above is declared in PermissionGrantingStrategyInterface:

    PermissionGrantingStrategyInterface is implemented by:
    a) vendor/oro/customer-portal/src/Oro/Bundle/CustomerBundle/Acl/Domain/PermissionGrantingStrategy.php
    b) vendor/oro/platform/src/Oro/Bundle/SecurityBundle/Acl/Domain/PermissionGrantingStrategy.php

    Both of them use the PermissionGrantingStrategyInterface from above. For illustration I display the code of the CustomerBundle one, a):

    So, it seems circular …?!

    How can I get access to the information on how the permission granting for the shoppingList object takes place: what is analyzed to return true or false?

    In other words:
    WHY:
    Oro\Bundle\SecurityBundle\Acl\Domain\RootBasedAclWrapper::
    isGranted(array $masks, array $securityIdentities, $administrativeMode = false)
    returns false for the malformed custom shoppingList object?

    Thanks a lot for a hint to push me forward!!!!
    Frank
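The question above is what an ACL isGranted() decision actually looks at. As an added illustration (not Oro’s or Symfony’s code, and not the AclVoter or RootBasedAclWrapper from the thread), the script below models the core of a PermissionGrantingStrategyInterface::isGranted($masks, $sids, $administrativeMode) call: an ordered list of access control entries (ACEs), each binding a permission bit mask to one security identity (SID); the first ACE matching one of the token’s SIDs and the requested mask decides, and no matching ACE means denied. The three mask-comparison strategies (all / any / equal) follow the Symfony ACL component’s definitions; the ACE and SID values, class names, and the two-list scenario are constructed for the example. Oro’s real strategy layers access levels and ownership on top of this, which the model omits.

```php
<?php
declare(strict_types=1);

// Added illustration, not Oro or Symfony code. Class names, SIDs and the
// two shopping-list ACLs below are hypothetical, constructed for the example.

const MASK_VIEW   = 1;
const MASK_EDIT   = 2;
const MASK_DELETE = 4;

// Access control entry: grants or denies a permission mask to one security identity.
final class Ace
{
    public function __construct(
        public readonly string $sid,               // e.g. 'ROLE_FRONTEND_ANONYMOUS', 'visitor:42'
        public readonly int    $mask,
        public readonly bool   $granting = true,
        public readonly string $strategy = 'all',  // 'all', 'any' or 'equal'
    ) {}
}

final class SimpleAcl
{
    /** @var string[] audit log of the decision, comparable to the profiler's access decision log */
    public array $log = [];

    /** @param Ace[] $aces object-level entries in order; the first match decides */
    public function __construct(private readonly array $aces) {}

    /**
     * @param int[]    $masks requested masks, tried in order (e.g. [MASK_VIEW])
     * @param string[] $sids  identities of the current token, most specific first
     * @param bool     $administrativeMode when true, the audit log is not written
     */
    public function isGranted(array $masks, array $sids, bool $administrativeMode = false): bool
    {
        foreach ($masks as $mask) {
            foreach ($sids as $sid) {
                foreach ($this->aces as $ace) {
                    if ($ace->sid !== $sid || !$this->maskMatches($ace, $mask)) {
                        continue;
                    }
                    $this->audit($administrativeMode, sprintf(
                        '%s ACE for %s matched mask %d -> %s',
                        $ace->granting ? 'granting' : 'denying', $sid, $mask,
                        $ace->granting ? 'GRANT' : 'DENY'
                    ));
                    return $ace->granting;
                }
            }
        }
        // No ACE applies to any of the token's identities: access is not granted.
        $this->audit($administrativeMode, 'no applicable ACE for ' . implode(',', $sids) . ' -> DENY');
        return false;
    }

    private function maskMatches(Ace $ace, int $required): bool
    {
        return match ($ace->strategy) {
            'all'   => ($ace->mask & $required) === $required, // every required bit is set
            'any'   => ($ace->mask & $required) !== 0,         // at least one required bit is set
            'equal' => $ace->mask === $required,               // exact mask
            default => throw new InvalidArgumentException("unknown strategy {$ace->strategy}"),
        };
    }

    private function audit(bool $administrativeMode, string $line): void
    {
        if (!$administrativeMode) {
            $this->log[] = $line;
        }
    }
}

// Constructed scenario: list 48 carries an ACE for the visitor that created it;
// list 47 only carries an ACE for a customer-user role, so a guest token finds no
// applicable entry and is denied, while a logged-in customer user is granted view.
$list48 = new SimpleAcl([new Ace('visitor:42', MASK_VIEW | MASK_EDIT)]);
$list47 = new SimpleAcl([new Ace('ROLE_FRONTEND_USER', MASK_VIEW)]);

$guestSids = ['visitor:42', 'ROLE_FRONTEND_ANONYMOUS'];
$userSids  = ['user:frank', 'ROLE_FRONTEND_USER'];

foreach (['48' => $list48, '47' => $list47] as $id => $acl) {
    $guest = $acl->isGranted([MASK_VIEW], $guestSids);
    $user  = $acl->isGranted([MASK_VIEW], $userSids);
    printf("list %s: guest=%s user=%s\n", $id, var_export($guest, true), var_export($user, true));
    echo '  ', implode("\n  ", $acl->log), "\n";
}
```

Run it with PHP 8.1 or newer. The audit lines show which ACE (or the absence of one) produced each verdict, which is the information the thread is after: a guest and a logged-in user carry different SIDs, so the same object ACL can yield false for one and true for the other without any ACE explicitly denying anyone.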

    #40351 Frank (Participant)

    Eureka! I got it.

    Thanks to xdebug, it was not very complicated to find out what was the cause for not granting guests access to my customized shopping lists.

    Class
    OroSecurityBundle/Acl/Extension/AbstractAccessLevelAclExtension.php
    was responsible.

    I have to modify/override this class marginally, and that’s it.

    Thank you, Andrey, for the advice.
    Frank
