I need your help to resolve my issue. I'm stuck here from approx 3-4 hours.
I made custom roles and permissions to every user. I have executed the code under component controller class's function afterAction. But if user don't have the access of the clicked action then it should be redirect to error page. When i use redirect function it says Cannot modify header information - headers already sent. I will be highly thankful if anyone can help me out. Here is my code
if (isset(yii::app()->user->id)) {
$controller = yii::app()->controller->id;
$action = yii::app()->controller->action->id;
$noAuthControllerAction = array();
$noAuthControllerAction[] = 'site/index';
$controllerAction = $controller . '/' . $action;
if (!in_array($controllerAction, $noAuthControllerAction)) {
$isAllowed = $this->isAllowed($controller, $action);
if (!$isAllowed) {
$this->redirect(array('site/denied'));
}
}
}
parent::afterAction($action);
Always use accessRules() in your controller for roles and permissions for more information see Yii Documentation for authentication and authorization
In your controller
A basic role-based access control looks like this :
array('allow', // allow authenticated owner users to perform the following actions.
'actions' => array('sales', 'export', 'invoice', 'payment'),
'users' => array('#'),
'roles' => array('owner'),
),
A custom expression role-based access control looks like this : (This is what you need)
array('deny', // deny authenticated owner users to perform the following actions if store is not yet selected.
'actions' => array('sales', 'export', 'invoice', 'payment'),
'users' => array('#'),
'roles' => array('owner'),
'deniedCallback' => function() {
Yii::app()->controller->redirect(array('/store/location'));
},
'expression' => '!Yii::app()->user->isStoreSelected()',
),
'expression' is your rule, and if rule is not met then 'deniedCallback' will redirect you to desired 'controller/action' in this case '/store/location'.
Also don't use
$this->redirect(array('site/denied')) for error handling, instead use
throw new CHttpException(401,'Access denied.');
This is the right way to handle errors in Yii. If you want to customize your error page please refer to Error Handling
afterAction runs after action is rendered. This is the cause of your error.
Use beforeAction event for that. Do you know RBAC? RBAC can help you.
http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control
You could use accessControl for limit action uses to roles.
Related
I've been banging my head on this trying to find a solution, searching all around for something that would work, but I got no chance.
I have a "dashboard" where users have a list of event they took part in where they can rate/comment the event. I'ts basically a custom comment form for a node that is not displaying on the node page itself. The user click on an icon in their dashboard next to the event they want to comment, they get to the form, fill it and it returns them back to the dashboard. The return is adding parameters with a custom submit function and using the redirect function to make sure the user return to the proper tab in their dashboard.
function custom_form_alter(&$form, &$form_state, $form_id) {
if ($form_id == 'comment_node_event_form') {
$form['#submit'][] = 'customcomment_form_submit';
}
}
function customcomment_form_submit($form, &$form_state) {
if($form['#form_id']=='comment_node_event_form'){
$pos = strpos($_SERVER['HTTP_REFERER'], 'qt-dashboard');
if ($pos !== FALSE) {
$form_state['redirect'] = array(
'dashboard',
array(
'query' => array(
'qt-dashboard' => '2',
'qt-dashboard_event' => '2',
),));
}else{
$form_state['redirect'] = array(
'dashboard',
array(
'query' => array(
'qt-dashboard' => '2',
'qt-dashboard_event' => '1',
),));
}
}
}
This portion is working as it should and expected. The problem is when form validation fails, it send the comment form error message and form to refill to the node page instead of staying where it is.
I found that if I set the #action with the link where my comment form is, it does send the fail to the proper page
$form['#action']='/rating_comment/'.$form['#node']->vid.'?destination=dashboard&qt-dashboard=2&qt-dashboard_event=2';
But, doing so break the redirect when successfully submitting the form and it doesn't take the parameter in the redirect..it basically send the user directly to dashboard and scrapes the parameter. Now there might be a better solution for form validation fail to stay on the same page and that is pretty much what I am looking for.
Thanks
Looks like this form isn’t in your module - and you’re altering the other module.
Now, when the validate function gets invoked at the end you can check for failure and if there is failure cancel processing/redirect etc.
$form_state['no_redirect'] = FALSE:
Also, you can use the error function to check for errors and if so cancel the rest. This goes inside validate method.
if (form_get_errors()) { return FALSE ; }
// .. Otherwise, process validation
Check out the following
https://drupal.stackexchange.com/questions/170815/is-it-possible-to-stop-a-webform-form-during-submission
https://drupal.stackexchange.com/questions/5861/how-to-redirect-to-a-page-after-submitting-a-form
My login form may be called with a re-direct query and I am wondering if there is a simple way to include this in the subsequent post action.
The use case is for SSO login.
My normal login route is:
/customer/login
and when called from a third party client becomes:
/customer/login?redirectTo=http://www.example.com
My login action:
public function loginAction()
{
$prg = $this->prg();
if ($prg instanceof Response) {
return $prg;
} elseif ($prg === false) {
return new ViewModel(['form' => $this->loginForm]);
}
This loads my view and I currently define my action as so:
$form = $this->form;
$form->setAttribute('action', $this->url());
Now when the action is called, I am losing the redirectTo parameter.
So my question is this, is it possible to update the action to include the re-direct url so that when a user clicks to login, it is posted back to my form?
thanks!
EDIT -
Obviously I can create a redirectTo route in the configs and test on the initial call to the page for the existence of such a route and include this in the form. My question however is whether or not this can be done automagically simply from the viewscript.
To generate query string arguments from the view helper, you need to assign them as the third argument using the query key. Please refer to the ZF2 docs http://framework.zend.com/manual/current/en/modules/zend.view.helpers.url.html
$form->setAttribute('action', $this->url('application', array('action' => 'login'), array('query' => array('redirectTo' => 'http://www.example.com,))));
$form->setAttribute('action', $this->url('login', [
'query' => [
'redirectTo' => $this->params()->fromQuery('redirectTo')
]
]);
Where 'login' is the name of the login route.
See Url View Helper
Well my solution is not as elegant as I hoped it would be. I wanted to avoid using the controller for the query params. As #Stanimir pointed out, the view helpers are in fact, to help with view so my original idea was unfounded.
This is an end to end of what I have put together:
Controller:
$redirect_url = $this->params()->fromQuery('redirectTo',null);
Returns this to view on initial load:
return new ViewModel( ['form' => $this->loginForm , 'redirect_url' => $redirect_url] );
View
$form->setAttribute(
'action',
$this->url(
'customer/login', [] ,
[ 'query'=>
[ 'redirectTo' => $this->redirect_url ]
]
)
);
I have created a FB App that grants the following permissions from the user:
1. manage_pages
2. read_insights
By using the app, the user can create a new tab on a page and delete it when this is necessary.
Apart from that, I want to give the option to the user to see some basic stats regarding the page(s) that she creates the tab(s).
For example, I want to retrieve the page views for a certain page for a specific period.
In order to do this I used the following code:
$today = date("Y-m-d");
$until = strtotime($today);
$since = strtotime("2013-08-01");
$pageID = "123";
$page_info = $facebook->api("/$pageID?fields=access_token");
$access_token = $page_info['access_token'];
$params = array(
'access_token' => $access_token,
'since' => $since,
'until' => $until,
);
$insights = $facebook->api("/{$pageID}/insights/page_views/",
"GET",
$params
);
print_r($insights);
The problem is that the result is...somehow empty. More precisely, I receive the following:
Array
(
[data] => Array
(
)
[paging] => Array
(
[previous]=>https://graph.facebook.com/123/insights/page_views/since=1370059200&until=1375329600
[next]=>https://graph.facebook.com/123/insights/page_views/since=1380600000&until=1385870400
)
)
When I use, the same logic to receive insights for my app (without using $token in the $params array), I receive the right data.
In addition to that, I was wondering if there is a way to create charts with this data (directly from FB).
Thx,
Antonis
I managed to solve the problem.
The returning array was empty, because I forgot to check if the user is logged in through facebook...
Regarding the charts, I didn't find any solution directly from facebook, so I used the Charts.js plugin.
I have the "Pages" controller with the "show" method and "Auths" controller with the "check" method which returns 1 if user is authenticated.
I have "default" page ("/profile").
I need to redirect to / if the user is authenticated and redirect all pages to / with the authorization form if the user is not authenticated. My code does not want to work properly (auth based on the FastNotes example application): (
auths#create_form - html-template with the authorization form.
$r->route('/') ->to('auths#create_form') ->name('auths_create_form');
$r->route('/login') ->to('auths#create') ->name('auths_create');
$r->route('/logout') ->to('auths#delete') ->name('auths_delete');
$r->route('/signup') ->via('get') ->to('users#create_form') ->name('users_create_form');
$r->route('/signup') ->via('post') ->to('users#create') ->name('users_create');
#$r->route('/profile') ->via('get') ->to('pages#show', id => 'profile') ->name('pages_profile');
my $rn = $r->bridge('/')->to('auths#check');
$rn->route ->to('pages#show', id => 'profile') ->name('pages_profile');
$rn->route('/core/:controller/:action/:id')
->to(controller => 'pages',
action => 'show',
id => 'profile')
->name('pages_profile');
# Route to the default page controller
$r->route('/(*id)')->to('pages#show')->name('pages_show');
It seems you want / to render either a login form OR a profile page. The code above will always show / as login because it hits that route condition first and will never care if you're authenticated or not.
Try a switch in your initial route for / (your default route after the bridge is unnecessary).
my $r = $self->routes;
$r->get('/' => sub {
my $self = shift;
# Check whatever you set during authentication
my $template = $self->session('user') ? '/profile' : '/login';
$self->render( template => $template );
});
A couple of notes on your example:
Its much easier to help debug issues if you use Mojolicious::Lite for examples.
Try using under instead of bridge.
Try using $r->get(..) instead of $r->route(..)->via(..)
Hope this helps.
What is the best way of creating functional tests to test forms with CSRF protection enabled in Symfony?
Currently I have to add the following code before each form submittion:
$form = new sfGuardFormSignin();
$token = $form->getCSRFToken();
$token_name = $form->getCSRFFieldName();
Then I add the $token and $token_name to form parameters like this:
call('/login', 'POST', array (
'signin' =>
array (
'username' => $username,
'password' => $password,
$token_name => $token,
)))
The option suggested in the documentation:
'_with_csrf' => true,
Doesn't work at all.
Is there more simple way to avoid adding token to each form tested manually? Or is there a way to turn off csrf checking when running tests?
The way I've described above is ok when you have to test 1-2 forms but if project contains tens unique forms it becomes a pain.
Of course, you can't use _with_csrf option if you call directly the url.
You must pass from the form page, clicking on the submit button.
Like so:
click('signin', array('signin' => array('username' => $username, 'password' => $password), array('_with_csrf' => true)))
The string 'signin' must be adapted to your form. You can also use a more label-independent string, like 'form#myform input[type="submit"]' instead of 'signin', adapting the id of your form.
As already suggested, you can disapble CSRF for login, it's really useful for forms that modifies data.
I personally don't use functional tests that extensively (probably to my own detriment), but you could always switch the CSRF protection off in your form class for testing purposes.
public function configure ()
$this->disableLocalCSRFProtection();
You can disable csrf protection for all forms just by adding additional compiler pass:
class CsrfProtectionCompilerPass implements CompilerPassInterface
{
/**
* {#inheritdoc}
*/
public function process(ContainerBuilder $container)
{
$env = $container->getParameter('kernel.environment');
if ($env == 'test') {
$container->setParameter('form.type_extension.csrf.enabled', false);
}
}
}
Or You can disable form extension completely by adding to config:
framework:
csrf_protection: false
btw, last solutions works only if You don't have explicitly set form option csrf_protection
I would turn off CSRF for testing environment.
You should get a CSRF token by showing the page including the form.
$browser->get('/login');
$dom = new DOMDocument('1.0', $browser->getResponse()->getCharset());
$dom->loadHTML($browser->getResponse()->getContent());
$domCssSelector = new sfDomCssSelector($dom);
$token = $domCssSelector->matchSingle('input[name="_csrf_token"]')->getNode()->getAttribute('value');