aimeos / aimeos-flow

Flow / NeosCMS e-commerce package for professional, ultra fast online shops and complex B2B applications
https://aimeos.org/Flow
GNU Lesser General Public License v3.0

Secured Shop Admin Backend in Neos Documentation? #16

Open lsascha opened 7 years ago

lsascha commented 7 years ago

Hello, first thank you for making it compatible with Neos 3.0 so quickly. :)

One thing I noticed, however, is that the admin backend is not secured by default, so we have to use the framework way to do this.

I got that working too now. The only small thing I noticed is that the Simple Mode does not send the csrf_token for the graphs, so I think that is the reason I only see the spinners in the Dashboard and the XHR request shows "You are not allowed to perform this action." in the browser debugger, even though I allowed the Jsonadm controller.

So far everything I tried from the Expert Mode works, and I saw the csrf_token sent there. So the Expert Mode works.

Also, unfortunately it is nowhere really documented how to secure the shop admin backend for Neos. Maybe that could be documented?

My configuration for it is the following (not sure if that is the correct name pattern for the controllers; I will have to check whether the controllers accessible to everybody have any action that users should not be able to execute):

Settings.yaml

Neos:
  Flow:
    security:
      authentication:
        providers:
          # Reuse the Neos backend login provider, so the matched shop admin
          # controllers require an authenticated Neos backend account
          'Neos.Neos:Backend':
            requestPatterns:
              'MyShop:AdminControllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  # Regular expression matched against the fully qualified
                  # controller class name (single backslashes inside single quotes)
                  controllerObjectNamePattern: 'Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm).*'

Policy.yaml

privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    # Public shop front end: every *Action() of these controllers
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'

    # Shop admin back end: every *Action() of the admin controllers
    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'

roles:
  # Role assigned to accounts that may use the shop admin back end
  'Aimeos.Shop:ShopAdmin':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT

  # Anonymous visitors get the front end only; 'MyShop:AdminActions' stays
  # denied for them because Flow denies any privilege target not granted
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT

Sorry for the long text, and thanks for that nice shop system. ;)

aimeos commented 7 years ago

Thanks for posting your configuration! :-)

The XHR requests made to the JSON admin API by the JQAdm interface are all GET requests. CSRF tokens are only useful for HTTP verbs like DELETE, PATCH, POST and PUT. If you can adapt your configuration this way, we will update our documentation.

lsascha commented 7 years ago

Hi, no problem.

The JQAdm Interface itself works, only the Graphs in the Dashboard do not show up.

And according to my browser debugger this is an OPTIONS request. [screenshot: aimeos-jqadm]

aimeos commented 7 years ago

You are right, first an OPTIONS and then a GET request. OPTIONS requests are also non-modifying, so a CSRF token shouldn't be required there either.
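The thread leaves open how to let a non-modifying OPTIONS call through Flow's CSRF check. As an added example (not code from the thread, from Aimeos or from the Neos project, and not a confirmed fix for the Aimeos dashboard), the following hypothetical Flow controller shows the general mechanism Flow documents for this: the `@Flow\SkipCsrfProtection` annotation exempts a single action from the CSRF token check while the authentication provider and the `MethodPrivilege` policy from the Settings.yaml and Policy.yaml above still decide whether the caller may reach it. The namespace `MyShop\Controller`, the class name and the JSON payload are assumptions made up for the example; the API used is the Flow 4 / Neos 3 era `ActionController` and `Response::setHeader()`.

```php
<?php
namespace MyShop\Controller;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Mvc\Controller\ActionController;

/**
 * Hypothetical discovery endpoint for a JSON admin client (example only,
 * not an Aimeos class). Because it lives under MyShop\Controller it would
 * need its own request pattern and privilege target, mirroring the ones
 * shown for Aimeos\Shop\Controller\* in Settings.yaml and Policy.yaml.
 */
class ApiDiscoveryController extends ActionController
{
    /**
     * Answers the OPTIONS (discovery) call of the client. It changes no
     * state, so no CSRF token is required. Note what the annotation does
     * NOT do: authentication and the policy check still run, so an
     * anonymous caller is rejected if the action is not granted to
     * Neos.Flow:Everybody.
     *
     * @Flow\SkipCsrfProtection
     * @return string
     */
    public function optionsAction()
    {
        // Constructed sample payload: which resources and verbs the API offers
        $resources = [
            'meta' => ['allow' => ['GET', 'OPTIONS']],
            'resources' => ['order' => 'order/', 'product' => 'product/'],
        ];

        $this->response->setHeader('Content-Type', 'application/json');
        $this->response->setHeader('Allow', 'GET, OPTIONS');

        return json_encode($resources);
    }
}
```

The annotation is deliberately limited to the read-only action; any state-changing action (create, update, delete) in the same controller keeps the default behaviour, so a POST or DELETE without a valid `__csrfToken` is still refused. To make Flow dispatch only OPTIONS requests to `optionsAction`, the matching entry in Routes.yaml needs `httpMethods: ['OPTIONS']`; otherwise the action is selected by the route's `@action` default regardless of the verb.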

aimeos commented 7 years ago

@lsascha Did you find out how to configure Flow to allow OPTIONS requests without CSRF token?

lsascha commented 7 years ago

Sorry for the late reply. No, I haven't found a solution for it yet, and haven't found anything in the documentation about it either. :/

aimeos commented 7 years ago

Did you ask in the Neos forum if somebody knows an answer?