getkirby / kirby

Kirby's core application folder
https://getkirby.com

Unauthenticated field after upgrade #5465

Closed plain-solutions-gmbh closed 1 year ago

plain-solutions-gmbh commented 1 year ago

Description

After upgrading from 4.0.0-alpha.5 -> 4.0.0-alpha.6, I am receiving an unauthenticated error in every field of the panel:

Expected behavior
Login page should appear if unauthenticated.

Screenshots

(Screenshot: Bildschirmfoto 2023-08-07 um 15 35 20)

To reproduce

  1. Install Kirby v4.0.0-alpha.5
  2. Login to panel
  3. Upgrade Kirby: composer require getkirby/cms:4.0.0-alpha.6
  4. Reload panel

Additional context

No solution:

Solution: Delete Accounts folder and recreate user.

plain-solutions-gmbh commented 1 year ago

Here is an example: https://kirby4.microman.ch/panel/site Let me find a way to reproduce it...

plain-solutions-gmbh commented 1 year ago

Okay, I found it out. It happens when you use kirby()->impersonate('kirby'); in the index of a plugin. It is up to your discretion whether there is a need for action here. I have tested it in version 3.9.2 and 3.9.6 and this error does not happen. (Here you will end up in an endless loop)

distantnative commented 1 year ago

It happens when you use kirby()->impersonate('kirby'); in the index of a plugin.

Do you mean just on top level of that file? Not in any extension callback or so? That would indeed render every request with full permissions.

afbora commented 1 year ago

@youngcut Do you have a copy of the plugin to test it?

plain-solutions-gmbh commented 1 year ago

I put impersonate into this plugin, which forces the bug. The plugin uses the Tree component (which is used in the link field) to display pages and files in a section. Feel free to use the code for Kirby 4.

I would recommend that impersonate only works if a function is provided in which the permissions are enabled.

plain-solutions-gmbh commented 1 year ago

The plugin uses the Tree component (which is used in the link field) to display pages and files in a section. Feel free to use the code for Kirby 4.

I keep on working on that plugin. If you're interested in integrating layout: tree into the pages and files sections, please contact me via Discord (mr.microman).

distantnative commented 1 year ago

I think you misunderstood what impersonate does.

Calling

$kirby->impersonate('kirby')

sets the current user as the almighty kirby user with full permissions until anything else is set or unset via $kirby->impersonate(null).

The impersonation will be active for all code that runs in the current request after the call to $kirby->impersonate().

As plugin index.php files get loaded on every request, when you're calling it here https://github.com/youngcut/k4-browser-section/blob/main/index.php#L5 you make every request - frontend and backend - run with the almighty kirby user. Hence, you didn't have to login to the Panel - almighty kirby user is already set and has full access.

So this is something you never really want to do. Using the call like you did makes sense e.g. in a route or so, where it's applied during a very specific request. But not just on top of a plugin file that gets loaded whenever.

The optional callback function is a way to limit the scope. So instead of having to reset it e.g. via $kirby->impersonate(null), you can wrap the call around your code that needs the permission and then only that code runs as almighty kirby user:

$kirby->impersonate('kirby', function () {
    // your code that needs the permissions
});
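To show the scoping distantnative describes in a complete plugin file, here is an added example for this thread. It is not the k4-browser-section plugin's own index.php and not code from the issue; the plugin name, the route pattern and the JSON shape of the response are assumptions. The impersonation is confined to one route handler's closure, and the handler checks the real request user before it elevates anything, so a request that is not logged in still gets a 401 instead of silently running as the almighty user.

```php
<?php
// Added example, not code from the issue thread or from the k4-browser-section
// plugin: a plugin index.php that scopes the 'kirby' impersonation to a single
// route handler. The plugin name, route pattern and JSON shape are assumptions.
//
// Contrast with the pattern that caused this issue: calling
// kirby()->impersonate('kirby') at the top level of this file would run every
// request, frontend and Panel alike, as the almighty user, so the Panel would
// never ask anyone to log in.

use Kirby\Http\Response;

Kirby::plugin('example/scoped-impersonate', [
    'routes' => [
        [
            'pattern' => 'example/listed-pages',
            'method'  => 'GET',
            'action'  => function () {
                $kirby = kirby();

                // Access control stays with the real request user. Impersonation
                // is only used below to read pages the caller may not see directly.
                if ($kirby->user() === null) {
                    return Response::json(['error' => 'Unauthenticated'], 401);
                }

                $before = $kirby->user()->id();

                // Only this closure runs as the 'kirby' user. When it returns (or
                // throws), impersonate() restores the previous user itself, so no
                // manual $kirby->impersonate(null) reset is needed afterwards.
                $titles = $kirby->impersonate('kirby', function () use ($kirby) {
                    $titles = [];
                    foreach ($kirby->site()->children()->listed() as $page) {
                        $titles[] = $page->title()->value();
                    }
                    return $titles;
                });

                // Sanity check: the current user is the caller again, not 'kirby'.
                $after = $kirby->user()->id();

                return Response::json([
                    'user'     => $after,
                    'restored' => $before === $after,
                    'pages'    => $titles,
                ]);
            },
        ],
    ],
]);
```

The `restored` flag in the response is only there to make the behaviour visible while testing: with the callback form it is always true, whereas a bare `$kirby->impersonate('kirby')` placed before the read would leave the elevated user in place for the rest of the request and for every other piece of code that runs after it.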