How create controller action without requiring user authorization?

I need to create controller action, which doesn’t require user authorization. So everyone could see create page without authorization. Is it possible to do in OroPlatform?

Topic

[Yurii MuratovParticipant]

Hi, @maksold.
Yes, it’s possible.
For this, in security.yml config file you should add new firewall that will allow access to some routes for anonymous users (without authorization). This firewall should be added before main firewall:

... firewalls: ... anonymouspages: pattern: ^/anonymous security: false anonymous: true ... main: ...

1 2 3 4 5 6 7 8 9 10 11 12

... firewalls: ...         anonymouspages:             pattern: ^/anonymous             security:                       false             anonymous:                      true ...         main: ...

With this firewall, all url that start with anonymous, for example http://domain.com/anonymous/some_data, will have access for non logged users.

After this, you can create your controller action that will be available for all users.

But in this case, in template of your action, you should not use standart oro action templates because they have a lot of ACL checks which will not work at such page.

[maksoldParticipant]

Thanks, @yurio, but it doesn’t work(((

1) I edited vendor/oro/platform/src/Oro/Bundle/DistributionBundle/Resources/config/security.yml

firewalls: oroapi: pattern: ^/oroapi security: false anonymous: true dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false login: pattern: ^/login$ security: false main: ...

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

firewalls:         oroapi:             pattern:                        ^/oroapi             security:                       false             anonymous:                      true         dev:             pattern:                        ^/(_(profiler|wdt)|css|images|js)/             security:                       false         login:             pattern:                        ^/login$             security:                       false         main: ...

2) Here is my controller and routing.yml => https://www.evernote.com/l/APIAbnQ3YrZB9rY-OSec3WuI4u41DF4mq64
3) Then I cleared cache.

When I’m opening my http://orocon.dev/web/app_dev.php/oroapi/index, it redirects to login page. But when I open this ulr as logged in user, it works.

Here is request Timeline (when user is logged out) => https://www.evernote.com/l/APLcLnw5b4lArro4Hck3_F8KyjQNnbQr6rA

What is wrong? Why it redirects me to login page?

[maksoldParticipant]

Can any one help?

[Yurii MuratovParticipant]

Hi, @maksold.
You should edit app/config/security.yml file, not the security.yml from the DistributionBundle.
Here my configuration what works:

app/config/security.yml file: https://gist.github.com/yurio/01b39ff792be73c25851
At line 43 i have anonymouspages firewall what allow links started with anonymous.

The next thing, i have test bundle AcmeAnonymousBundle. src/Acme/Bundle/AnonymousBundle/Resources/config/oro/routing.yml file:
https://gist.github.com/yurio/77eabe9c511ae8e52731

And the controller: https://gist.github.com/yurio/31a5e3e9ab76d8d0842a

[RodolfoParticipant]

Hi @yurio,

Do you know an alternative way to create a page without authentication only editing files from inside a bundle? I’m developing something that will call orocrm using webhooks. (similar idea of what we have now with tracking javascript calling tracking.php)

I’m thinking to create a method to move the endpoint file from the bundle to /web folder but obviously not sure if it’s the best approach.

Thank you.

[RodolfoParticipant]

Editing DependencyInjection to load security.yml generates this:

Fatal error: Uncaught exception ‘Symfony\Component\DependencyInjection\Exception\InvalidArgumentException’ with message ‘There is no extension able to load the configuration for “security”

So.. Why DistributionBundle can override security.yml and my bundle not?

Thanks!!

[Yurii MuratovParticipant]

Hi, @rbandeira.

security.yml file in DistributionBundle does not override main application security.yml file. This bundle have own start point install.php in web directory.
This start point have own kernel class DistributionKernel in app directory.
This kernel have own main config files that stores at app/config/dist directory.
config.yml file from this directory imports security.yml file from the DistributionBundle.

In your case, if you just want to create anonymous firewall from your bundle, you can do it with Resources/config/oro/app.yml file in your bundle. Here you can add application configurations. And here you can modify security preferences too. Some info about this file you can find here https://github.com/orocrm/platform/blob/master/src/Oro/Bundle/PlatformBundle/README.md#add-application-configuration-settings-from-any-bundle.
We use app.yml file to modify security firewalls in SSOBundle https://github.com/orocrm/platform/blob/master/src/Oro/Bundle/SSOBundle/Resources/config/oro/app.yml.
And our orocommerce application use app.yml file to add custom security firewalls for this application https://github.com/orocommerce/orocommerce/blob/master/src/OroB2B/Bundle/AccountBundle/Resources/config/oro/app.yml.

[RodolfoParticipant]

Hi @yurio

Thanks for the information. I added the Resources/config/oro/app.yml. Debugging the class YamlCumulativeFileLoader I can see the file being loaded by Oro.

But the application keeps redirecting the requests to /user/login. I tried to set the priority on bundle config to -100, -1000 and nothing.

Do you know what else should I verify in order to bypass this login page?
Thank you.

This is my app.yml:

security: firewalls: livechat_integration: pattern: ^/livechat_integration security: false anonymous: true

1 2 3 4 5 6

security:     firewalls:         livechat_integration:             pattern:                        ^/livechat_integration             security:                       false             anonymous:                      true

Route:

demac_oro_livechat_integration_homepage: resource: "@DemacOroLivechatIntegrationBundle/Controller" type: annotation prefix: /livechat_integration

1 2 3 4

demac_oro_livechat_integration_homepage:     resource:     "@DemacOroLivechatIntegrationBundle/Controller"     type:         annotation     prefix:       /livechat_integration

[RodolfoParticipant]

Hi @yurio

dev.log:

[2015-12-16 16:25:12] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {“exception”:”[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException: A Token was not found in the TokenStorage.

oro/app.yml:

YAML

security: firewalls: livechat_integration: pattern: ^/livechat/integration provider: chain_provider anonymous: true access_control: - { path: ^/livechat/integration, role: IS_AUTHENTICATED_ANONYMOUSLY }

1 2 3 4 5 6 7 8 9

security:     firewalls:         livechat_integration:             pattern: ^/livechat/integration             provider:  chain_provider             anonymous: true                  access_control:         - { path: ^/livechat/integration, role: IS_AUTHENTICATED_ANONYMOUSLY }

Do you know something else that can help me? It should be working. Even configuring exactly with the same structure we can see here doesn’t work.

[RodolfoParticipant]

Found what was going on.

I thought that anonymouspages directive was in master branch of oro. (security.yml). Adding it manually works.

Thank you

[Yurii MuratovParticipant]

Hi, @rbandeira.

If you work at 1.8 platform, you should add your new firewall to main security.yml file.
In 1.9-RC we have a possibility to add custom firewalls at the bundle level.

[Author]

Replies