BUG Ticket (closed)

history panel doesn't work with Auth/ACL

### What happened:
- when Auth/ACL is enabled, history panel doesn't have access to ToolbarAccessController::history_state() as it is not allow()ed by auth.

### What was expected:
- History panel to work

### Patch:
{{{
@@ -62,10 +62,14 @@ class ToolbarAccessController extends DebugKitAppController { if (isset($this->Toolbar)) { $this->Toolbar->enabled = false; } $this->helpers['DebugKit.Toolbar']['cacheKey'] = $this->Toolbar->cacheKey; $this->helpers['DebugKit.Toolbar']['cacheConfig'] = 'debug_kit'; + + if (isset($this->Auth)) { + $this->Auth->allow('history_state'); + } } /** * Get a stored history state from the toolbar cache. *
}}}
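Review bot: the `$this->Auth->allow('history_state')` added at the end of this hunk is unconditional, so as soon as the Auth component is present the action is opened to everyone, independent of the debug level and of the `$this->Toolbar->enabled = false` branch a few lines above it; the grant should at least be gated on `Configure::read('debug') > 0`, and preferably left to the application's own controllers rather than widened by the plugin on its own, since the action hands out the toolbar cache contents.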
on 06.11.09 reported by: lecterror owned by: mark_story
(works-for-me) on 06.11.09 by mark_story
  • owner was changed to mark_story
  • status was changed to closed
  • resolution was changed to works-for-me
No. I'm not opening security holes in your application. Do this yourself, Sorry.
on 06.11.09 by lecterror
I thought toolbar was inactive when debug == 0? How is this a security hole? What about this:
{{{
if (isset($this->Auth) && Configure::read('debug') > 0) {
    $this->Auth->allow('history_state');
}
}}}
It seems rather silly for every developer out there who will use DebugKit and Auth (everyone?) to add a special case in their app, when it can be solved in one place.
on 06.11.09 by mark_story
Well it opens a security hole in that you are providing free unrestricted access to the toolbar cache. So someone could easily obtain sensitive data about your application simply by asking for it. Also since you allow() the access in the initialize it doesn't matter that the toolbar is disabled, the access will still be granted. It is a bit better with the debug check. But I'm still very much opposed to the component allowing access to sensitive data without being expressly given permission.
on 06.11.09 by lecterror
I understand your point of view, however, you're assuming a few illogical things. For one, you're assuming someone would deploy their site on a production server _with_ DebugKit and _leave it that way_. Second, you assume debug level > 0 on a production server, since you also have
{{{
if (Configure::read('debug') == 0) {
    return $this->redirect($this->referer());
}
}}}
...in history_state(), effectively removing the need for the check in beforeFilter (but it obviously won't hurt if included). It is reasonable to assume that _with_ DebugKit deployed **and** debug switched on it _is_ a security risk. But if you have those two conditions, you have bigger problems than history panel being available, IMHO. Maybe a compromise would be to add this as a configuration setting...?
on 10.27.09 by ramavarsh
I had the same problem when integrating with auth/acl.
I tried to allow history_state through auth but it didn't help.
The way I overcame the problem (display debugkit) was by including the panels explicitly, excluding sql log panel:
{{{
var $components = array(
    'DebugKit.Toolbar' => array(
        'panels' => array('history', 'session', 'request', 'timer', 'log', 'variables')
    ),
    'Auth',
    'Acl'
);
}}}
It's not a solution but a work around, just thought it may help to debug the problem.
Thanks a lot for the debugkit.