Ajax widget in neos backend module

Is it possible to create an own fluid ajax widget for a neos backend module? I keep getting a #1258721059: The security context contained no tokens which could be authenticated. message for the URL ?action=<widgetname>&__widgetId=2 that was generated by f:widget.uri.

I’m logged in as TYPO3.Neos:Administrator in the backend. The privilege target for the WidgetController seems to match (Evaluated following 1 privilege target(s):"<PolicyTarget>": ABSTAIN).

If I give the privilege target to TYPO3.Flow:Everybody, everything works fine.

Hey Stefan,

could you post the relevant parts of your Policy.yaml and Settings.yaml files? If the Privilege Target says “ABSTAIN”, this means it could not be matched to the current request. It should say “GRANT” if everything works.

If you post the snippets, I am confident we’ll be able to help out :slight_smile:

Thanks a lot,
Sebastian

Policy.yaml:

privilegeTargets:

  'TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
<...>
    'My.Package:MyWidget':
      matcher: 'method(My\Package\ViewHelpers\Widget\Controller\MyWidgetController->(index|initialize|myWidget)Action())'
roles:
  'My.Package:MyPackage_Editor':
    privileges:
<...>
      -
        privilegeTarget: 'My.Package:MyWidget'
        permission: GRANT    
  'My.Package:MyPackage_Admin':
    parentRoles: ['My.Package:MyPackage_Editor']
    privileges:
<...>
  'TYPO3.Neos:Administrator':
    privileges:
<...>
      -
        privilegeTarget: 'My.Package:MyWidget'
        permission: GRANT

The current user has all three roles (TYPO3.Neos:Administrator, My.Package:MyPackage_Editor, My.Package:MyPackage_Admin).

The Settings.yaml of the package contains only package specific settings, the configuration for the submodule overview for TYPO3.Neos and some config concerning contentDimensions for TYPO3.CR.

This is the exception log file:

Uncaught exception #1258721059 in line 61 of /var/www/html/Neos/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/TYPO3_Flow_Security_Aspect_PolicyEnforcementAspect.php: The security context contained no tokens which could be authenticated.
Evaluated following 1 privilege target(s):
"My.Package:MyWidget": ABSTAIN
(0 granted, 0 denied, 1 abstained)

17 TYPO3\Flow\Security\Authorization\Interceptor\PolicyEnforcement_Original::invoke()
16 TYPO3\Flow\Security\Aspect\PolicyEnforcementAspect_Original::enforcePolicy(TYPO3\Flow\Aop\JoinPoint)
15 TYPO3\Flow\Aop\Advice\AroundAdvice::invoke(TYPO3\Flow\Aop\JoinPoint)
14 TYPO3\Flow\Aop\Advice\AdviceChain::proceed(TYPO3\Flow\Aop\JoinPoint)
13 My\Package\ViewHelpers\Widget\Controller\MyWidgetController::initializeAction()
12 TYPO3\Flow\Mvc\Controller\ActionController_Original::processRequest(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
11 TYPO3\Fluid\Core\Widget\AbstractWidgetController::processRequest(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
10 TYPO3\Flow\Mvc\Dispatcher_Original::initiateDispatchLoop(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
9 TYPO3\Flow\Mvc\Dispatcher_Original::dispatch(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
8 call_user_func_array(array|2|, array|2|)
7 TYPO3\Flow\Object\DependencyInjection\DependencyProxy::__call("dispatch", array|2|)
6 TYPO3\Flow\Object\DependencyInjection\DependencyProxy::dispatch(TYPO3\Flow\Mvc\ActionRequest, TYPO3\Flow\Http\Response)
5 TYPO3\Fluid\Core\Widget\AjaxWidgetComponent_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
4 TYPO3\Flow\Http\Component\ComponentChain_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
3 TYPO3\Flow\Http\Component\ComponentChain_Original::handle(TYPO3\Flow\Http\Component\ComponentContext)
2 TYPO3\Flow\Http\RequestHandler::handleRequest()
1 TYPO3\Flow\Core\Bootstrap::run()

HTTP REQUEST:
GET /neos/MyPackage/address/new?%40action=myWidget&__widgetId=0&term=asdf HTTP/1.1
Host: dev.neos:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://dev.neos:8080/neos/MyPackage/address/new
Connection: keep-alive



HTTP RESPONSE:
[response was empty]

If you need further information, please feel free to ask.

Stefan

I’ve done some further tests and injected the \TYPO3\Flow\Security\Context into the widget controller.

While $this->securityContext->getRoles() returns a sum of nine roles (including the TYPO3.Neos:Administrator and my package specific roles) in a normal \TYPO3\Flow\Mvc\Controller\ActionController, it contains only TYPO3.Flow:Everybody and TYPO3.Flow:Anonymous in the widget controller.

Looks like my backend user does not authenticate - even if the TYPO3_Flow_Session-cookie was sent with the request.

Do you have any ideas regarding this? Or suggestions for further tests?

Has anybody else managed to get an ajax viewhelper to work in a neos backend module?

The widget URI is handled by the AjaxWidgetComponent. The function $ajaxWidgetComponent->handle() sets the package key, the controller object name and the action name for the $actionRequest directly to My.Package, MyWidgetController and myWidget (the action name).

A standard request to a neos backend module (e.g. GET http://localhost/neos/MyPackage/topic) redirects to TYPO3\Neos\Controller\Backend\BackendController.

After some debugging, I believe that this leads to a problem at the ControllerObjectName request pattern. Compared to standard requests that match here to the Typo3BackendProvider token, requests to ajax widgets do not match. The reason for this behaviour is the regex for the controllerObjectNamePattern.

controllerObjectNamePattern = TYPO3\Neos\Controller\.*|TYPO3\Neos\Service\.*|TYPO3\Media\Controller\.*
matches
TYPO3\Neos\Controller\Backend\BackendController
but does not match
My\Package\ViewHelpers\Widget\Controller\MyWidgetController

This leads me back to my initial question: Are ajax widgets really supported in neos backend modules?
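
Added example (not part of the original posts and not Flow's own code): a simplified PHP model of the request-pattern check described above, run against the pattern and the two controller names quoted in the thread. The anchoring of the regex, the function names and the widened pattern are assumptions made for illustration; the widened pattern adds exactly one controller class rather than a wildcard, so the backend provider's token is not activated for unrelated controllers.

```php
<?php
// Added example: simplified model of the request-pattern check discussed above.
// It is not Flow's implementation; everything marked "assumed" is illustrative.

// Pattern and controller names as quoted in the thread.
const BACKEND_PATTERN = 'TYPO3\Neos\Controller\.*|TYPO3\Neos\Service\.*|TYPO3\Media\Controller\.*';
const BACKEND_CONTROLLER = 'TYPO3\Neos\Controller\Backend\BackendController';
const WIDGET_CONTROLLER = 'My\Package\ViewHelpers\Widget\Controller\MyWidgetController';

// Assumed: the configured value is used as an anchored regex in which
// backslashes are literal namespace separators.
function patternMatches(string $pattern, string $controllerObjectName): bool
{
    $regex = '/^(?:' . str_replace('\\', '\\\\', $pattern) . ')$/';
    return preg_match($regex, $controllerObjectName) === 1;
}

// Model of the behaviour observed in the thread: when the pattern does not
// match, the backend token is inactive, the request carries only the two
// anonymous roles, and a target granted to backend roles votes ABSTAIN.
function evaluate(string $pattern, string $controller, array $accountRoles, array $grantedTo): array
{
    $active = patternMatches($pattern, $controller);
    $roles = $active ? $accountRoles : ['TYPO3.Flow:Everybody', 'TYPO3.Flow:Anonymous'];
    $vote = array_intersect($roles, $grantedTo) ? 'GRANT' : 'ABSTAIN';
    return ['tokenActive' => $active, 'roles' => $roles, 'vote' => $vote];
}

// Roles of the logged-in user and roles granted 'My.Package:MyWidget' (from Policy.yaml above).
$accountRoles = ['TYPO3.Neos:Administrator', 'My.Package:MyPackage_Editor', 'My.Package:MyPackage_Admin'];
$grantedTo = ['TYPO3.Neos:Administrator', 'My.Package:MyPackage_Editor'];

// Hypothetical widened pattern: adds one fully qualified controller, no wildcard.
$widened = BACKEND_PATTERN . '|' . WIDGET_CONTROLLER;

foreach ([
    'backend module, quoted pattern' => [BACKEND_PATTERN, BACKEND_CONTROLLER],
    'ajax widget, quoted pattern' => [BACKEND_PATTERN, WIDGET_CONTROLLER],
    'ajax widget, widened pattern' => [$widened, WIDGET_CONTROLLER],
] as $label => [$pattern, $controller]) {
    $result = evaluate($pattern, $controller, $accountRoles, $grantedTo);
    printf("%-32s tokenActive=%-5s vote=%s\n", $label, var_export($result['tokenActive'], true), $result['vote']);
}
```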