Frontend Login: You are not allowed to perform this action

Hey guys,

I have done the Security story step-by-step: http://flowframework.readthedocs.io/en/stable/TheDefinitiveGuide/PartIII/Security.html

I can register an account. All works. Only the login will not work. In the logs I get the following:

    Exception #1216919280 in line 75 of /var/www/www2.landmarkt.at/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_RequestFilter.php: You are not allowed to perform this action.

In my database in the "neos_flow_security_account" table the "lastsuccessfulauthenticationdate" is correct, but after the "successful" login I get a blank page and the error above.

This is my Policy.yaml:

    privilegeTargets:
      Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
        'My.Website:LoginControllerActions':
          matcher: 'method(Neos\Flow\Security\Authentication\Controller\AbstractAuthenticationController->.*Action()) || method(My\Website\Controller\LoginController->.*Action())'
        'My.Website:BonusControllerActions':
          matcher: 'method(My\Website\Controller\BonusController->.*Action())'
        'My.Website:NewsControllerActions':
          matcher: 'method(My\Website\Controller\NewsController->.*Action())'

    roles:
      'Neos.Flow:Everybody':
        privileges:
          -
            privilegeTarget: 'My.Website:LoginControllerActions'
            permission: GRANT
          -
            privilegeTarget: 'My.Website:BonusControllerActions'
            permission: GRANT
          -
            privilegeTarget: 'My.Website:NewsControllerActions'
            permission: GRANT
      'My.Website:Customer':
        privileges: []

Hi,

Can you paste the part of the exception (`You are not allowed to perform this action …`) where it tells what controller and action it tries to access? The format looks something like this:

    routeValues => array (
       @package => Vendor.App
       @controller => Controller
       @action => action
       @format => html
    )

Hey, thank you for your answer. This is my exception:

    Exception #1216919280 in line 75 of /var/www/www2.My.at/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_RequestFilter.php: You are not allowed to perform this action.

    43 Neos\Flow\Security\Authorization\Interceptor\AccessDeny_Original::invoke()
    42 Neos\Flow\Security\Authorization\RequestFilter_Original::filterRequest(Neos\Flow\Mvc\ActionRequest)
    41 Neos\Flow\Security\Authorization\FilterFirewall_Original::blockIllegalRequests(Neos\Flow\Mvc\ActionRequest)
    40 Neos\Flow\Mvc\Dispatcher_Original::dispatch(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Http\Response)
    39 Neos\Neos\Fusion\PluginImplementation_Original::evaluate()
    38 Neos\Fusion\Core\Runtime_Original::evaluateObjectOrRetrieveFromCache(Neos\Neos\Fusion\PluginImplementation, "pageNeos.Neos:Page/bodyNeos.Fusion:Template/searchbox", array|12|, array|5|)
    37 Neos\Fusion\Core\Runtime_Original::evaluateInternal("pageNeos.Neos:Page/bodyNeos.Fusion:Template/searchbox", "NULL", Neos\Fusion\FusionObjects\TemplateImplementation)
    36 Neos\Fusion\Core\Runtime_Original::evaluate("pageNeos.Neos:Page/bodyNeos.Fusion:Template/searchbox", Neos\Fusion\FusionObjects\TemplateImplementation)
    35 Neos\Fusion\FusionObjects\Helpers\FusionPathProxy_Original::objectAccess()
    34 Neos\FluidAdaptor\Core\ViewHelper\TemplateVariableContainer::getByPath("searchbox", array|0|)
    33 Frontend_Node_action_show_f6494a54e9d53dbe689a4f20233a6e6387b410a2::{closure}()
    32 Frontend_Node_action_show_f6494a54e9d53dbe689a4f20233a6e6387b410a2::section_02083f4579e08a612425c0c1a17ee47add783b94(Neos\FluidAdaptor\Core\Rendering\RenderingContext)
    31 TYPO3Fluid\Fluid\View\AbstractTemplateView::renderSection("body", array|9|, FALSE)
    30 Neos\FluidAdaptor\View\AbstractTemplateView::renderSection("body")
    29 Neos\Fusion\FusionObjects\TemplateImplementation_Original::evaluate()
    28 Neos\Fusion\Core\Runtime_Original::evaluateObjectOrRetrieveFromCache(Neos\Fusion\FusionObjects\TemplateImplementation, "pageNeos.Neos:Page/body", array|13|, array|5|)
    27 Neos\Fusion\Core\Runtime_Original::evaluateInternal("pageNeos.Neos:Page/body", "NULL", Neos\Fusion\FusionObjects\ArrayImplementation)
    26 Neos\Fusion\Core\Runtime_Original::evaluate("pageNeos.Neos:Page/body", Neos\Fusion\FusionObjects\ArrayImplementation)
    25 Neos\Fusion\FusionObjects\AbstractFusionObject::fusionValue("body")
    24 Neos\Fusion\FusionObjects\ArrayImplementation_Original::evaluate()
    23 Neos\Fusion\Core\Runtime_Original::evaluateObjectOrRetrieveFromCache(Neos\Fusion\FusionObjects\ArrayImplementation, "page", array|21|, array|6|)
    22 Neos\Fusion\Core\Runtime_Original::evaluateInternal("page", "Exception")
    21 Neos\Fusion\Core\Runtime_Original::render("page")
    20 Neos\Fusion\FusionObjects\RendererImplementation_Original::evaluate()
    19 Neos\Fusion\FusionObjects\MatcherImplementation_Original::evaluate()
    18 Neos\Fusion\Core\Runtime_Original::evaluateObjectOrRetrieveFromCache(Neos\Fusion\FusionObjects\MatcherImplementation, "rootNeos.Fusion:Case/defaultNeos.Fusion:Matcher", array|4|, array|5|)
    17 Neos\Fusion\Core\Runtime_Original::evaluateInternal("rootNeos.Fusion:Case/defaultNeos.Fusion:Matcher", "Exception")
    16 Neos\Fusion\Core\Runtime_Original::render("rootNeos.Fusion:Case/defaultNeos.Fusion:Matcher")
    15 Neos\Fusion\FusionObjects\CaseImplementation_Original::renderMatcher("default")
    14 Neos\Fusion\FusionObjects\CaseImplementation_Original::evaluate()
    13 Neos\Fusion\Core\Runtime_Original::evaluateObjectOrRetrieveFromCache(Neos\Fusion\FusionObjects\CaseImplementation, "root", array|10|, array|6|)
    12 Neos\Fusion\Core\Runtime_Original::evaluateInternal("root", "Exception")
    11 Neos\Fusion\Core\Runtime_Original::render("root")
    10 Neos\Neos\View\FusionView_Original::render()
    9 Neos\Flow\Mvc\Controller\ActionController_Original::callActionMethod()
    8 Neos\Flow\Mvc\Controller\ActionController_Original::processRequest(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Http\Response)
    7 Neos\Flow\Mvc\Dispatcher_Original::initiateDispatchLoop(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Http\Response)
    6 Neos\Flow\Mvc\Dispatcher_Original::dispatch(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Http\Response)
    5 Neos\Flow\Mvc\DispatchComponent_Original::handle(Neos\Flow\Http\Component\ComponentContext)
    4 Neos\Flow\Http\Component\ComponentChain_Original::handle(Neos\Flow\Http\Component\ComponentContext)
    3 Neos\Flow\Http\Component\ComponentChain_Original::handle(Neos\Flow\Http\Component\ComponentContext)
    2 Neos\Flow\Http\RequestHandler::handleRequest()
    1 Neos\Flow\Core\Bootstrap::run()

    HTTP REQUEST:
    POST /login.html?--My_website-login%5B%40package%5D=My.website&--My_website-login%5B%40controller%5D=login&--My_website-login%5B%40action%5D=authenticate HTTP/1.1
    Content-Length: 1025
    Referer: http://www2.My.at/login.html
    Upgrade-Insecure-Requests: 1
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30
    Origin: http://www2.My.at
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: de-at
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Host: www2.My.at

    --My_website-login%5B__referrer%5D%5B%40package%5D=My.Website&--My_website-login%5B__referrer%5D%5B%40subpackage%5D=&--My_website-login%5B__referrer%5D%5B%40controller%5D=Login&--My_website-login%5B__referrer%5D%5B%40action%5D=index&--My_website-login%5B__referrer%5D%5Barguments%5D=YTowOnt9f006847e158ec9cbd139606143c8d673ce96714d&__referrer%5B%40package%5D=Neos.Neos&__referrer%5B%40subpackage%5D=&__referrer%5B%40controller%5D=Frontend%5CNode&__referrer%5B%40action%5D=show&__referrer%5Barguments%5D=YToxOntzOjQ6Im5vZGUiO3M6Mzg6Ii9zaXRlcy93ZWJzaXRlL25vZGUtNTg3ZGMzZGQzNDBkN0BsaXZlIjt92f6f3d72037adbe988a4e95f1c4736c9c6acb4ed&--My_website-login%5B__trustedProperties%5D=a%3A0%3A%7B%7D557cb6d640a55b362cbebea4d1609d31e4da56d0&__authentication%5BNeos%5D%5BFlow%5D%5BSecurity%5D%5BAuthentication%5D%5BToken%5D%5BUsernamePassword%5D%5Busername%5D=66427&__authentication%5BNeos%5D%5BFlow%5D%5BSecurity%5D%5BAuthentication%5D%5BToken%5D%5BUsernamePassword%5D%5Bpassword%5D=gcv03jk

    HTTP RESPONSE:
    [response was empty]

    PHP PROCESS:
    Inode: 168819
    PID: 5725
    UID: 1000
    GID: 33
    User: My

If I give a wrong password, the redirect works - "Wrong username and pw" flash message.

If you look inside Data/Logs/System_Development.log there should be a reference to a method (controller->action) that is trying to be called - can you see if you can find it? I can't see what method it actually says you are not allowed to perform.

Now it works. Thank you guys. I have only added a template for the authenticate action. For weeks it worked without the template.

Okay. Same error. Nothing changed. :frowning: I have no answer.

Hi @patriceckhart,

As @sorenmalling wrote, there should be more information on which action is blocked and which roles were authenticated in your system log.

From the exception trace it looks like the page/body/searchbox plugin triggers the access denied exception. Try disabling that plugin to see if it works and - if so - make sure that the searchbox actions are whitelisted in your Policy.
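What the suggested whitelisting would look like in the poster's own Policy.yaml style, as an added illustration that is not from the thread. The controller and action are the ones named in the System_Development.log excerpt posted later in the thread (ContentRepository\Search\Controller\StandardController::searchboxAction); the privilege target name is assumed.

```yaml
privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    # Target name is assumed; the matcher covers only the plugin action
    # that the shared log shows being dispatched during the login POST.
    'My.Website:SearchboxAction':
      matcher: 'method(ContentRepository\Search\Controller\StandardController->searchboxAction())'

roles:
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'My.Website:SearchboxAction'
        permission: GRANT
```

A MethodPrivilege grant only settles the policy side: the trace shows the exception coming from the firewall's RequestFilter via the AccessDeny interceptor, which is also how Flow's CSRF request pattern rejects a non-safe request without a token, so the system log entry preceding the exception is what tells the two cases apart.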

Ok. I see. The problem is my ContentRepository.Search Plugin. Hm. Thank you guys!


@sorenmalling asked me to re-open this thread:

I see that he uses a Flowpack (?) package, so I could expect others to run into the same issue.
And isn't it strange that the policy rule kicks in before the method has been called? And already upon resolving the route?

I'm not sure where the information comes from that this is a Flowpack package? But anyways, the policy is not enforced during routing but when Flow tries to execute an action (probably some indexAction of the SearchController in this example).

@patriceckhart Maybe you could quickly elaborate what it was in your case and whether the issue is solved for you!?

Hey Bastian!

The problem is unfortunately still not solved :frowning: If I disable the searchbox the login works. With the activated search box the login does not work. In the policy.yaml of the searchbox everything is whitelisted and the searchbox works fine, but not with my login.

@patriceckhart too bad. Can you please share the log entry (from Data/Logs/System(_Development).log)? At least that part that exactly tells you which method call was invoked and why.
It looks a little like this:

    17-04-28 15:13:30 76058      CRITICAL  Flow                 Exception #1222268609 in line 62 of Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Aspect_PolicyEnforcementAspect.php: Access denied for method
    Method: <The\Class>::<theMethod>()

    Evaluated following 1 privilege target(s):
    "<Some.Role>": ABSTAIN
    (0 granted, 0 denied, 1 abstained)

Hey Bastian!

Thank you for your answer…

These are the last entries:

    17-04-28 20:31:51 7604 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:31:55 18158 DEBUG Flow Router route(): Route "Neos.Neos :: Frontend :: Homepage" matched the path "".
    17-04-28 20:31:55 18158 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:31:56 18158 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:31:56 18158 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:32:02 24903 DEBUG Neos FrontendNodeRoutePartHandler matchValue(): No node found on request path "login.html"
    17-04-28 20:32:02 24903 DEBUG Flow Router route(): Route "Neos.Neos :: Frontend :: content with URI suffix" matched the path "login.html".
    17-04-28 20:32:02 24903 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:32:02 24903 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:32:02 24903 DEBUG Flow CSRF: No token required, safe request
    17-04-28 20:32:18 7604 DEBUG Neos FrontendNodeRoutePartHandler matchValue(): No node found on request path "login.html"
    17-04-28 20:32:18 7604 DEBUG Flow Router route(): Route "Neos.Neos :: Frontend :: content with URI suffix" matched the path "login.html".
    17-04-28 20:32:20 7604 INFO Flow Session: Started session with id eH3C5eWYk0UGgDC0vFPm8Si89VxjxWdx.
    17-04-28 20:32:20 7604 DEBUG Flow CSRF: No token required, method Neos\Neos\Controller\Frontend\NodeController::showAction() is tagged with a "skipcsrfprotection" annotation
    17-04-28 20:32:20 7604 DEBUG Flow CSRF: No token required, method mywebsite\Website\Controller\LoginController::authenticateAction() is tagged with a "skipcsrfprotection" annotation
    17-04-28 20:32:20 7604 DEBUG Flow CSRF: token was empty but a valid token is required for ContentRepository\Search\Controller\StandardController::searchboxAction()
    17-04-28 20:32:20 7604 CRITICAL Flow Exception #1216919280 in line 75 of /var/www/www2.mywebsite.at/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_RequestFilter.php: You are not allowed to perform this action. - See also: 201704282032189bb63d.txt

You might have the issue here - you seem to have annotated the method in your LoginController so that it doesn't generate a CSRF token, and that causes the next method to throw an authentication exception.

First things first: Why was that annotation added? Is there some functionality that didn’t work without it?
Second thing second: Try and remove the annotation and try it again :slight_smile:

Hm, I need "Neos\Flow\Annotations as Flow" for @Flow\Inject?

    use Neos\Flow\Annotations as Flow;

    /**
     * @var \Neos\Flow\Security\Authentication\AuthenticationManagerInterface
     * @Flow\Inject
     */
    protected $authenticationManager;

Yes you do :slight_smile:

So I need it. Stand on a hose :frowning:

The issue I refer to is that you have

@Flow\skipcsrfprotection on an action (you can find it in the log you posted). I asked why you need that annotation? Did you place it there?