Merge pull request #734 from Erwane/729-v3-authorization-fail

#729 v3 authorization fail

Author: markstory

composer.json

@@ -31,6 +31,7 @@
         "jdorn/sql-formatter": "^1.2.0"
     },
     "require-dev": {
+        "cakephp/authorization": "^1.3.2",
         "cakephp/cakephp-codesniffer": "^3.0",
         "phpunit/phpunit": "^5.7.14|^6.0"
     },

docs/en/index.rst

@@ -44,12 +44,14 @@ Configuration
     // Allow e.g. http://foo.bar.dev or http://my-shop.local domains locally
     Configure::write('DebugKit.safeTld', ['dev', 'local', 'example']);
 
-* ``DebugKit.forceEnable`` - Force DebugKit to display. Careful with this, it is usually 
+* ``DebugKit.forceEnable`` - Force DebugKit to display. Careful with this, it is usually
   safer to simply whitelist your local TLDs. Example usage::
 
     // Before loading DebugKit
     Configure::write('DebugKit.forceEnable', true);
 
+* ``DebugKit.ignoreAuthorization`` - Set to true to ignore Cake Authorization plugin for DebugKit requests. Disabled by default.
+
 Database Configuration
 ----------------------
 
@@ -77,7 +79,7 @@ connection in your **config/app.php** file. For example::
         //'init' => ['SET GLOBAL innodb_stats_on_metadata = 0'],
     ],
 
-You can safely remove the **tmp/debug_kit.sqlite** file at any point. 
+You can safely remove the **tmp/debug_kit.sqlite** file at any point.
 DebugKit will regenerate it when necessary.
 
 Toolbar Usage

docs/fr/index.rst

@@ -30,6 +30,11 @@ Ensuite, vous devez activer le plugin en exécutant la ligne suivante::
 
     bin/cake plugin load DebugKit
 
+Configuration
+=============
+
+* ``DebugKit.ignoreAuthorization`` - Définie à true pour ignorer le plugin Cake Authorization uniquement pour les requêtes DebugKit. Par défaut à false.
+
 Stockage de DebugKit
 ====================
 

src/Controller/ComposerController.php

@@ -13,10 +13,6 @@
  */
 namespace DebugKit\Controller;
 
-use Cake\Controller\Controller;
-use Cake\Core\Configure;
-use Cake\Event\Event;
-use Cake\Http\Exception\NotFoundException;
 use Cake\View\JsonView;
 use Composer\Console\Application;
 use Symfony\Component\Console\Input\ArrayInput;
@@ -25,9 +21,8 @@
 /**
  * Provides utility features need by the toolbar.
  */
-class ComposerController extends Controller
+class ComposerController extends DebugKitController
 {
-
     /**
      * {@inheritDoc}
      */
@@ -38,20 +33,6 @@ public function initialize()
         $this->viewBuilder()->setClassName(JsonView::class);
     }
 
-    /**
-     * Before filter handler.
-     *
-     * @param \Cake\Event\Event $event The event.
-     * @return void
-     * @throws \Cake\Http\Exception\NotFoundException
-     */
-    public function beforeFilter(Event $event)
-    {
-        if (!Configure::read('debug')) {
-            throw new NotFoundException();
-        }
-    }
-
     /**
      * Check outdated composer dependencies
      *

src/Controller/DashboardController.php

@@ -12,29 +12,22 @@
  */
 namespace DebugKit\Controller;
 
-use Cake\Controller\Controller;
-use Cake\Core\Configure;
 use Cake\Event\Event;
-use Cake\Http\Exception\NotFoundException;
 
 /**
  * Dashboard and common DebugKit backend.
  */
-class DashboardController extends Controller
+class DashboardController extends DebugKitController
 {
     /**
      * Before filter handler.
      *
      * @param \Cake\Event\Event $event The event.
      * @return void
-     * @throws \Cake\Http\Exception\NotFoundException
      */
     public function beforeFilter(Event $event)
     {
-        // TODO add config override.
-        if (!Configure::read('debug')) {
-            throw new NotFoundException('Not available without debug mode on.');
-        }
+        parent::beforeFilter($event);
 
         $this->viewBuilder()->setLayout('dashboard');
     }

src/Controller/DebugKitController.php

@@ -0,0 +1,54 @@
+<?php
+/**
+ * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
+ * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+ *
+ * Licensed under The MIT License
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+ * @link          http://cakephp.org CakePHP(tm) Project
+ * @license       http://www.opensource.org/licenses/mit-license.php MIT License
+ */
+namespace DebugKit\Controller;
+
+use Cake\Controller\Controller;
+use Cake\Core\Configure;
+use Cake\Event\Event;
+use Cake\Http\Exception\NotFoundException;
+use Cake\Log\Log;
+
+/**
+ * DebugKit Controller.
+ */
+class DebugKitController extends Controller
+{
+    /**
+     * Before filter handler.
+     *
+     * @param \Cake\Event\Event $event The event.
+     * @return void
+     * @throws \Cake\Http\Exception\NotFoundException
+     */
+    public function beforeFilter(Event $event)
+    {
+        if (!Configure::read('debug')) {
+            throw new NotFoundException('Not available without debug mode on.');
+        }
+
+        // If CakePHP Authorization\Authorization plugin is enabled,
+        // ignore it, only if `DebugKit.ignoreAuthorization` is set to true
+        $authorizationService = $this->getRequest()->getAttribute('authorization');
+        if ($authorizationService instanceof \Authorization\AuthorizationService) {
+            if (Configure::read('DebugKit.ignoreAuthorization')) {
+                $authorizationService->skipAuthorization();
+            } else {
+                Log::info(
+                    "Cake Authorization plugin is enabled. If you would like " .
+                    "to force DebugKit to ignore it, set `DebugKit.ignoreAuthorization` " .
+                    " Configure option to true."
+                );
+            }
+        }
+    }
+}

src/Controller/MailPreviewController.php

@@ -14,9 +14,7 @@
 namespace DebugKit\Controller;
 
 use Cake\Collection\CollectionInterface;
-use Cake\Controller\Controller;
 use Cake\Core\App;
-use Cake\Core\Configure;
 use Cake\Core\Plugin as CorePlugin;
 use Cake\Event\Event;
 use Cake\Http\Exception\NotFoundException;
@@ -33,22 +31,8 @@
  *
  * @property \DebugKit\Model\Table\PanelsTable $Panels
  */
-class MailPreviewController extends Controller
+class MailPreviewController extends DebugKitController
 {
-    /**
-     * Before filter callback.
-     *
-     * @param \Cake\Event\Event $event The beforeFilter event.
-     * @return void
-     * @throws \Cake\Http\Exception\NotFoundException
-     */
-    public function beforeFilter(Event $event)
-    {
-        if (!Configure::read('debug')) {
-            throw new NotFoundException();
-        }
-    }
-
     /**
      * Before render handler.
      *

src/Controller/PanelsController.php

@@ -12,8 +12,6 @@
  */
 namespace DebugKit\Controller;
 
-use Cake\Controller\Controller;
-use Cake\Core\Configure;
 use Cake\Event\Event;
 use Cake\Http\Exception\NotFoundException;
 
@@ -22,31 +20,15 @@
  *
  * @property \DebugKit\Model\Table\PanelsTable $Panels
  */
-class PanelsController extends Controller
+class PanelsController extends DebugKitController
 {
-
     /**
      * components
      *
      * @var array
      */
     public $components = ['RequestHandler', 'Cookie'];
 
-    /**
-     * Before filter handler.
-     *
-     * @param \Cake\Event\Event $event The event.
-     * @return void
-     * @throws \Cake\Http\Exception\NotFoundException
-     */
-    public function beforeFilter(Event $event)
-    {
-        // TODO add config override.
-        if (!Configure::read('debug')) {
-            throw new NotFoundException();
-        }
-    }
-
     /**
      * Before render handler.
      *

src/Controller/RequestsController.php

@@ -12,32 +12,24 @@
  */
 namespace DebugKit\Controller;
 
-use Cake\Controller\Controller;
-use Cake\Core\Configure;
 use Cake\Event\Event;
-use Cake\Http\Exception\NotFoundException;
 
 /**
  * Provides access to panel data.
  *
  * @property \DebugKit\Model\Table\RequestsTable $Requests
  */
-class RequestsController extends Controller
+class RequestsController extends DebugKitController
 {
-
     /**
      * Before filter handler.
      *
      * @param \Cake\Event\Event $event The event.
      * @return void
-     * @throws \Cake\Http\Exception\NotFoundException
      */
     public function beforeFilter(Event $event)
     {
-        // TODO add config override
-        if (!Configure::read('debug')) {
-            throw new NotFoundException();
-        }
+        parent::beforeFilter($event);
 
         $this->response = $this->response->withHeader('Content-Security-Policy', '');
     }

src/Controller/ToolbarController.php

@@ -13,17 +13,13 @@
 namespace DebugKit\Controller;
 
 use Cake\Cache\Cache;
-use Cake\Controller\Controller;
-use Cake\Core\Configure;
-use Cake\Event\Event;
 use Cake\Http\Exception\NotFoundException;
 
 /**
  * Provides utility features need by the toolbar.
  */
-class ToolbarController extends Controller
+class ToolbarController extends DebugKitController
 {
-
     /**
      * components
      *
@@ -38,21 +34,6 @@ class ToolbarController extends Controller
      */
     public $viewClass = 'Cake\View\JsonView';
 
-    /**
-     * Before filter handler.
-     *
-     * @param \Cake\Event\Event $event The event.
-     * @return void
-     * @throws \Cake\Http\Exception\NotFoundException
-     */
-    public function beforeFilter(Event $event)
-    {
-        // TODO add config override.
-        if (!Configure::read('debug')) {
-            throw new NotFoundException();
-        }
-    }
-
     /**
      * Clear a named cache.
      *