This repository has been archived by the owner on Jul 16, 2021. It is now read-only.

Secured Shop Admin Backend in Neos Documentation? #16

Open
lsascha opened this issue Mar 13, 2017 · 6 comments


lsascha commented Mar 13, 2017

Hello, first thank you for making it compatible with Neos 3.0 so quickly. :)

One thing I noticed, however, is that the Admin Backend is not secured by default, so we have to use the framework way to do this.

I got that working too now. Only one small thing I noticed is that the Simple Mode does not send the csrf_token for the graphs, so I think that's the reason I only see the spinners in the Dashboard and the XHR request shows "You are not allowed to perform this action." in the browser debugger, though I allowed the Jsonadm controller.

So far everything I tried from the Expert Mode works, and I saw the csrf_token sent there. So the Expert Mode works.

Also, unfortunately it is nowhere really documented how to secure the Shop Admin Backend for Neos. Maybe that could be documented?

My configuration for it is the following (not sure if that's the correct name pattern for the controllers; I will have to check whether the controllers accessible to everybody have any action that users should not be able to execute):

Settings.yaml

Neos:
  Flow:
    security:
      authentication:
        providers:
          # Reuse the Neos backend login for the shop admin controllers
          'Neos.Neos:Backend':
            requestPatterns:
              # Requests dispatched to any Aimeos admin controller must authenticate via this provider
              'MyShop:AdminControllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  controllerObjectNamePattern: 'Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm).*'

Policy.yaml

privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    # Every action of the public frontend controllers (catalog, basket, checkout, ...)
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'

    # Every action of the admin controllers
    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'

roles:
  # Shop administrators may use the frontend and the admin controllers
  'Aimeos.Shop:ShopAdmin':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT

  # Unauthenticated visitors get only the frontend controllers; 'MyShop:AdminActions'
  # is not granted here, and Flow denies matched methods that no role grants
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT

Sorry for the long text, and thanks for that nice shop system. ;)


aimeos commented Mar 14, 2017

Thanks for posting your configuration! :-)

The XHR requests made to the JSON admin API by the JQAdm interface are all GET requests. CSRF tokens are only useful for HTTP verbs like DELETE, PATCH, POST and PUT. If you can adapt your configuration this way, we will update our documentation.


lsascha commented Mar 14, 2017

Hi, no problem.

The JQAdm Interface itself works, only the Graphs in the Dashboard do not show up.

And according to my browser debugger this is an OPTIONS request.
(screenshot: aimeos-jqadm)


aimeos commented Mar 14, 2017

You are right: first an OPTIONS, then a GET request. OPTIONS requests are also non-modifying, so a CSRF token shouldn't be added there either.
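The rule the two comments above describe (a CSRF token is demanded only for state-changing verbs, never for the OPTIONS preflight or the GET that follows it) as an added, stand-alone example. This is not code from the Aimeos or Neos projects and does not reproduce Flow's real CSRF interceptor; the function names, the `__csrfToken` argument name, the `x-csrf-token` header name and the sample requests are assumptions constructed for illustration. The `enforceOnSafeMethods` flag models a guard that checks every method, which is the failure mode a dashboard that only issues preflights and GETs would run into:

```javascript
// Added example, not project code. Minimal model of a CSRF guard that enforces
// tokens only on state-changing HTTP methods, beside a "strict" variant that
// demands a token on every method and therefore rejects OPTIONS and GET.

// Methods treated as safe (RFC 7231 section 4.2.1). Exempting them is only
// sound if the handlers behind them really have no side effects.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Assumed names: the token may arrive as a request argument or as a header.
const TOKEN_ARGUMENT = '__csrfToken';
const TOKEN_HEADER = 'x-csrf-token';

// Constant-time comparison so a mismatch does not leak how many leading
// characters were right; tokens have a fixed length, so the length check is fine.
function tokensMatch(expected, supplied) {
  if (typeof supplied !== 'string' || supplied.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// request: { method, headers: { lowercased-name: value }, args: { name: value } }
// sessionToken: the per-session token the server issued to the logged-in user.
// enforceOnSafeMethods: true models a misconfigured guard that checks every method.
function csrfGuard(request, sessionToken, enforceOnSafeMethods = false) {
  const method = request.method.toUpperCase();
  if (!enforceOnSafeMethods && SAFE_METHODS.has(method)) {
    return { allowed: true, reason: 'safe method ' + method + ', token not required' };
  }
  let supplied = request.args[TOKEN_ARGUMENT];
  if (supplied === undefined) supplied = request.headers[TOKEN_HEADER];
  if (supplied === undefined) {
    return { allowed: false, reason: 'You are not allowed to perform this action. (no CSRF token)' };
  }
  if (!tokensMatch(sessionToken, supplied)) {
    return { allowed: false, reason: 'You are not allowed to perform this action. (CSRF token mismatch)' };
  }
  return { allowed: true, reason: 'CSRF token valid' };
}

// Constructed sample traffic resembling the thread: the dashboard widget sends a
// preflight and a GET without any token, while saves carry (or forge) the token.
const SESSION_TOKEN = 'constructed-session-token-0123456789abcdef';

const SAMPLE_REQUESTS = [
  { name: 'preflight', method: 'OPTIONS', headers: { origin: 'https://shop.example' }, args: {} },
  { name: 'dashboard-graph', method: 'GET', headers: {}, args: { resource: 'order' } },
  { name: 'save-without-token', method: 'POST', headers: {}, args: { resource: 'order' } },
  { name: 'save-with-header', method: 'POST', headers: { [TOKEN_HEADER]: SESSION_TOKEN }, args: {} },
  { name: 'save-with-argument', method: 'POST', headers: {}, args: { [TOKEN_ARGUMENT]: SESSION_TOKEN } },
  { name: 'save-forged-token', method: 'POST', headers: { [TOKEN_HEADER]: 'attacker-guess' }, args: {} },
];

// Returns { requestName: allowed } for every sample request under one guard policy.
function evaluateAll(enforceOnSafeMethods = false) {
  const results = {};
  for (const req of SAMPLE_REQUESTS) {
    results[req.name] = csrfGuard(req, SESSION_TOKEN, enforceOnSafeMethods).allowed;
  }
  return results;
}

console.log('correct guard:', evaluateAll(false));
console.log('strict guard :', evaluateAll(true));
```

Two caveats the thread leaves implicit: a CORS preflight is sent by the browser itself, without cookies or application-set headers, so a guard that insists on a token for OPTIONS can never be satisfied and has to exempt it; and exempting GET is only safe while no GET action changes state, which is worth checking for the controllers granted to `Neos.Flow:Everybody` above.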


aimeos commented Mar 31, 2017

@lsascha Did you find out how to configure Flow to allow OPTIONS requests without CSRF token?


lsascha commented Apr 11, 2017

Sorry for the late reply. No, I haven't yet found a solution for it and haven't found anything in the documentation for it yet. :/


aimeos commented Apr 12, 2017

Did you ask in the Neos forum if somebody knows an answer?

@aimeos aimeos self-assigned this Apr 16, 2017