
Comments (13)

fritzmg commented on June 30, 2024

I have added a Services reference article in 89850dd, which includes the TokenChecker service, as well as the security.helper service from Symfony. The descriptions are rather minimal at the moment. If the security components require their own fully fledged article, we can still add one under Framework, in addition to the reference.

from docs.

ameotoko commented on June 30, 2024

The $tokenChecker->isPreviewMode() method, described there, only returns true if you are in preview mode AND have "show unpublished" enabled. So you can't rely upon it if you just want to check whether you are in preview mode.

fritzmg commented on June 30, 2024

The method isn't really described in 89850dd (if that is what you mean). It is just mentioned that it is available. The description within the code says the following:

> Tells whether the front end preview can show unpublished fragments.

ameotoko commented on June 30, 2024

> Tells whether the front end preview can show unpublished fragments.

Yes, but 89850dd and Toflar's post give an impression that this is the method used to check whether or not we are in FE preview mode - which is not correct.

Toflar commented on June 30, 2024

/cc @aschempp

aschempp commented on June 30, 2024

There might be some confusion. Preview mode historically means being logged in to the back end and enabling show unpublished. It is not a representation of whether one is visiting the front end through preview.php.

Regarding the services:

  • ScopeMatcher is related to routing, it tells which scope the current route is on. Because firewalls listen to scopes, it (most likely) also tells which firewall is active. But it does not tell about authentication and authorization.
  • TokenChecker can perform some checks on the firewall token, even if the requested firewall might not be active (e.g. check the back end firewall in the front end). It only checks authentication (user is logged in) but not authorization (what permissions are available).
  • SecurityHelper handles authentication (getUser) and authorization (isGranted) on the current firewall.

There is no way to check authorizations across firewalls, e.g. check if a back end user is allowed to access tl_page from the front end.

ameotoko commented on June 30, 2024

I want to make it clear - I don't have any questions regarding the method itself (although its name is a bit misleading). This is only about the docs. The docs say there's a service to check whether the token for the preview mode is present, which is not exactly what that service does.

fritzmg commented on June 30, 2024

@ameotoko That's what @aschempp is saying. The preview mode is not the same as the preview script. And the front end preview token is only available if you enabled show unpublished. If you are using the default preview.php, but without having show unpublished enabled, the FrontendPreviewToken will not be present.

ameotoko commented on June 30, 2024

Well, I just tested it, and it's not true.
https://github.com/contao/core-bundle/blob/master/src/Security/Authentication/Token/TokenChecker.php#L142

        return $token instanceof FrontendPreviewToken && $token->showUnpublished();

$token is an instance of FrontendPreviewToken every time you access FE through preview.php, regardless of show unpublished setting.

fritzmg commented on June 30, 2024

Interesting, in my case it was always null. Anyways, we can change the wording:

-It allows you to check, whether a token for a front end user, back end user or the preview mode is present.
+It allows you to check whether a token for a front end user or back end user is present or whether the preview mode is enabled within the front end preview token.
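
Review bot: the "+" line still says "the preview mode" without stating what that means, and the discussion around this patch shows readers take the term to mean either the show unpublished setting or access through preview.php. Suggest naming the setting directly, for example "or whether show unpublished is enabled in the front end preview token", and adding a comma before "or whether" so the two alternatives are easier to tell apart.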

Btw. you can quickly make pull requests yourself by clicking on the edit this page link in the top right corner of the docs ;)

ameotoko commented on June 30, 2024

So, the Preview mode is meant to be this show unpublished setting? I always thought Preview mode is the mode accessed through preview.php, which can do two independent things:

  • preview unpublished changes
  • impersonate frontend user

> Btw. you can quickly make pull requests yourself simply by clicking on the edit this page link in the top right corner of the docs ;)

If I had known this thread would grow so long, I would have just done a PR instead :)

fritzmg commented on June 30, 2024

> So, the Preview mode is meant to be this show unpublished setting?

Yes, see aschempp's comment:

> Preview mode historically means being logged in to the back end and enabling show unpublished.

--

> I always thought Preview mode is the mode accessed through preview.php, which can do two independent things:

The FrontendPreviewToken can impersonate back end users, which is used by the BackendPreviewController (/contao/preview route), which enforces that it is accessed through the configured preview entry point.

aschempp commented on June 30, 2024

The FrontendPreviewToken is set if you click on the "show in frontend" link in the backend. If you manually enter the preview.php URL, the token will not be set. (as far as I know)

from docs.
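
The distinction the thread keeps returning to, as an added example that is not part of any comment and not Contao's own code: it contrasts the expression quoted from TokenChecker.php with a check that only asks whether a preview token exists, and shows what each would expose if a token can be present while show unpublished is off. The `FrontendPreviewToken` class here is a minimal stand-in, and `hasPreviewToken`, `visibleTitles` and the sample fragments are hypothetical names and constructed data.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for Contao's FrontendPreviewToken (assumption: only the
// showUnpublished() method quoted in the thread is modelled).
final class FrontendPreviewToken
{
    public function __construct(private bool $showUnpublished) {}
    public function showUnpublished(): bool { return $this->showUnpublished; }
}

// Same expression as the TokenChecker line quoted in the thread.
function isPreviewMode(?object $token): bool
{
    return $token instanceof FrontendPreviewToken && $token->showUnpublished();
}

// Hypothetical weaker check: "a preview token exists", ignoring the setting.
function hasPreviewToken(?object $token): bool
{
    return $token instanceof FrontendPreviewToken;
}

// Titles a visitor may see; $gate decides whether unpublished fragments are included.
function visibleTitles(array $fragments, ?object $token, callable $gate): array
{
    $allowed = array_filter(
        $fragments,
        static fn (array $f): bool => $f['published'] || $gate($token)
    );
    return array_column($allowed, 'title');
}

// Constructed sample data.
$fragments = [
    ['title' => 'Imprint', 'published' => true],
    ['title' => 'Draft price list', 'published' => false],
];
$tokens = [
    'no token' => null,
    'preview token, show unpublished off' => new FrontendPreviewToken(false),
    'preview token, show unpublished on' => new FrontendPreviewToken(true),
];

foreach ($tokens as $label => $token) {
    printf("%-38s isPreviewMode: %-28s token only: %s\n", $label,
        implode(', ', visibleTitles($fragments, $token, 'isPreviewMode')),
        implode(', ', visibleTitles($fragments, $token, 'hasPreviewToken')));
}
```

Only the middle case differs between the two gates, which is why code that guards unpublished content should call the documented check rather than test for the token class.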
