ContentBox [4.2.1+737] - Struggling with whitelist

I have a custom module within the Contentbox admin. One of the events I need to fire is:
http://[site]/cbadmin/module/madmin/search/quickRebuild
Dumping the prc, the CurrentRoutedURL value is “madmin/search/quickRebuild/”

I need to set this event up as a scheduled task, but that means I need to NOT get the cbadmin login screen. I have tried a variety of things and none of them have worked. My latest is:
[screenshot of the security rule, not reproduced]

I have that order set to -100 just to get it to the top. (Can’t figure out what impact dragging the security rules up and down has; it doesn’t change that “Firing Order Index”.)

I have also tried this:
[screenshot of the second attempt, not reproduced]

…but that doesn’t work either. The wiki page for Security Rules is blank, so no help there.

Can anyone tell me how to structure this properly so that I can hit this URL (or event, whichever) without getting a login screen?

Anyone have any help on this one? I’m a bit stuck until I can get through this hiccup.

cc/ @lmajano @gpickin

Pardon my ignorance, but ContentBox 4 uses cbSecurity, right? I just wanted to confirm that out of the gate, as I confess I’m not a ContentBox expert.

Here’s what I would try:

  1. Since you said “the CurrentRoutedURL value is madmin/search/quickRebuild/”, try setting that as the whitelist value. (i.e. remove the cbadmin/module part, since I don’t think it’s relevant. Remember, you’re whitelisting the route URL… not the filesystem path. :slight_smile: )
  2. Paste your entire cbsecurity rule config into this thread. The screenshot could be covering up some goofy mistake that we all make from time to time - like an extra space where there shouldn’t be one.
  3. If 1 or 2 does not work, try adding some logbox config to your Coldbox.cfc to enable cbSecurity’s debug logging

something like this:

logBox = {
    // Define Appenders
    appenders = {
        // ConsoleAppender writes to the server console, which `box server log --follow` tails
        cfappender = {
            class = "coldbox.system.logging.appenders.ConsoleAppender"
        }
    },
    // Send debug-level messages from cbSecurity's interceptors to all appenders
    debug = [ "modules.cbsecurity.interceptors" ],
    // Root Logger: everything else only at ERROR and above
    root = { levelmax = "ERROR", appenders = "*" }
};

Then reinit the application and run box server log --follow. If that "modules.cbsecurity.interceptors" module path is right, you should see debug messages from cbSecurity for every route.

Okay, I’m no logbox expert, clearly. Spent most of the day struggling with it, finally gave up and just slapped some writeLog() commands into the cbsecurity interceptor.

First, I modified the very first rule, and it’s the only one that contains my whitelist value. (Note: above you suggested putting in madmin/search/quickRebuild, but all of the ContentBox built-in rules are event-based, so I’m guessing that wouldn’t work.)

So, after everything’s up and running, log cleared, and I attempt to hit my handler, my new logging entries show this (I was just trying to compare the whitelisting operation); only the relevant entries:

“MANUAL LOG: ‘contentbox-admin:modules.execute’ NOT found in whitelist: .*madmin.search.quickRebuild$”
“User did not validate security for secured match target=contentbox-admin:modules.execute. Rule: {MESSAGE={}, ISDELETED={false}, MESSAGETYPE={Info}, MATCH={event}, PERMISSIONS={MODULES_ADMIN}, RULEID={1}, ORDER={1}, CREATEDDATE={2021-02-18 20:53:24.0}, WHITELIST={.*madmin.search.quickRebuild$}, SECURELIST={^contentbox-admin:modules\..*}, USESSL={false}, MODIFIEDDATE={2021-04-01 13:50:05.0}, ROLES={}, REDIRECT={cbadmin/security/login}}”
“MANUAL LOG: ‘contentbox-security:security.login’ NOT found in whitelist: .*madmin.search.quickRebuild$”

Obviously, my URL (or event) doesn’t seem to matter. The comparison is using contentbox-admin:modules.execute as a base to compare to.

Here is the JSON (exported via UI) of that rule: (as graphic to avoid comment UI issues)

In the end, it looks to me like it won’t matter WHAT I put in that whitelist field. But that first rule kicks in and is what’s sending me to the login. I have no idea how to resolve this.

(Added some slashes to get the * to show up in the JSON at the top.) The commenting UI isn’t great for JSON. :slight_smile:

(Also, tried to attach the entire rules export, but .json isn’t in the allowed extensions, which appear to be primarily graphics formats.)

You’re probably right about the event-based (not URL-based) security rules. :+1:

For pasting JSON config, try wrapping it in triple-backticks (```), like:

[
    {
        "whitelist": "login",
        "securelist": ".+",
        "match": "url",
        "roles": "User",
        "permissions": "myApp:Login",
        "redirect": "login",
        "useSSL": true
    }
]

Here’s everything:

[
	{
		"securelist": "^contentbox-admin:modules\\..*",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "MODULES_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "April, 01 2021 13:50:05 -0600",
		"whitelist": ".*madmin.search.quickRebuild$",
		"ruleID": 1,
		"useSSL": false,
		"order": 1
	},
	{
		"securelist": "^contentbox-admin:mediamanager\\..*",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "MEDIAMANAGER_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 2,
		"useSSL": false,
		"order": 1
	},
	{
		"securelist": "^contentbox-admin:versions\\.(remove)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "VERSIONS_DELETE",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 3,
		"useSSL": false,
		"order": 1
	},
	{
		"securelist": "^contentbox-admin:versions\\.(rollback)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "VERSIONS_ROLLBACK",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 4,
		"useSSL": false,
		"order": 1
	},
	{
		"securelist": "^contentbox-admin:widgets\\.(remove|upload|edit|save|create|doCreate)$",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "WIDGET_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 5,
		"useSSL": false,
		"order": 2
	},
	{
		"securelist": "^contentbox-admin:tools\\.(importer|doImport)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "TOOLS_IMPORT",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 6,
		"useSSL": false,
		"order": 3
	},
	{
		"securelist": "^contentbox-admin:(settings|permissions|roles|securityRules)\\..*",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "SYSTEM_TAB",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 7,
		"useSSL": false,
		"order": 4
	},
	{
		"securelist": "^contentbox-admin:settings\\.save",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "SYSTEM_SAVE_CONFIGURATION",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 8,
		"useSSL": false,
		"order": 5
	},
	{
		"securelist": "^contentbox-admin:settings\\.(raw|saveRaw|flushCache|flushSingletons|mappingDump|viewCached|remove)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "SYSTEM_RAW_SETTINGS",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 9,
		"useSSL": false,
		"order": 6
	},
	{
		"securelist": "^contentbox-admin:securityRules\\.(remove|save|changeOrder|apply)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "SECURITYRULES_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 10,
		"useSSL": false,
		"order": 7
	},
	{
		"securelist": "^contentbox-admin:roles\\.(remove|removePermission|save|savePermission)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "ROLES_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 11,
		"useSSL": false,
		"order": 8
	},
	{
		"securelist": "^contentbox-admin:permissions\\.(remove|save)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "PERMISSIONS_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 12,
		"useSSL": false,
		"order": 9
	},
	{
		"securelist": "^contentbox-admin:dashboard\\.reload",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "RELOAD_MODULES",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 13,
		"useSSL": false,
		"order": 10
	},
	{
		"securelist": "^contentbox-admin:pages\\.(changeOrder|remove)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "PAGES_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 14,
		"useSSL": false,
		"order": 11
	},
	{
		"securelist": "^contentbox-admin:themes\\.(remove|upload|rebuildRegistry|activate)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "THEME_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 15,
		"useSSL": false,
		"order": 12
	},
	{
		"securelist": "^contentbox-admin:entries\\.(quickPost|remove)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "ENTRIES_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 16,
		"useSSL": false,
		"order": 13
	},
	{
		"securelist": "^contentbox-admin:contentStore\\.(editor|remove|save)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "CONTENTSTORE_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 17,
		"useSSL": false,
		"order": 14
	},
	{
		"securelist": "^contentbox-admin:comments\\.(doStatusUpdate|editor|moderate|remove|save|saveSettings)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "COMMENTS_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 18,
		"useSSL": false,
		"order": 15
	},
	{
		"securelist": "^contentbox-admin:categories\\.(remove|save)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "CATEGORIES_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 19,
		"useSSL": false,
		"order": 16
	},
	{
		"securelist": "^contentbox-admin:authors\\.(remove|removePermission|savePermission|doPasswordReset|new|doNew)",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "AUTHOR_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 20,
		"useSSL": false,
		"order": 17
	},
	{
		"securelist": "^contentbox-admin:.*",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "CONTENTBOX_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "March, 30 2021 10:44:43 -0600",
		"whitelist": "^contentbox-admin:security\\.",
		"ruleID": 21,
		"useSSL": false,
		"order": 18
	},
	{
		"securelist": "^contentbox-filebrowser:.*",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "MEDIAMANAGER_ADMIN",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 22,
		"useSSL": false,
		"order": 19
	},
	{
		"securelist": "^contentbox-admin:(authors|categories|permissions|roles|settings|pages|entries|contentStore|securityrules)\\.importAll$",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "TOOLS_IMPORT",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 23,
		"useSSL": false,
		"order": 20
	},
	{
		"securelist": "^contentbox-admin:(authors|categories|permissions|roles|settings|pages|entries|contentStore|securityrules)\\.(export|exportAll)$",
		"redirect": "cbadmin/security/login",
		"createdDate": "February, 18 2021 20:53:24 -0700",
		"isDeleted": false,
		"permissions": "TOOLS_EXPORT",
		"roles": "",
		"match": "event",
		"modifiedDate": "February, 18 2021 20:53:24 -0700",
		"whitelist": "",
		"ruleID": 24,
		"useSSL": false,
		"order": 20
	}
]
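To make the log lines above reproducible, here is an added model (Python, not cbSecurity’s own CFML, and not code from anyone in this thread) of how the Security interceptor walks these rules: each comma-separated whitelist/securelist entry is treated as a case-insensitive regex that only has to be found in the match target (the way reFindNoCase works), a whitelist hit skips the rule, a securelist hit demands one of the rule’s permissions, and it is assumed for the model that the first rule whose securelist matches decides the outcome. The match target for an event rule is the ColdBox event and for a url rule the routed URL string exactly as dumped in the first post, trailing slash included. Rules 1 and 21 are copied from the export; the other rules never match these targets and are left out.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """One cbSecurity rule, with the field names used in the JSON export above."""
    ruleID: int
    securelist: str
    whitelist: str = ""
    match: str = "event"       # "event" compares the ColdBox event, "url" the routed URL
    permissions: str = ""      # comma list; holding any one of them satisfies the rule
    redirect: str = "cbadmin/security/login"


def in_pattern(target: str, pattern_list: str) -> bool:
    """Model of cbSecurity's isInPattern(): every comma-separated entry is a
    case-insensitive regex that only has to be *found* in the target (like
    reFindNoCase), so a pattern meant to match the whole target needs ^ and $."""
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        if pattern and re.search(pattern, target, re.IGNORECASE):
            return True
    return False


def evaluate(rules, event: str, routed_url: str, user_permissions=()):
    """Walk the rules in firing order: whitelist hit -> rule skipped;
    securelist hit -> user must hold one of the rule's permissions or the
    request is denied with that rule's redirect; no hit -> next rule.
    Model assumption: the first rule whose securelist matches decides.
    Returns (allowed, deciding ruleID or None, trace lines)."""
    held = {p.strip().lower() for p in user_permissions}
    trace = []
    for rule in rules:
        target = event if rule.match.lower() == "event" else routed_url
        if in_pattern(target, rule.whitelist):
            trace.append(f"rule {rule.ruleID}: '{target}' found in whitelist: {rule.whitelist}")
            continue
        if not in_pattern(target, rule.securelist):
            trace.append(f"rule {rule.ruleID}: '{target}' did not match securelist: {rule.securelist}")
            continue
        needed = {p.strip().lower() for p in rule.permissions.split(",") if p.strip()}
        if not needed or held & needed:
            trace.append(f"rule {rule.ruleID}: user validated security for secured match target={target}")
            return True, rule.ruleID, trace
        trace.append(f"rule {rule.ruleID}: user did not validate security for secured match "
                     f"target={target}, redirect -> {rule.redirect}")
        return False, rule.ruleID, trace
    trace.append("no rule secured the target")
    return True, None, trace


# Rules 1 and 21 copied from the export in this thread.
RULE_1 = Rule(1, r"^contentbox-admin:modules\..*", r".*madmin.search.quickRebuild$",
              "event", "MODULES_ADMIN")
RULE_21 = Rule(21, r"^contentbox-admin:.*", r"^contentbox-admin:security\.",
               "event", "CONTENTBOX_ADMIN")
RULES = [RULE_1, RULE_21]

# What the admin entry point hands to the interceptor for the request in the
# first post: the event is the admin proxy handler, the routed URL is the module route.
EVENT = "contentbox-admin:modules.execute"
ROUTED_URL = "madmin/search/quickRebuild/"


def anonymous_request():
    """The scheduled task's request: no session, no permissions."""
    return evaluate(RULES, EVENT, ROUTED_URL)


def url_rule_variant(whitelist: str):
    """Hypothetical url-matching rule (securelist ^madmin/ is made up for the demo)
    so the effect of a $ anchor against the trailing slash of the routed URL is visible."""
    rule = Rule(1, r"^madmin/", whitelist, "url", "MODULES_ADMIN")
    return evaluate([rule], EVENT, ROUTED_URL)


if __name__ == "__main__":
    cases = [
        ("anonymous, event rules as exported", anonymous_request()),
        ("url match, whitelist ending in $", url_rule_variant(r".*madmin.search.quickRebuild$")),
        ("url match, whitelist tolerating the slash", url_rule_variant(r"^madmin/search/quickRebuild/?$")),
    ]
    for label, (allowed, rule_id, trace) in cases:
        print(f"{label}: allowed={allowed}, decided by rule {rule_id}")
        for line in trace:
            print("   ", line)
```

The first case reproduces the log: the whitelist is compared against contentbox-admin:modules.execute, never against the module route, so rule 1 secures the request and the anonymous scheduled task is sent to the login redirect. The url cases show a second trap worth checking before blaming the rule engine: the exported whitelist ends in `$`, and the routed URL carries a trailing slash, so even a url-matching rule with that exact pattern would not whitelist it. Passing the rule is not the whole story, as the replies further down explain, since the admin proxy handler itself requires a logged-in user.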

I see what you’re saying about the cbadmin modules.execute event. The cbadmin/module/madmin/search/quickRebuild route is being proxied through cbadmin/module/execute, which means this probably cannot be solved by any cbSecurity rule I can think of. Probably more of a ContentBox question after all. Sorry. :confused:

For utility tasks like that, you may want to put it in a separate module that does not need to go through ContentBox. Or perhaps write an onRequestCapture interceptor which logs in a dummy “Utility” user so cbSecurity recognizes the current event/user as authenticated?

Please don’t take the above :point_up: as ContentBox advice, because I’m really not an expert. It’s just an idea or two. :slight_smile:

Oh - and I guess this is not a cbSecurity issue in the end, but there are a bunch of cbSecurity videos on CFCasts which may help you “clue it in” a bit.

Definitely a tricky proposition. Maybe one of the Ortus guys will chime in on how you can whitelist an event that is inside a Contentbox module.

Thanks for your help, Michael.


The issue is that you are executing a cbadmin module event. Meaning that you MUST be logged in in order to execute it. Even if you whitelist it, the admin module is the one that executes the module for you since you are passing it via the admin entry point. This is by design, so that any module executing within the context of ContentBox will be secure by default.

With that said, if you want to avoid that, then you will need to setup an entry point on your module, and add appropriate routes, so it can be discoverable via the normal ColdBox routing and execute it via the normal ColdBox module route.

Yeah, as to the entry point, I was struggling with that, too. I set it up to /madmin, but … it doesn’t work at [site.com]/madmin, that’s for certain. That entry point only works as a handler path once in the admin. So I had to set up an interceptor to even build links. As in [site.com]/cbadmin/module/madmin/home

The interceptor, I’m doing this:

		prc.madmin.rootLink = '/cbadmin/module/madmin';  // for links
		prc.madmin.rootSource = '/modules/contentbox/modules_user/madmin';   // for other stuffs

Then I can build links off them. This doesn’t work:

		href="/cbadmin:madmin/home"  (or madmin.home)

The errors, though, are those ASP.NET-style error pages (via IIS), so the colon might be throwing it off. But I couldn’t find any functions that would give me what I needed.

Anyway, I see your point, @lmajano , about “all of cbadmin” requiring a login, that makes sense. Truth is, with the “Contentbox take over everything mode” (that I quit trying to fight), I ended up deleting all my root views and handlers. I simply didn’t need them, nor would they even work.

The truth is, for what I need, if I completely eliminated my services, etc., I could just throw it into a straight CFM file. What I did today, though, instead of trying to fight the security, was tie into the ContentBox interception points to fire the reindexing of my Lucene collection:

Hopefully this will reduce the need for the scheduled task. And I threaded it to reduce the delay in saving pages in the CB UI.

Still, even with the “flaws” I’m coming across, Contentbox is awesome. And you KNOW I love Coldbox. (Except for “interfaces”, bwah ha ha. Inside joke for future readers.) You and your team have done awesome stuff, man.


Come to think of it, you can also create a module that is outside of ContentBox so you manage it. This way, you have full control of it just like a normal ColdBox module; even in take-over mode it will work. However, I will investigate further how to allow this in ContentBox 5.

@lmajano I’ll probably do what you suggested for using a module outside of Contentbox. I have one already, and it’s search-stuff-related, so it’s a good fit. Not sure why I didn’t think about it before.