Example of a Flow policy that respects method parameters
# Concrete assignments from roles to privileges can happen in your global /Configuration/Policy.yaml file
#
# Only the two "Access*" privilege targets are granted here. The
# 'Some.Package:ProductService.Denylist' target is deliberately granted to no
# role, so the public ProductService methods it matches stay unreachable unless
# one of the narrower targets is granted (assumes Flow denies a method that is
# matched by a privilege target but granted to no role — confirm in the Flow docs).
roles:
  # Administrators may read any product, regardless of ownership.
  'Some.Distribution:Administrator':
    privileges:
      - privilegeTarget: 'Some.Package:AccessAnyProduct'
        permission: GRANT
  # Regular users may only read products they own; the matcher compares the
  # requested id with current.productContext.ownedProductIds.
  'Some.Distribution:User':
    privileges:
      - privilegeTarget: 'Some.Package:AccessOwnedProducts'
        permission: GRANT
<?php | |
declare(strict_types=1); | |
namespace Some\Package\Security; | |
use Neos\Cache\CacheAwareInterface; | |
use Neos\Flow\Annotations as Flow; | |
use Neos\Flow\Security\Context as SecurityContext; | |
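/**
 * Exposes the product ids owned by the currently authenticated account so that
 * policy matchers can reference them through the "productContext" global object
 * (registered under Neos.Flow.aop.globalObjects in Settings.yaml).
 *
 * Implements CacheAwareInterface so that cached privilege decisions are keyed on
 * the set of products the current account is allowed to see.
 *
 * @Flow\Scope("singleton")
 */
final class AuthenticationContext implements CacheAwareInterface
{
    private SecurityContext $securityContext;

    // Declared explicitly: the original only assigned it in the constructor,
    // which creates a dynamic property (deprecated since PHP 8.2).
    // NOTE(review): ProductRepository and UserId are not imported in this
    // namespace — presumably they live in Some\Package; verify the use statements.
    private ProductRepository $productRepository;

    public function __construct(SecurityContext $securityContext, ProductRepository $productRepository)
    {
        $this->securityContext = $securityContext;
        $this->productRepository = $productRepository;
    }

    /**
     * Ids of the products owned by the currently authenticated account.
     *
     * This is the property the policy matcher reads as
     * `current.productContext.ownedProductIds`; Flow presumably resolves that
     * path through this getter — verify against the Flow property-path rules.
     *
     * @return array product ids as returned by the repository; empty when no
     *               account is authenticated
     */
    public function getOwnedProductIds(): array
    {
        // TODO: consider using runtime caches — this queries the repository on
        // every policy evaluation and on every getCacheEntryIdentifier() call
        $account = $this->securityContext->getAccount();
        if ($account === null) {
            // Unauthenticated request: owns nothing, so the "owned" privilege can never match
            return [];
        }
        return $this->productRepository->fetchProductIdsByUser(UserId::fromAccount($account));
    }

    /**
     * Alias retained for callers using the original name; the policy in
     * Policy.yaml references "ownedProductIds", so prefer getOwnedProductIds().
     *
     * @return array see getOwnedProductIds()
     */
    public function getOwnedProjectIds(): array
    {
        return $this->getOwnedProductIds();
    }

    /**
     * Cache identifier derived from the owned product set.
     *
     * @throws \JsonException if the id list cannot be encoded; previously a
     *                        failed json_encode() returned false and sha1()
     *                        would have raised a TypeError under strict_types
     */
    public function getCacheEntryIdentifier(): string
    {
        return sha1(json_encode($this->getOwnedProductIds(), JSON_THROW_ON_ERROR));
    }
}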
privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    # Denylist for the public ProductService methods (disallow all public methods by default)
    # This will lead to an ABSTAIN by default and no policy should change that!
    # Every public method except the constructor is matched; because no role is
    # granted this target, a method is only reachable through one of the more
    # specific targets below.
    'Some.Package:ProductService.Denylist':
      matcher: 'within(Some\Package\ProductService) && method(public .*->(?!__construct).*())'
    # Access details of a product owned and assigned to any user (relevant for administrators)
    # No argument constraint: once granted, any product id is permitted.
    'Some.Package:AccessAnyProduct':
      matcher: 'method(Some\Package\ProductService->getProductById())'
    # Access details of products owned by the authenticated user
    # The "id" argument is checked against ownedProductIds of the 'productContext'
    # global object (registered in Settings.yaml under Neos.Flow.aop.globalObjects).
    # That object must expose the property, presumably via a getOwnedProductIds()
    # getter — verify the method name against the class.
    'Some.Package:AccessOwnedProducts':
      matcher: 'method(Some\Package\ProductService->getProductById(id in current.productContext.ownedProductIds))'
# Registers the AuthenticationContext as an AOP "global object" so that policy
# matchers can reference it as current.productContext (see Policy.yaml).
Neos:
  Flow:
    aop:
      globalObjects:
        'productContext': 'Some\Package\Security\AuthenticationContext'