[FLOW3-general] Security for persisted objects

Peter Beernink p.beernink at drecomm.nl
Fri Aug 26 22:31:35 CEST 2011


Hi list,

I was just trying to implement some security on persisted objects, in 
order to find objects belonging to the currently logged-in user.
So I tried to build a configuration according to the example displayed 
in [1], which unfortunately is not yet finished, but I was not able to 
get it working correctly.

In my Settings.yaml I currently have the following:

resources:
   methods:
...
   entities:
     My_Package_Domain_Model_Category:
       My_Package_MyCategories: this.owner == current.party
roles:
   RegistredUser: []
acls:
   RegistredUser:
     methods:
...
     entities:
       My_Package_MyCategories: GRANT

I've also tried to leave the entities part in the acl section out and 
change GRANT to DENY to see if that made any difference (and flushed the 
cache before each try).

I did some digging in the code and I found out that in the 
\TYPO3\FLOW3\Security\Aspect\PersistenceQueryRewritingAspect::rewriteQomQuery() 
a check is performed whether or not the securityContext is initialized. 
At that point the securityContext is not yet initialized, as the 
function returns there.

But as I'm logged in (the controller in which I'm testing this is only 
available when logged in) I would expect to have a securityContext.

Is this a misconfiguration somewhere on my side, or is there a bug in 
the security part?

Greets,

Peter

---
[1] http://flow3.typo3.org/fileadmin/manual/nightly/TheDefinitiveGuide/PartIII/Security.html#security-for-persisted-objects
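The entity constraint and ACL from the Settings.yaml above, modelled as a small query-rewriting filter. This is an added example, not FLOW3's code, and it assumes its own semantics: a resource's constraint selects the entities it covers, and an entity is visible only if one of the context's roles holds GRANT on a covering resource and none holds DENY. It also shows the difference between the early return the post describes (an uninitialised security context leaves the query unfiltered) and a fail-closed rewriter.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Category:
    name: str
    owner: str            # party that owns the entity
@dataclass
class SecurityContext:
    party: Optional[str]  # None models "security context not initialised"
    roles: tuple = ()

# Only the constraint shape used in the Settings.yaml above is supported.
CONSTRAINT = re.compile(r"^this\.(\w+)\s*==\s*current\.(\w+)$")

def compile_constraint(expr):
    """Turn 'this.owner == current.party' into predicate(entity, ctx)."""
    m = CONSTRAINT.match(expr.strip())
    if not m:
        raise ValueError("unsupported constraint: %s" % expr)
    field, attr = m.groups()
    return lambda ent, ctx: getattr(ent, field) == getattr(ctx, attr)

def rewrite_query(entities, resources, acls, ctx, fail_closed=True):
    """Filter a result set the way a query-rewriting aspect would:
    visible = some role has GRANT on a covering resource and none has DENY."""
    if ctx is None or ctx.party is None:
        # The post describes the aspect returning early here, which leaves
        # the query unfiltered; a fail-closed rewriter returns nothing.
        return [] if fail_closed else list(entities)
    covers = {name: compile_constraint(e) for name, e in resources.items()}
    visible = []
    for ent in entities:
        decisions = {acls.get(role, {}).get(res) for role in ctx.roles
                     for res, pred in covers.items() if pred(ent, ctx)}
        if "GRANT" in decisions and "DENY" not in decisions:
            visible.append(ent)
    return visible

# Constructed sample data mirroring the poster's configuration.
RESOURCES = {"My_Package_MyCategories": "this.owner == current.party"}
ACLS = {"RegistredUser": {"My_Package_MyCategories": "GRANT"}}
CATEGORIES = [Category("mine", "alice"), Category("theirs", "bob")]

def demo():
    alice = SecurityContext(party="alice", roles=("RegistredUser",))
    nobody = SecurityContext(party=None)
    names = lambda ents: [c.name for c in ents]
    return (names(rewrite_query(CATEGORIES, RESOURCES, ACLS, alice)),
            names(rewrite_query(CATEGORIES, RESOURCES, ACLS, nobody)),
            names(rewrite_query(CATEGORIES, RESOURCES, ACLS, nobody, False)))
```

With a logged-in owner only that owner's categories come back; with an uninitialised context the fail-closed variant returns nothing, while the fail-open variant returns every category, which is the behaviour worth checking for when the aspect returns early.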

