[FLOW3-general] Object Security
Bernhard Fischer
bernhard at fischli.org
Tue Nov 8 23:13:22 CET 2011
Hi Pankaj,
thanks for your advice! This could be, in addition to my existing
solution, the right way to deny unauthorized access as a last resort.
I'll give it a try.
On 11/08/2011 10:41 PM, Pankaj Lele wrote:
> Hello Bernhard,
>
> You can go with the thread [1] which was discussed last week already
> about this matter.
>
> [1] http://lists.typo3.org/pipermail/flow3-general/2011-November/001450.html
>
>
>> Hi everybody,
>>
>> I'm not sure how to implement ACLs on an object level. I do have
>> structured data (like a tree) and I want to restrict access only to
>> objects with matching owner properties. At the moment I'm using user
>> constrained queries to the repositories. Working this way I don't have
>> to care about the rendering process inside the view, because the user
>> will only get data he is allowed to see.
>>
>> So far, so good. But that's kind of security by obscurity.
>>
>> Anyone out there with another approach?
>>
>> BTW: I have to do a
>> $this->authenticationManager->getSecurityContext()->clearContext()
>> to completely log out the current user
>> $this->authenticationManager->logout()
>> is not enough because otherwise
>> $this->authenticationManager->getSecurityContext()->getAccount()->getAccountIdentifier()
>>
>> still returns the last useridentifier which I'm using for my queries?!?
>> Maybe I should implement it in a different way?
>>
>> I'm grateful for any hint
>> Bernhard
>>
>
>
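
As an added example, not part of the original thread and not FLOW3's own API: plain PHP (8.1+) showing the owner-constrained query discussed above backed by a deny-by-default ownership check on every load by identifier. All class and method names are hypothetical, and the account value is assumed to be null once the user has logged out.

```php
<?php
// Hypothetical names throughout; plain PHP, not the FLOW3 security framework.
final class AccessDenied extends RuntimeException {}

final class Node {
    public function __construct(
        public readonly string $id,
        public readonly string $owner,
    ) {}
}

final class GuardedNodeRepository {
    /** @var array<string, Node> */
    private array $nodes = [];

    public function add(Node $node): void { $this->nodes[$node->id] = $node; }

    // Convenience filter: the owner-constrained query that feeds list views.
    public function findByOwner(?string $account): array {
        if ($account === null) { return []; }   // no account, no data
        return array_values(array_filter(
            $this->nodes, fn(Node $n) => $n->owner === $account));
    }

    // Enforcement: every load by identifier is checked, so knowing or
    // guessing an id does not bypass the filtered listing.
    public function getForAccount(string $id, ?string $account): Node {
        $node = $this->nodes[$id] ?? null;
        // Same error for "missing" and "not yours", so ids cannot be probed.
        if ($account === null || $node === null || $node->owner !== $account) {
            throw new AccessDenied('Access denied');
        }
        return $node;
    }
}

// Constructed sample data.
$repo = new GuardedNodeRepository();
$repo->add(new Node('n1', 'alice'));
$repo->add(new Node('n2', 'alice'));
$repo->add(new Node('n3', 'bob'));

echo count($repo->findByOwner('alice')), "\n";
echo $repo->getForAccount('n2', 'alice')->id, "\n";
foreach ([['n3', 'alice'], ['n1', null]] as [$id, $account]) {
    try { $repo->getForAccount($id, $account); }
    catch (AccessDenied $e) { echo "denied: $id\n"; }
}
```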