[FLOW3-general] Object Security
Ferdinand Kuhl
fcool at coolys.de
Wed Nov 9 14:36:07 CET 2011
Hi Bernhard,
try it as documented (though the documentation is a bit small there).
While working with Policy.yaml (and entity restrictions), some tips:
Keep in mind that rules like

    this.owner == current.securityContext.party

will be denied. What you probably want will be:

    \Model\YourEntity:
      ForeignEntities: this.owner != current.securityContext.party

All Roles without an explicit GRANT-Rule in their ACL-Section will be
denied all entities which match the above rule (so just their own
ones).
Additionally I hit some bugs with content security. Fine if it works
for you. If not, you'll find patches for this problem at:
https://review.typo3.org/#change,6596
Greetz,
Ferdinand
Bernhard Fischer wrote:
> Hi Pankaj,
>
> thanks for your advice! This could be, in addition to my existing
> solution, the right way to deny unauthorized access as a last resort.
> I'll give it a try.
>
> On 11/08/2011 10:41 PM, Pankaj Lele wrote:
>> Hello Bernhard,
>>
>> You can go with the thread [1] which was discussed last week already
>> about these matters.
>>
>> [1] http://lists.typo3.org/pipermail/flow3-general/2011-November/001450.html
>>
>>
>>> Hi everybody,
>>>
>>> I'm not sure how to implement ACLs on an object level. I do have
>>> structured data (like a tree) and I want to restrict access only to
>>> objects with matching owner properties. At the moment I'm using user
>>> constrained queries to the repositories. Working this way I don't have
>>> to care about the rendering process inside the view, because the user
>>> will only get data he is allowed to see.
>>>
>>> So far, so good. But that's kind of security by obscurity.
>>>
>>> Anyone out there with another approach?
>>>
>>> BTW: I have to do a
>>>
>>>     $this->authenticationManager->getSecurityContext()->clearContext()
>>>
>>> to completely log out the current user;
>>>
>>>     $this->authenticationManager->logout()
>>>
>>> is not enough, because otherwise
>>>
>>>     $this->authenticationManager->getSecurityContext()->getAccount()->getAccountIdentifier()
>>>
>>> still returns the last user identifier which I'm using for my queries?!?
>>> Maybe I should implement it in a different way?
>>>
>>> I'm grateful for any hint
>>> Bernhard
>>>