[FLOW3-general] Object Security
Bernhard Fischer
bernhard at fischli.org
Wed Nov 9 15:06:17 CET 2011
Hi Ferdinand,
after digging through PersistenceQueryRewritingAspect I already got it. I
would call "a bit small" a big understatement ;-)
Missing explicit rules caused me some trouble.
Thanks for the hint
Bernhard
On 11/09/2011 02:36 PM, Ferdinand Kuhl wrote:
> Hi Bernhard,
>
> try it like documented (so the documentation is a bit small there).
> While working with Policy.yaml (and entity - restrictions) some tips:
> Keep in mind that rules like
> this.owner == current.securityContext.party
>
> will be denied. What you probably want will be:
> \Model\YourEntity:
> ForeignEntities: this.owner != current.securityContext.party
>
> All Roles without explicit GRANT-Rule in their ACL-Section will be
> denied all entities which match the above rule (so just their own
> ones).
>
> Additionally I hit some bugs with content security. Fine, if it works
> for you. If not, you'll find patches for this problem at:
> https://review.typo3.org/#change,6596
>
> Greetz,
> Ferdinand
>
> Bernhard Fischer wrote:
>
>> Hi Pankaj,
>>
>> thanks for your advice! This could be, in addition to my existing
>> solution, the right way to deny unauthorized access as a last resort.
>> I'll give it a try.
>>
>> On 11/08/2011 10:41 PM, Pankaj Lele wrote:
>>> Hello Bernhard,
>>>
>>> You can go with the thread [1] which was discussed last week already
>>> about these matters.
>>>
>>> [1] http://lists.typo3.org/pipermail/flow3-general/2011-November/001450.html
>>>
>>>
>>>> Hi everybody,
>>>>
>>>> I'm not sure how to implement ACLs on an object level. I do have
>>>> structured data (like a tree) and I want to restrict access only to
>>>> objects with matching owner properties. At the moment I'm using user
>>>> constrained queries to the repositories. Working this way I don't have
>>>> to care about the rendering process inside the view, because the user
>>>> will only get data he is allowed to see.
>>>>
>>>> So far, so good. But that's kind of security by obscurity.
>>>>
>>>> Anyone out there with another approach?
>>>>
>>>> BTW: I have to do a
>>>> $this->authenticationManager->getSecurityContext()->clearContext()
>>>> to completely logout the current user
>>>> $this->authenticationManager->logout()
>>>> is not enough because otherwise
>>>> $this->authenticationManager->getSecurityContext()->getAccount()->getAccountIdentifier()
>>>>
>>>> still returns the last user identifier which I'm using for my queries?!?
>>>> Maybe I should implement it in a different way?
>>>>
>>>> I'm grateful for any hint
>>>> Bernhard
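The Policy.yaml shape Ferdinand describes above (an entity resource with the inverted `!=` rule, and a role that gets an explicit GRANT in its ACL section while every other role is denied the matching entities), written out as an added illustration. This is not configuration from the thread or from the FLOW3 distribution: the class name `\Model\YourEntity` and the rule are taken from Ferdinand's reply, while the role names `Administrator` and `Editor` and the exact top-level key layout (`resources`/`entities`, `acls`/`entities`) are assumptions about the FLOW3 1.0 policy format that should be checked against the documentation of the version in use.

```yaml
# Added example, not from the thread. The key layout is an assumption
# about the FLOW3 1.0 Policy.yaml format; the rule itself is Ferdinand's.
resources:
  entities:
    # Resource matching every entity that is NOT owned by the current party.
    # Note the "!=": a rule written as "this.owner == current.securityContext.party"
    # would deny a role its own entities instead of the foreign ones.
    \Model\YourEntity:
      ForeignEntities: 'this.owner != current.securityContext.party'

acls:
  # A role with an explicit GRANT for the resource may read foreign entities.
  Administrator:
    entities:
      ForeignEntities: GRANT
  # A role without a GRANT for ForeignEntities (listed or not) is denied them,
  # so Editor only ever receives entities whose owner is the current party.
  Editor:
    entities: {}
```

With a policy like this the restriction is enforced by the query rewriting aspect Bernhard mentions, so a repository query issued while the Editor role is active only returns the role's own entities, independent of the rendering code in the view; a quick check is to log in with each role and compare the result counts of the same repository method.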