[FLOW3-general] Feedback on using the security framework with resources

François Suter fsu-lists at cobweb.ch
Wed Aug 29 10:03:04 CEST 2012


Hi all,

I experimented using the security framework with resources and have 
found it to be a really unsettling experience. The logic feels totally 
reversed, in particular when compared to applying a policy to methods.

Here's a description of my use case:

I'm trying to implement access-right control to a given model (named 
Cobweb\Monitoring\Domain\Model\Event).

The application has 3 roles: Administrator, Group1 and Group2.

I have added two boolean fields to the model for managing access called 
"visibleGroup1" and "visibleGroup2".

What I aim for for the roles:

- Administrators should see all objects
- Group1 should only see objects for which "visibleGroup1" is TRUE
- same for Group2 with "visibleGroup2"

My first try was the following:

resources:
   methods:
     (snip)
   entities:
     Cobweb_Monitoring_Domain_Model_Event:
       Cobweb_Monitoring_Events_All: 'ANY'
       Cobweb_Monitoring_Events_Group1: 'this.visibleGroup1 == TRUE'
       Cobweb_Monitoring_Events_Group2: 'this.visibleGroup2 == TRUE'
roles:
   Administrator: []
   Group1: []
   Group2: []
acls:
   Administrator:
     methods:
       (snip)
     entities:
       Cobweb_Monitoring_Events_All: GRANT
   Group1:
     methods:
       (snip)
     entities:
       Cobweb_Monitoring_Events_Group1: GRANT
   Group2:
     methods:
       (snip)
     entities:
       Cobweb_Monitoring_Events_Group2: GRANT

That seemed pretty logical: grant access to everything to admins, and 
restrict for groups according to the relevant flags. This did not work 
out at all. The two group conditions were always negated and applied. 
Using ABSTAIN did not help, as it has the same effect as DENY (which is 
rather unexpected IMO).

After digesting the (apparently) reversed logic, I finally came up with 
the following solution:

resources:
   methods:
     (snip)
   entities:
     Cobweb_Monitoring_Domain_Model_Event:
       Cobweb_Monitoring_Events_NotGroup1: 'this.visibleGroup1 == FALSE'
       Cobweb_Monitoring_Events_NotGroup2: 'this.visibleGroup2 == FALSE'
roles:
   Administrator: []
   Group1: []
   Group2: []
acls:
   Administrator:
     methods:
       (snip)
     entities:
       Cobweb_Monitoring_Events_NotGroup1: GRANT
       Cobweb_Monitoring_Events_NotGroup2: GRANT
   Group1:
     methods:
       (snip)
     entities:
       Cobweb_Monitoring_Events_NotGroup2: GRANT
   Group2:
     methods:
       (snip)
     entities:
       Cobweb_Monitoring_Events_NotGroup1: GRANT

Since GRANTed conditions are ignored, they are all ignored for admins, 
who can see everything => fine.
For Group1, the rule for Group2 is GRANTed and thus ignored. The rule 
for Group1 is not mentioned and thus negated. But since it was a negated 
rule to start with, it ends up being equivalent to "this.visibleGroup1 
== TRUE" and thus gives me what I want.

I may have misunderstood the logic behind all this, but it feels really 
unsettling as it is now. I would really expect to be able to define 
rules as in my first policy example. Having to think in double negations 
is not very helpful. Or did I completely miss the point?

Cheers

-- 

Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
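
Added example, not part of the original post and not FLOW3 code: a small Python model of the behaviour the message describes (a GRANTed entity resource is ignored, every other resource defined for the entity is negated and applied as a filter), run against both policies. The resource names are shortened from Cobweb_Monitoring_Events_*, the sample events and the helper visible_ids are constructed for illustration, and treating 'ANY' as a condition that matches every entity is an assumption.

```python
# Simplified model of the entity-resource behaviour described in the post:
# a resource GRANTed to the role is ignored; every other resource defined
# for the entity has its condition negated and applied as a filter.
# Not FLOW3 code; names are shortened and the events are constructed.

FIRST_POLICY = {
    "resources": {
        "Events_All": lambda e: True,  # assumption: 'ANY' matches every entity
        "Events_Group1": lambda e: e["visibleGroup1"],
        "Events_Group2": lambda e: e["visibleGroup2"],
    },
    "acls": {
        "Administrator": {"Events_All"},
        "Group1": {"Events_Group1"},
        "Group2": {"Events_Group2"},
    },
}

SECOND_POLICY = {
    "resources": {
        "Events_NotGroup1": lambda e: not e["visibleGroup1"],
        "Events_NotGroup2": lambda e: not e["visibleGroup2"],
    },
    "acls": {
        "Administrator": {"Events_NotGroup1", "Events_NotGroup2"},
        "Group1": {"Events_NotGroup2"},
        "Group2": {"Events_NotGroup1"},
    },
}

# Constructed sample events covering all four flag combinations.
EVENTS = [
    {"id": i, "visibleGroup1": g1, "visibleGroup2": g2}
    for i, (g1, g2) in enumerate(
        [(False, False), (True, False), (False, True), (True, True)], start=1)
]

def visible_ids(policy, role, events=EVENTS):
    """Return ids of events the role can see under the modelled semantics."""
    granted = policy["acls"].get(role, set())
    applied = [cond for name, cond in policy["resources"].items()
               if name not in granted]  # non-granted resources become filters
    return [e["id"] for e in events if not any(cond(e) for cond in applied)]

if __name__ == "__main__":
    for label, policy in (("first", FIRST_POLICY), ("second", SECOND_POLICY)):
        for role in policy["acls"]:
            print(label, role, visible_ids(policy, role))
```

Under this model the first policy leaves Administrator with only the event where both flags are FALSE and the two groups with nothing, while the second policy gives each role exactly the set the post aims for.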

