[FLOW3-general] Roles question
"Christian Müller (Kitsunet)"
christian.mueller at typo3.org
Fri Jan 20 09:40:58 CET 2012
Hi,
if you neither DENY nor ALLOW the result will be denial, so with that in
mind it shouldn't be a problem to add a "Authenticated" role to all
accounts and allow it whatever should be allowed for any authenticated
users but not for everybody.
Thus non authenticated visitors should be denied as nothing was
specified for them.
Christian
On 20/01/12 05:10, Zachary Davis wrote:
> I spent some time reviewing how FLOW3 handles ACLs today. I can see that
> FLOW3 considers all users as belonging to the "everybody" role. However,
> that role doesn't seem to be very useful, since if I deny Everybody
> anything, then, well, everybody will be denied access ;)
>
> Is there an easy way, then, to add all users who are _not_ authenticated
> to a default role? It's not uncommon, for example, to have a controller
> class that should only be accessible to authenticated users. If FLOW3
> assigned users to a "nobody" role (which is different from an everybody
> group), I could write policy based on that instead of checking for
> authentication in my controllers.
>
> Or, am I missing something?
>
> Zach
More information about the FLOW3-general
mailing list