[Flow] Content Restriction for Accounts

Christian Loock chl at vkf-renzel.de
Thu Aug 29 08:38:12 CEST 2013


Hi,

did you check your Data/Logs/Security_Development.log for any hints?

Greetings,

Christian

On 29.08.2013 08:36, Christian Essl wrote:
> Hi,
>
> Thanks for the answer. The bad formatting of my yaml-configuration is because I posted my question via forum.typo3.org. It looks like some of the line breaks were stripped off when it was sent via email.
>
> I now tried flushing the cache and using doctrine:update right after I changed the policies, but with no effect. The rule I am using is:
>
> --------------------------------
>    entities:
>      'TYPO3\Flow\Security\Account':
>        TYPO3_Flow_Account_Admin: 'ANY'
>        TYPO3_Flow_Account_Me: 'current.securityContext.account == this && this != NULL'
>
> # TYPO3_Flow_Account_Admin => used by Administrator
> # TYPO3_Flow_Account_Me => used by Editor
> --------------------------------
>
> Because I am testing against the 'TYPO3\Flow\Security\Account' model, "this" should give me back an account object, right? So normally this rule should be correct?
>
> -----Original Message-----
> From: flow-bounces at lists.typo3.org [mailto:flow-bounces at lists.typo3.org] On Behalf Of Bjoern Haverland
> Sent: Wednesday, 28 August 2013 20:16
> To: TYPO3 Flow mailing list
> Subject: Re: [Flow] Content Restriction for Accounts
>
> And take care of the format of your yaml files.
>
> This is wrong:
>
> -----------------------------------------------------------------------------------------------
>
> resources:
>    entities:
>      TYPO3\Flow\Security\Account:
>        TYPO3_Flow_Account_Admin: 'ANY'
>        TYPO3_Flow_Account_Me: 'current.securityContext.account == this'
> roles:
>    SimpleUser: []  Editor: [SimpleUser]  Administrator: [Editor]   acls:
>    Editor:    entities:
>        TYPO3_Flow_Account_Me: GRANT
>    Administrator:
>      entities:
>        TYPO3_Flow_Account_Admin: GRANT
> -----------------------------------------------------------------------------------------------
>
>
> It should look like this:
>
> -----------------------------------------------------------------------------------------------
>
> roles:
>     SimpleUser: []
>     Editor: [SimpleUser]
>     Administrator: [Editor]
>
> resources:
>     entities:
>       '\TYPO3\Flow\Security\Account':
>         TYPO3_Flow_Account_Admin: 'ANY'
>         TYPO3_Flow_Account_Me: 'current.securityContext.account == this'
>
> acls:
>     Editor:
>       entities:
>         TYPO3_Flow_Account_Me: GRANT
>     Administrator:
>       entities:
>         TYPO3_Flow_Account_Admin: GRANT
> -----------------------------------------------------------------------------------------------
>
>
> Quickstart Guide:
>
> If you are not familiar with the YAML format yet, there are two things you should know at least:
>
>    * Indentation has a meaning: by different levels of indentation, a
>      structure is defined.
>    * Spaces, not tabs: you must indent with exactly 2 spaces per level,
>      don't use tabs.
>
>
>
> Best regards
>
> Björn
>
> On 28.08.2013 19:57, Bjoern Haverland wrote:
>> Hi Christian,
>>
>> for me it works as expected.
>>
>> Is this one rule?
>>
>> 'this.title == "Foo"', 'this.hidden == TRUE', 'TRUE == TRUE"'
>>
>> Then I think you should use && or ||  and so on for the logic.
>>
>> Maybe you should clear your caches and do a doctrine:update.
>> I also have had a problem with this because my changes haven't been
>> used without clearing the cache. After this and a doctrine:update the
>> typo3_flow_security_policy_role table was filled with my roles => my
>> rules are working.
>>
>> Best regards
>>
>> Björn
>>
>>
>>
>> On 28.08.2013 14:52, Christian Eßl wrote:
>>> I tested around with other models and it looks like in TYPO3 Flow 2.0
>>> content security doesn't work at all. At least not as it is described
>>> in the docs:
>>> http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartIII/Security.html#content-security
>>>
>>>
>>> As soon as I write a rule like 'this.title == "Foo"', 'this.hidden ==
>>> TRUE', 'TRUE == TRUE"' and add it to a role in my acl, I just get empty
>>> lists with this role, even though there are objects that accomplish
>>> these rules. It doesn't even matter what I write in the rules.
>>>
>>> Can anyone confirm this? Then what is the suggested way to do content
>>> security in TYPO3 Flow 2.0?
>>> _______________________________________________
>>> Flow mailing list
>>> Flow at lists.typo3.org
>>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
>>>


