[Flow] Entity Security: Pers. Query Rewriting vs. checkAccessAfterFetchingAnObjectByIdentifier

Adrian Föder adrian at foeder.de
Wed Apr 2 11:29:56 CEST 2014


oh boy, I found it out... in short: I didn't have a getter on the 
respective entity to return the Tenant...

Here's my bug report:

http://forge.typo3.org/issues/57541

-adrian

On 31.03.2014 11:31, Adrian Föder wrote:
> Morning everyone,
>
> especially Andi probably ;)
>
>
> I have the situation where I aspect'ed my Security Context to have a
> getTenant method which, you guessed it, returns the current "Tenant" the
> logged in user "belongs" to.
>
> Additionally, I have [an] Entity which again has a `tenant` property
> (field).
>
> You guess again: I wanna only show the entities where the tenant matches.
>
> So for now, I have:
>
>    entities:
>      'Acme\Bar\Domain\Model\Food':
>        ForTenant: 'current.securityContext.tenant != this.tenant'
>
> When displaying these Foods in a list for example, the result is as
> expected, the appropriate SQL looks like
>
> SELECT [...] FROM acme_bar_domain_model_food p0_ WHERE NOT (NOT
> (p0_.tenant = ?))
>
> The double negation makes the result be the intended one: only those
> where the `tenant` field matches the current Tenant.
>
> On the other hand, when visiting the "showAction(Food $food)",
> \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkAccessAfterFetchingAnObjectByIdentifier
> kicks in and denies the access: it looks at
> 'current.securityContext.tenant != this.tenant' and returns FALSE (of
> course :-/) because the current Tenant IS, and SHOULD BE, the entity's
> tenant.
>
> Why is that different, what am I doing wrong and what should I do
> please? :)
>
>
> Thanks and best!
>
> Adrian
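
Added example, not part of the original thread and not Flow's own code: a simplified PHP model of the two enforcement paths discussed above, usable as a regression check that the list query and the fetch-by-identifier check grant the same tenant's rows. The class names, helper functions and sample rows are hypothetical, and it assumes the in-memory check reads entity properties only through public getters and treats an unreadable property as NULL.

```php
<?php
declare(strict_types=1);

// Hypothetical entities: same data, one lacks the getter (the reported cause).
final class FoodWithoutGetter {
    public function __construct(public string $id, private string $tenant) {}
}
final class FoodWithGetter {
    public function __construct(public string $id, private string $tenant) {}
    public function getTenant(): string { return $this->tenant; }
}

// Assumption: properties are read via public getters only; unreadable => null.
function readViaGetter(object $entity, string $property): mixed {
    $getter = 'get' . ucfirst($property);
    return is_callable([$entity, $getter]) ? $entity->$getter() : null;
}

// Deny condition from the policy: current.securityContext.tenant != this.tenant
function isDeniedAfterFetch(object $entity, string $currentTenant): bool {
    return $currentTenant !== readViaGetter($entity, 'tenant');
}

// Returns ids where the query path and the by-identifier path disagree.
function divergingIds(array $rows, string $class, string $currentTenant): array {
    $diverging = [];
    foreach ($rows as $row) {
        // Query path works on the stored column: WHERE NOT (NOT (tenant = ?))
        $inList = !(!($row['tenant'] === $currentTenant));
        // Object path evaluates the same constraint on the hydrated entity.
        $byId = !isDeniedAfterFetch(new $class($row['id'], $row['tenant']), $currentTenant);
        if ($inList !== $byId) {
            $diverging[] = $row['id'];
        }
    }
    return $diverging;
}

// Constructed sample rows standing in for acme_bar_domain_model_food.
$rows = [
    ['id' => 'f1', 'tenant' => 'tenant-a'],
    ['id' => 'f2', 'tenant' => 'tenant-b'],
    ['id' => 'f3', 'tenant' => 'tenant-a'],
];

foreach ([FoodWithoutGetter::class, FoodWithGetter::class] as $class) {
    echo $class, ': ', json_encode(divergingIds($rows, $class, 'tenant-a')), PHP_EOL;
}
```

A non-empty result means the two paths enforce the policy differently for that entity class; in this model the failure mode is over-denial of the tenant's own rows, not exposure of another tenant's rows.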


