[Flow] The confusing policy role stuff

Steffen Wickham steffen at gaming-inc.de
Wed Feb 12 00:27:36 CET 2014 

Hello Jan,

please see my answers below your specific question :)



Am 11.02.2014 22:48, schrieb Jan Greth:
> Hey Aimo,
>
> thanks for your reply. I'll give it a try.
>
>> First of all: make everything that should be protected a resource.
>> E.g.
>>
>> resources:
>>    methods:
>>      'Foo':
>> 'method(Vendor\Package\Controller\CoffeeBeanController->(index|show)Action())'
>>      'Bar':
>> 'method(Vendor\Package\Controller\CoffeeBeanController->(new|create|edit|update|delete)Action())'
>>
>
> Ok, just to clarify my confused mind: an action / controller / etc NOT
> mentioned under "resources: methods:" is NOT protected and allways
> callable. Is that right?
That's correct. You have to tell Flow which resources have to be
protected through a declaration like the one above. Does a Controller or
method not match any defined resource, it is meant as public access and
access will be grant to Everybody.


> Wire users and resources via the ACLs
>>
>> acls:
>>    ' DefaultUser ':
>>      methods:
>>        'Foo':       GRANT
>>    ' AdvancedUser ':
>>      methods:
>>        'Bar':    GRANT
>
> Are the singlequotes (" ' ") around DefaultUser, AdvancedUser, Foo and
> Bar needed? couldn't find a hint in the Docs...
Nope, please remove the quotes, they are not necessary.


>
> And as allways when diggin' into new things during the last minutes
> ther appeared some further questions:
>
> 1. Are there / which options in Settings.yaml have effects on the
> Settings made in Policy.yaml?
Please have a look in the main Settings.yaml delivered with TYPO3.Flow
below "TYPO3: Flow: security" would affect the whole security party of
Flow. The only options which will affect Policy.yaml directly is
"enable" (line 226) and "allowAccessIfAllVotersAbstain" (line 309) IMHO.
With security you could disable all security features, with the
"allowAccessIfAllVotersAbstain" you can allow access to secured methods,
when one or more voter abstain to vote for a potential insecure call.


>
> 2. Can a Action be mentioned more than one time in resources:methods: ?
> E.g.:
> One: 'method(Vendor\Package\Controller\.*Controller->index.*())'
> Two: 'method(Vendor\Package\Controller\AbcController->.*Action())'
> What happens to AbcController->indexAction() if i 'GRANT' One and
> 'DENY' Two?
Yes, you can add multiple resource definitions which covers the same
method, but it can get complicated. I hadn't tried it by myself till now.
The answer to your second question is pretty simple: Access will be
denied (even when there were more GRANT items then DENY).

A quote from
http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartIII/Security.html#policies-aka-access-control-lists-acls:
"If a DENY privilege is configured for one of the user's roles, access
will be denied
no matter how many grant privileges there are in other roles."

When you want to prevent executing 'two' for normal users, just do not
add a GRANT statement for their the role (=> access will be denied). For
a special role you add the GRANT statement and it can be accessed.
So be careful using DENY, it is IMHO only useful for resource
definitions which checks parameters as well. A perfect resource will be
the Policy.yaml from TYPO3.Neos Package:
https://git.typo3.org/Packages/TYPO3.Neos.git/blob/HEAD:/Configuration/Policy.yaml


> 3. Assuming i have the roles User: [] and Superuser: ['User']
> User should be denied to access a method, Superuser should be able to
> call. How would i write that?
resources:
  methods:
    Vendor_Package_SpecialOfferController:
'method(Vendor\Package\Controller\SpecialOfferController->.*Action())'

roles:
  User: []
  Superuser: [User]

acls:
  Superuser:
    methods:
      Vendor_Package_SpecialOfferController: GRANT


>
> 4. Is it necessary/good/not good to Configure Firewall AND ACLs? Under
> which circumstances would you do what?
I think there is no "good" or "bad" in general. You can add firewall
rules beside your ACLs, that's fine. But keep in mind: Every new rule
will make it more complicated to maintain and debug access rules.

>
> I hope you can help me with this again. Nice evening and greetings
> from Bavaria,
> Jan

Have a nice morning and many greetings from Lower-Saxony,
Steffen :)

More information about the Flow mailing list