[Flow] How to build a SaaS Service?
Dominique Feyer
dfeyer at ttree.ch
Tue Feb 25 00:08:18 CET 2014
Our setup, really simplified, is the following:
1. We use an aspect to add a method
\TYPO3\Flow\Security\Context::getCurrentClient() which returns the current
client domain model object (based on the current HTTP request)
3. Each Domain Object that needs to be "private" must have a property owner
(a relation to our entity representing the client); we use
@Foo\PrivateObject to identify all those private objects (and another
aspect to inject the property and methods in our domain models, to avoid
code duplication)
4. In our Policy.yaml we add something like this (without any grants for
the PrivateObject):

    entities:
      'Ttree\Medialib\Core\Domain\Model\Advice':
        PrivateObject: 'current.securityContext.domain != this.owner'

Now you have a Flow application that limits access to private objects based
on the current request domain name ;) If you need to protect an entity,
just add one class annotation, and it's a private object.
There are some points to take care of:
1. Security policy is not applied on DQL (currently it's a good thing
because we use DQL for multi-client operations, cleanup, DO to XML, backup,
...)
2. Security policy is not applied to relations, which can be tricky, but if you
only limit access to private objects, it's not a big problem, as the users
will only add their own private objects in a relation.
3. You need some really crappy hack in the CLI command controller ... because
you don't have an HTTP request here. You need some kind of service to be
able to change the "current" client domain name. And if you need to do some
operations on private objects, you need to do those tasks in a
foreach ($clients as $client) loop or by disabling the security check ... but
in this case take care of what you do ;)
But after a bit more than one year with this SaaS application in
production, we are really happy with the current setup; it performs well,
even on tables with >100'000 records and more.
The most difficult thing for us was to build some analytics tools that
graph data from all our clients. First we started with DQL queries, but as
our amount of data grew really fast, we moved to ElasticSearch for all the
Analytics.
ttree sarl
Dominique Feyer
TYPO3 Addict
Rue du Valentin 34 et demi
CH - 1004 Lausanne
Téléphone +41 21 312 36 35
www.ttree.ch | twitter <http://twitter.com/ttreeagency> |
linkedin<http://www.linkedin.com/company/ttree/>
Plan d'accès: http://g.co/maps/4yu6t
2014-02-24 18:12 GMT+01:00 Axel Wüstemann <awu at qbus.de>:
>
> but with some nice
>> aspect you can separate each domain nicely
>>
>
>
> Thank you Dominique. It would be great if you could explain this a bit
> deeper.
>
> Thanks
>
> Axel
>
> _______________________________________________
> Flow mailing list
> Flow at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
>
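
Added example, not part of the original message and not Flow or ttree code: a plain-PHP model of caveat 3, where a CLI task has no HTTP request and must set the "current" client itself. The names ClientContext, runAs and visibleTo, and the sample domains, are assumptions; the filter mirrors the owner comparison from the Policy.yaml rule, the context is restored after each client, and access outside a client scope is refused.

```php
<?php
// Added illustration in plain PHP; no Flow classes are used and all names are hypothetical.
final class ClientContext
{
    private ?string $currentClient = null;
    /** Fails closed: without a current client (e.g. in CLI) nothing is readable. */
    public function getCurrentClient(): string
    {
        if ($this->currentClient === null) {
            throw new RuntimeException('no current client set');
        }
        return $this->currentClient;
    }
    /** Runs $task as $client and always restores the previous client, even on error. */
    public function runAs(string $client, callable $task)
    {
        $previous = $this->currentClient;
        $this->currentClient = $client;
        try {
            return $task();
        } finally {
            $this->currentClient = $previous;
        }
    }
}

/** Mirrors the policy rule: objects whose owner differs from the current client are hidden. */
function visibleTo(ClientContext $context, array $objects): array
{
    $client = $context->getCurrentClient();
    return array_values(array_filter($objects, fn(array $o): bool => $o['owner'] === $client));
}

// Constructed sample data: three private objects owned by two client domains.
$advices = [
    ['id' => 1, 'owner' => 'a.example'],
    ['id' => 2, 'owner' => 'b.example'],
    ['id' => 3, 'owner' => 'a.example'],
];
$context = new ClientContext();
foreach (['a.example', 'b.example'] as $client) {
    $ids = $context->runAs($client, fn() => array_column(visibleTo($context, $advices), 'id'));
    echo $client, ': ', implode(',', $ids), PHP_EOL;
}
try {
    visibleTo($context, $advices); // outside runAs(): no client is set
} catch (RuntimeException $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
```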