[Flow] Entity Security: Pers. Query Rewriting vs. checkAccessAfterFetchingAnObjectByIdentifier
Adrian Föder
adrian at foeder.de
Mon Mar 31 11:31:56 CEST 2014
Morning everyone,
especially Andi probably ;)
I have the situation where I aspect'ed my Security Context to have a
getTenant method which, you guessed it, returns the current "Tenant" the
logged in user "belongs" to.
Additionally, I have [an] Entity which again has a `tenant` property
(field).
You guess again: I wanna only show the entities where the tenant matches.
So for now, I have:
    entities:
      'Acme\Bar\Domain\Model\Food':
        ForTenant: 'current.securityContext.tenant != this.tenant'
When displaying these Foods in a list for example, the result is as
expected, the appropriate SQL looks like
    SELECT [...] FROM acme_bar_domain_model_food p0_
    WHERE NOT (NOT (p0_.tenant = ?))
The double negation makes the result be the intended one: only those
where the `tenant` field matches the current Tenant.
On the other hand, when visiting the "showAction(Food $food)",
\TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkAccessAfterFetchingAnObjectByIdentifier
kicks in and denies the access: it looks at
'current.securityContext.tenant != this.tenant' and returns FALSE (of
course :-/) because the current Tenant IS, and SHOULD BE, the entity's
tenant.
Why is that different, what am I doing wrong and what should I do please? :)
Thanks and best!
Adrian