[Flow] Dynamically create Roles in Flow 3.0-beta1

Bastian Waidelich bastian at typo3.org
Fri May 8 13:22:50 CEST 2015


On 08.05.15, at 07:12, Sascha Reule wrote:

Hi Sascha,


> Prior to Flow 3.0 there was a PolicyService in TYPO3\Flow\Security\Policy with the ability to create
> new Roles dynamically (via policyService->createRole('myNewRole') which adds the new Role to database).

You're right, with the new Security Framework, roles are no longer 
stored in the database.


> I've found the signal 'emitRolesInitialized()' [...]
> But with this approach I have to persist all my custom and dynamically created Roles

Correct, that signal can be used to register roles at runtime (as 
briefly mentioned in the documentation[1]).
You could connect to that signal via the following code in your Package.php:

use TYPO3\Flow\Core\Bootstrap;
use TYPO3\Flow\Security\Policy\Role;

/**
 * @param Bootstrap $bootstrap
 * @return void
 */
public function boot(Bootstrap $bootstrap) {
	$dispatcher = $bootstrap->getSignalSlotDispatcher();
	$dispatcher->connect(
		'TYPO3\Flow\Security\Policy\PolicyService', 'rolesInitialized',
		function (array &$roles) {
			// $roles is passed by reference and already holds the roles built from Policy.yaml
			$parentRole = new Role('Some.Parent:Role');
			$childRole = new Role('Some.Child:Role', [$parentRole]);
			$roles[$parentRole->getIdentifier()] = $parentRole;
			$roles[$childRole->getIdentifier()] = $childRole;
		}
	);
}

And those roles could come from the database, from LDAP or wherever.
An alternative could be to write a Policy.yaml file from the admin module:


// load the current policy configuration, set the roles and save it back
$policy = $this->configurationSource->load(FLOW_PATH_CONFIGURATION . ConfigurationManager::CONFIGURATION_TYPE_POLICY);
// note: this replaces the whole 'roles' section; merge with $policy['roles'] if existing roles must be kept
$policy['roles'] = [
	'Some.Parent:Role' => [],
	'Some.Child:Role' => ['parentRoles' => ['Some.Parent:Role']]
];
$this->configurationSource->save(FLOW_PATH_CONFIGURATION . ConfigurationManager::CONFIGURATION_TYPE_POLICY, $policy);

// the policy is cached, so flush the configuration cache afterwards
$this->configurationManager->flushConfigurationCache();

(inject TYPO3\Flow\Configuration\ConfigurationManager and TYPO3\Flow\Configuration\Source\YamlSource)

But this might not be an option in your environment, and there are also 
some security related considerations to take into account.


*BUT*: The question is whether you really need to create roles on the 
fly. Roles are a really low-level concept of your application - there 
should be no need for new roles at runtime. Probably what you want is 
something like a user *group* on top of roles.
The new ACL approach allows you to define a DSL to address not only 
methods but properties in your model.
For example imagine you have a user model and the administrator can 
assign a list of categories that should be editable by this user (or 
user group). You could write something like:

privilegeTargets:
  'Acme\SomePackage\Security\Authorization\Privilege\EditDocumentPrivilege':
    'Acme.SomePackage:DocumentAdministration':
      matcher: 'documentIsInCategory(authenticatedUser.allowedCategories)'

Unfortunately it is not trivial to write those custom privileges (they 
contain little code mostly, but the concepts are not easy to grasp at 
first). If you want to go that route, having a look at the brand new 
documentation[1] might help and also a look into the (partly not yet 
officially supported) Node* Privileges of the TYPO3CR package[2].

Please report back if you need help and/or how that worked out for you 
and whether we need to improve the API here.

HTH

[1] http://docs.typo3.org/flow/TYPO3FlowDocumentation/latest/TheDefinitiveGuide/PartIII/Security.html#authentication-manager-and-provider

[2] https://git.typo3.org/Packages/TYPO3.TYPO3CR.git/tree/HEAD:/Classes/TYPO3/TYPO3CR/Security/Authorization/Privilege/Node


-- 
Bastian Waidelich
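Added example (not part of Bastian's reply and not code from the Flow project): a full Package.php that wires the same rolesInitialized slot, but takes its role definitions from an external source and validates them before they enter the policy. The service Acme\SomePackage\Security\RoleDefinitionSource and its loadDefinitions() method are hypothetical stand-ins for whatever database or LDAP lookup the application uses, and the identifier pattern is this example's own choice; Bootstrap, Package, Role, getSignalSlotDispatcher() and getObjectManager() are Flow 3.0 classes and methods.

```php
<?php
namespace Acme\SomePackage;

// Added example, not code from the mailing-list reply or from the Flow project.
// Registers roles from an external source via the rolesInitialized signal, but
// validates each definition before it enters the policy.

use TYPO3\Flow\Core\Bootstrap;
use TYPO3\Flow\Package\Package as BasePackage;
use TYPO3\Flow\Security\Policy\Role;

class Package extends BasePackage {

	/**
	 * Identifiers must look like "Package.Key:RoleName". This pattern is the
	 * example's own restriction on what the external source may supply.
	 */
	const IDENTIFIER_PATTERN = '/^[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*:[A-Za-z0-9]+$/';

	/**
	 * Filters external role definitions against the roles Flow already built
	 * from Policy.yaml. Pure PHP, so it can be unit-tested without booting Flow.
	 *
	 * @param array $existingIdentifiers identifiers already present in $roles
	 * @param array $definitions identifier => list of parent role identifiers
	 * @return array accepted definitions, ordered so that parents come first
	 */
	public static function filterDefinitions(array $existingIdentifiers, array $definitions) {
		$available = array_fill_keys($existingIdentifiers, TRUE);
		$pending = [];
		foreach ($definitions as $identifier => $parents) {
			// Drop malformed identifiers, and never overwrite a role Flow already
			// configured: replacing it would silently discard its privileges.
			if (!is_string($identifier) || preg_match(self::IDENTIFIER_PATTERN, $identifier) !== 1) {
				continue;
			}
			if (isset($available[$identifier])) {
				continue;
			}
			$pending[$identifier] = array_values(array_unique((array) $parents));
		}
		// A parent must be a configured or already accepted role. Resolve in passes
		// until nothing new is accepted; unknown parents and cycles stay unregistered.
		$accepted = [];
		do {
			$progress = FALSE;
			foreach ($pending as $identifier => $parents) {
				foreach ($parents as $parent) {
					if (!is_string($parent) || !isset($available[$parent])) {
						continue 2;
					}
				}
				$accepted[$identifier] = $parents;
				$available[$identifier] = TRUE;
				unset($pending[$identifier]);
				$progress = TRUE;
			}
		} while ($progress && $pending !== []);
		return $accepted;
	}

	/**
	 * @param Bootstrap $bootstrap
	 * @return void
	 */
	public function boot(Bootstrap $bootstrap) {
		$dispatcher = $bootstrap->getSignalSlotDispatcher();
		$dispatcher->connect(
			'TYPO3\Flow\Security\Policy\PolicyService', 'rolesInitialized',
			function (array &$roles) use ($bootstrap) {
				// Hypothetical service standing in for the database or LDAP lookup;
				// it is expected to return identifier => [parent identifiers].
				$definitions = $bootstrap->getObjectManager()
					->get('Acme\SomePackage\Security\RoleDefinitionSource')
					->loadDefinitions();
				$accepted = self::filterDefinitions(array_keys($roles), $definitions);
				foreach ($accepted as $identifier => $parentIdentifiers) {
					$parentRoles = [];
					foreach ($parentIdentifiers as $parentIdentifier) {
						$parentRoles[] = $roles[$parentIdentifier];
					}
					$roles[$identifier] = new Role($identifier, $parentRoles);
				}
			}
		);
	}
}
```

The filtering step is what makes the "roles from the database or LDAP" variant safe to run: $roles arrives by reference with the roles (and privileges) already built from Policy.yaml, so a slot that assigns unconditionally can replace a configured role with a bare one, and a parent list taken verbatim from a data store decides which existing role's privileges a new role inherits. Keeping that check in a static method lets it be covered by a plain unit test, while the slot itself only turns accepted definitions into Role objects.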

