[Flow] Dynamically create Roles in Flow 3.0-beta1
Sascha Reule
mail at sascha-reule.de
Tue May 12 08:47:01 CEST 2015
Hi Bastian,
thank you for the detailed answer! It helped me very much!
I’ve tried it with the rolesInitialized signal and it works! But I think before I’ll upgrade to Flow 3.0 I have to refactor my administrative user management backend to use some kind of user groups instead of Flow's Role mechanism. Later I’ll take a look at the new ACL and Policy framework in depth.
Thanks!
--
Sascha Reule
On 8 May 2015 at 13:25:06, Bastian Waidelich (bastian at typo3.org) wrote:
On 08.05.15, at 07:12, Sascha Reule wrote:
Hi Sascha,
> Prior to Flow 3.0 there was a PolicyService in TYPO3\Flow\Security\Policy with the ability to create
> new Roles dynamically (via policyService->createRole('myNewRole') which adds the new Role to database).
You're right, with the new Security Framework, roles are no longer
stored in the database.
> I've found the signal 'emitRolesInitialized()' [...]
> But with this approach I have to persist all my custom and dynamically created Roles
Correct, that signal can be used to register roles at runtime (as
briefly mentioned in the documentation[1]).
You could connect to that signal via the following code in your Package.php:
<?php
namespace Acme\SomePackage;

use TYPO3\Flow\Core\Bootstrap;
use TYPO3\Flow\Package\Package as BasePackage;
use TYPO3\Flow\Security\Policy\Role;

class Package extends BasePackage {

    /**
     * Registers additional roles once the PolicyService has read the static ones from Policy.yaml
     *
     * @param Bootstrap $bootstrap
     * @return void
     */
    public function boot(Bootstrap $bootstrap) {
        $dispatcher = $bootstrap->getSignalSlotDispatcher();
        $dispatcher->connect(
            'TYPO3\Flow\Security\Policy\PolicyService', 'rolesInitialized',
            function (array &$roles) {
                // $roles holds the roles already initialized from Policy.yaml, indexed by identifier
                $parentRole = new Role('Some.Parent:Role');
                $childRole = new Role('Some.Child:Role', [$parentRole]);
                $roles[$parentRole->getIdentifier()] = $parentRole;
                $roles[$childRole->getIdentifier()] = $childRole;
            }
        );
    }
}
And those roles could come from the database, from LDAP or wherever.
An alternative could be to write a Policy.yaml file from the admin module:
use TYPO3\Flow\Configuration\ConfigurationManager;

// Load the current Policy.yaml (the path is given without the .yaml extension, which the YamlSource adds)
$policy = $this->configurationSource->load(FLOW_PATH_CONFIGURATION . ConfigurationManager::CONFIGURATION_TYPE_POLICY);
// Note: this replaces the whole "roles" section; merge with the existing entries if others are defined there
$policy['roles'] = [
    'Some.Parent:Role' => [],
    'Some.Child:Role' => ['parentRoles' => ['Some.Parent:Role']]
];
// Write the file back and drop the cached configuration so the new roles are picked up on the next request
$this->configurationSource->save(FLOW_PATH_CONFIGURATION . ConfigurationManager::CONFIGURATION_TYPE_POLICY, $policy);
$this->configurationManager->flushConfigurationCache();
(inject TYPO3\Flow\Configuration\ConfigurationManager and
TYPO3\Flow\Configuration\Source\YamlSource)
But this might not be an option in your environment, and there are also
some security related considerations to take into account.
*BUT*: The question is whether you really need to create roles on the
fly. Roles are a really low level concept of your application - there
should be no need for new roles at runtime. Probably what you want is
something like a user *group* on top of roles.
The new ACL approach allows you to define a DSL to address not only
methods but properties in your model.
For example imagine you have a user model and the administrator can
assign a list of categories that should be editable by this user (or
user group). You could write something like:
privilegeTargets:
  'Acme\SomePackage\Security\Authorization\Privilege\EditDocumentPrivilege':
    'Acme.SomePackage:DocumentAdministration':
      matcher: 'documentIsInCategory(authenticatedUser.allowedCategories)'
Unfortunately it is not trivial to write those custom privileges (they
contain little code mostly, but the concepts are not easy to grasp at
first). If you want to go that route, having a look at the brand new
documentation[1] might help and also a look into the (partly not yet
officially supported) Node* Privileges of the TYPO3CR package[2].
Please report back if you need help and/or how that worked out for you
and whether we need to improve the API here.
HTH
[1] http://docs.typo3.org/flow/TYPO3FlowDocumentation/latest/TheDefinitiveGuide/PartIII/Security.html#authentication-manager-and-provider
[2] https://git.typo3.org/Packages/TYPO3.TYPO3CR.git/tree/HEAD:/Classes/TYPO3/TYPO3CR/Security/Authorization/Privilege/Node
--
Bastian Waidelich
_______________________________________________
Flow mailing list
Flow at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
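As an added example (not Bastian's code and not part of Flow), here is how the rolesInitialized slot from the first snippet can be fed from administrator-managed group data while keeping the checks that the Policy.yaml-writing alternative lacks: the slot only accepts identifiers that fit the Vendor.Package:RoleName convention, refuses to replace roles that Policy.yaml already declares, and refuses groups whose parent role is unknown, so stored data can never grant rights nobody declared. The package key Acme.SomePackage, the DynamicRoleRegistrar class, the identifier pattern and the inline group definitions are assumptions constructed for this example.

```php
<?php
namespace Acme\SomePackage;

use TYPO3\Flow\Core\Bootstrap;
use TYPO3\Flow\Package\Package as BasePackage;
use TYPO3\Flow\Security\Policy\Role;

/**
 * Turns administrator-managed group definitions into Flow roles inside the
 * "rolesInitialized" slot, accepting only definitions that pass a few checks.
 * Hypothetical class written for this example; not part of Flow.
 */
class DynamicRoleRegistrar {

    /** Assumed approximation of Flow's "Vendor.Package:RoleName" identifier convention */
    const IDENTIFIER_PATTERN = '/^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z][A-Za-z0-9]*)*:[A-Za-z][A-Za-z0-9]*$/';

    /**
     * @param array $roles Roles already initialized from Policy.yaml, indexed by identifier (modified in place)
     * @param array $groupDefinitions Stored definitions: identifier => list of parent role identifiers
     * @return array ['added' => [identifier, ...], 'rejected' => [identifier => reason, ...]]
     */
    public function register(array &$roles, array $groupDefinitions) {
        $report = ['added' => [], 'rejected' => []];
        foreach ($groupDefinitions as $identifier => $parentIdentifiers) {
            if (!is_string($identifier) || preg_match(self::IDENTIFIER_PATTERN, $identifier) !== 1) {
                $report['rejected'][(string)$identifier] = 'identifier is not of the form Vendor.Package:RoleName';
                continue;
            }
            if (isset($roles[$identifier])) {
                // Stored data must never replace a role declared in Policy.yaml
                $report['rejected'][$identifier] = 'already declared in Policy.yaml';
                continue;
            }
            $parentRoles = [];
            foreach ((array)$parentIdentifiers as $parentIdentifier) {
                if (!isset($roles[$parentIdentifier])) {
                    // Reject rather than auto-create or silently drop the parent: auto-creating it
                    // would introduce an undeclared role, dropping it would change the group's rights
                    $report['rejected'][$identifier] = 'unknown parent role ' . $parentIdentifier;
                    continue 2;
                }
                $parentRoles[] = $roles[$parentIdentifier];
            }
            $roles[$identifier] = new Role($identifier, $parentRoles);
            $report['added'][] = $identifier;
        }
        return $report;
    }
}

class Package extends BasePackage {

    /**
     * @param Bootstrap $bootstrap
     * @return void
     */
    public function boot(Bootstrap $bootstrap) {
        $dispatcher = $bootstrap->getSignalSlotDispatcher();
        $dispatcher->connect(
            'TYPO3\Flow\Security\Policy\PolicyService', 'rolesInitialized',
            function (array &$roles) {
                // Constructed sample data standing in for the group table an admin module would maintain
                // (in a real package this would come from a repository fetched via $bootstrap->getObjectManager())
                $groupDefinitions = [
                    'Acme.SomePackage:Editor' => [],
                    'Acme.SomePackage:ChiefEditor' => ['Acme.SomePackage:Editor'],
                    'Acme.SomePackage:Auditor' => ['Acme.SomePackage:NoSuchRole'], // rejected: unknown parent
                    'editors-from-form' => [],                                     // rejected: malformed identifier
                ];
                $registrar = new DynamicRoleRegistrar();
                $report = $registrar->register($roles, $groupDefinitions);
                // $report['rejected'] is what you would log; nothing listed there reached the role registry,
                // $report['added'] contains Editor and ChiefEditor (ChiefEditor inherits from Editor)
            }
        );
    }
}
```

Both classes are shown in one listing; in a Flow package each lives in its own file under Classes/Acme/SomePackage/. Because ChiefEditor is processed after Editor, its parent is already present in $roles; the order of the stored definitions therefore matters, and a group whose parent comes later in the data is reported as rejected rather than registered with missing inheritance.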