[TYPO3-50-general] Problem with setting proper methods-based policies

Rens Admiraal rens.admiraal at typo3.org
Mon Oct 22 21:06:28 CEST 2012


Hi Francois,

IIRC this should work, by having those separate resources defined. The
security framework will search for all resources defined for the method
call, and if one of them is allowed it will allow access.

Can you maybe post the error you got when access is denied?

Greetz,
Rens



On 10-10-12 16:31, François Suter wrote:
> Hi all,
>
> I have trouble setting a proper policy for the following scenario:
>
> Consider a controller with a lot of methods. All are reserved for users
> with the "Administrator" role and is may be accessed by users with a
> "Client" role.
>
> I have tried the following policy:
>
> resources:
>    methods:
>      Cobweb_Monitoring_EventManagement: 'method(Cobweb\Monitoring\Controller\EventController->(.*)Action())'
>      Cobweb_Monitoring_Timeline: 'method(Cobweb\Monitoring\Controller\EventController->timelineAction())'
> roles:
>    Administrator: []
>    Client: []
> acls:
>    Administrator:
>      methods:
>        Cobweb_Monitoring_EventManagement: GRANT
>    Client:
>      methods:
>        Cobweb_Monitoring_Timeline: GRANT
>
> My hope was that the more specific "timeline" action would be considered
> and allowed for "Client" roles, but that does not work. How should I
> handle this?
>
> Cheers
>
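
The rule described in the reply (collect every resource whose pattern matches the called method, allow if any of them is granted to one of the user's roles), modelled against the quoted policy. This is an added example, not code from the framework or from either poster; the pointcut parsing is a simplified assumption (literal class name, regex method name) and DENY entries are not modelled.

```python
import re

# Resources and ACLs copied from the policy in the quoted message.
RESOURCES = {
    "Cobweb_Monitoring_EventManagement":
        r"method(Cobweb\Monitoring\Controller\EventController->(.*)Action())",
    "Cobweb_Monitoring_Timeline":
        r"method(Cobweb\Monitoring\Controller\EventController->timelineAction())",
}
ACLS = {
    "Administrator": {"Cobweb_Monitoring_EventManagement": "GRANT"},
    "Client": {"Cobweb_Monitoring_Timeline": "GRANT"},
}
EVENT_CONTROLLER = r"Cobweb\Monitoring\Controller\EventController"


def compile_pointcut(expr):
    """Split 'method(Class->namePattern())' into (class name, method regex).

    Assumption for this sketch: the class part is a literal name and only
    the method part is a regular expression.
    """
    m = re.fullmatch(r"method\((.+)->(.+)\(\)\)", expr)
    if m is None:
        raise ValueError("unsupported pointcut: " + expr)
    return m.group(1), re.compile(m.group(2))


def matching_resources(class_name, method_name):
    """Return the names of all resources whose pattern covers the call."""
    hits = []
    for name, expr in RESOURCES.items():
        cls, pattern = compile_pointcut(expr)
        if cls == class_name and pattern.fullmatch(method_name):
            hits.append(name)
    return hits


def is_allowed(roles, class_name, method_name):
    """Allow when any matching resource is granted to any of the roles."""
    for resource in matching_resources(class_name, method_name):
        for role in roles:
            if ACLS.get(role, {}).get(resource) == "GRANT":
                return True
    return False
```

Under this model timelineAction matches both resources, so a Client is allowed through Cobweb_Monitoring_Timeline while every other action stays Administrator-only; if the real result differs, the error message asked for above is the next thing to look at.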


