Created
April 26, 2018 14:39
-
-
Save Sebobo/9b560842ef0eb7fcc3d24cb3fd571f67 to your computer and use it in GitHub Desktop.
Dynamic Policies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| namespace Foo\Bar\Service; | |
| use Neos\Cache\CacheAwareInterface; | |
| use Neos\Flow\Annotations as Flow; | |
| use Neos\Neos\Domain\Model\User; | |
| /** | |
| * The user service provides general context information about the currently | |
| * authenticated backend user. | |
| * | |
| * The methods getters of this class are accessible via the "context.instanceUserInformation" variable in security policies. | |
| * | |
| * @Flow\Scope("singleton") | |
| */ | |
| class InstanceUserService implements CacheAwareInterface | |
| { | |
| /** | |
| * @Flow\Inject | |
| * @var \Neos\Neos\Domain\Service\UserService | |
| */ | |
| protected $userDomainService; | |
| /** | |
| * Returns the name of the currently logged in user. | |
| * If no user is logged in this method returns null. | |
| * | |
| * @return string | |
| * @api | |
| */ | |
| public function getUsername() | |
| { | |
| $currentUser = $this->userDomainService->getCurrentUser(); | |
| if (!$currentUser instanceof User) { | |
| return null; | |
| } | |
| return $this->userDomainService->getUsername($currentUser); | |
| } | |
| /** | |
| * Returns the name of the currently logged in user. | |
| * If no user is logged in this method returns null. | |
| * | |
| * @return string | |
| * @api | |
| */ | |
| public function getSiteRootForCurrentUser() | |
| { | |
| $username = $this->getUsername(); | |
| return $username !== null ? '/sites/' . $username : null; | |
| } | |
| /** | |
| * Returns a string which distinctly identifies this object and thus can be used as an identifier for cache entries | |
| * related to this object. | |
| * | |
| * @return string | |
| */ | |
| public function getCacheEntryIdentifier() | |
| { | |
| return $this->getUsername(); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| privilegeTargets: | |
| 'Neos\ContentRepository\Security\Authorization\Privilege\Node\ReadNodePrivilege': | |
| 'Foo.Bar:RestrictNodesToInstanceEditor': | |
| matcher: '!(isDescendantNodeOf("context.instanceUserInformation.siteRootForCurrentUser") || property("path").in(["/", "/sites", "context.instanceUserInformation.siteRootForCurrentUser"]))' | |
| 'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege': | |
| 'Foo.Bar:RestrictSitesToInstanceEditor': | |
| matcher: 'isType("Neos\Neos\Domain\Model\Site") && (property("nodeName") != "context.instanceUserInformation.username")' | |
| roles: | |
| 'Foo.Bar:InstanceEditor': | |
| parentRoles: ['Neos.Neos:AbstractEditor'] | |
| privileges: | |
| - | |
| privilegeTarget: 'Foo.Bar:RestrictNodesToInstanceEditor' | |
| permission: DENY | |
| - | |
| privilegeTarget: 'Foo.Bar:RestrictSitesToInstanceEditor' | |
| permission: DENY | |
| 'Neos.Flow:Everybody': | |
| privileges: | |
| - | |
| privilegeTarget: 'Foo.Bar:RestrictNodesToInstanceEditor' | |
| permission: GRANT | |
| - | |
| privilegeTarget: 'Foo.Bar:RestrictSitesToInstanceEditor' | |
| permission: GRANT | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Neos: | |
| Flow: | |
| aop: | |
| globalObjects: | |
| instanceUserInformation: Foo\Bar\Service\InstanceUserService |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment