Multi-site access restriction with Neos CMS
# Policy.yaml
#
# Each privilege target below matches the entities a user must NOT see. Only the roles
# listed under `roles` with a GRANT are exempt, so every other authenticated role
# (e.g. an editor) gets the filtered view. The "context.userInformationContext…" operands
# refer to the global object registered under Neos.Flow.aop.globalObjects (see Settings.yaml).
privilegeTargets:

  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    # Sites whose node name is not the current account's identifier. A user whose account
    # identifier matches no site node name therefore sees no site at all (fail closed).
    'Acme.Package:NotUsersSite':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") != "context.userInformationContext.account.accountIdentifier"'

  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':
    # Assets outside the collection named by the user's site property.
    # Note the isWithoutCollection() exemption: assets that belong to no collection are
    # never matched here, i.e. they stay readable by every role.
    # "propertyName" is presumably a placeholder for the Site property holding the collection name.
    'Acme.Package:NotUsersAssets':
      matcher: '!(isInCollection("context.userInformationContext.site.propertyName") || isWithoutCollection())'

  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    # Asset collections whose title differs from the user's site property.
    'Acme.Package:NotUsersCollection':
      matcher: '!(isTitled("context.userInformationContext.site.propertyName"))'

roles:

  # Grant administrators permission to all sites, nodes, assets & collections
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Acme.Package:NotUsersSite'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersAssets'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersCollection'
        permission: GRANT

  # Grant non-authenticated users permission to all sites & assets
  # (the restriction is meant for authenticated backend roles, not for frontend visitors)
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'Acme.Package:NotUsersSite'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersAssets'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersCollection'
        permission: GRANT
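# Settings.yaml
Neos:
  Flow:
    aop:
      globalObjects:
        # Exposes UserInformationContext to policy matchers as
        # "context.userInformationContext.<propertyPath>".
        # The class is declared in namespace Acme\Package\Security (UserInformationContext.php);
        # the gist's original entry pointed at Package\Acme\…, which does not match that
        # namespace and would leave the matchers without a resolvable global object.
        userInformationContext: 'Acme\Package\Security\UserInformationContext'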
<?php
namespace Acme\Package\Security;
use Acme\Package\Domain\Model\Site;
use Acme\Package\Domain\Repository\SiteRepository;
use Neos\Flow\Annotations as Flow;
use Neos\Flow\Cache\CacheAwareInterface;
use Neos\Flow\Persistence\PersistenceManagerInterface;
use Neos\Flow\Security\Account;
use Neos\Flow\Security\Context;
use Neos\Neos\Domain\Model\User;
use Neos\Party\Domain\Service\PartyService;
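/**
 * Global object made available to security policy matchers as
 * "context.userInformationContext" (registered under Neos.Flow.aop.globalObjects).
 *
 * It resolves the currently authenticated account to its Neos User and to the Site
 * that user is bound to, so that entity / asset privilege matchers can compare against
 * "context.userInformationContext.account.accountIdentifier" and
 * "context.userInformationContext.site.<property>".
 *
 * Keep this class non-final and its injected properties protected: Flow generates a
 * proxy subclass to perform the @Flow\Inject property injection.
 *
 * @Flow\Scope("singleton")
 */
class UserInformationContext implements CacheAwareInterface
{
    /**
     * @Flow\Inject
     * @var SiteRepository
     */
    protected $siteRepository;

    /**
     * @Flow\Inject
     * @var Context
     */
    protected $securityContext;

    /**
     * @Flow\Inject
     * @var PersistenceManagerInterface
     */
    protected $persistenceManager;

    /**
     * @Flow\Inject
     * @var PartyService
     */
    protected $partyService;

    /**
     * The account of the currently authenticated user, if any.
     *
     * @return Account|null null when nobody is authenticated
     */
    public function getAccount()
    {
        return $this->securityContext->getAccount();
    }

    /**
     * The Neos user (party) assigned to the current account.
     *
     * @return User|null null when nobody is authenticated or the account's party is not a User
     */
    public function getUser()
    {
        $account = $this->getAccount();
        if ($account === null) {
            return null;
        }
        $party = $this->partyService->getAssignedPartyOfAccount($account);
        // Only a Neos User can be resolved to a site; any other party type yields
        // "no user" instead of being handed on under the wrong type.
        return $party instanceof User ? $party : null;
    }

    /**
     * The site the current user is bound to.
     *
     * @return Site|null null when there is no user, or the repository knows no site for them
     */
    public function getSite()
    {
        $user = $this->getUser();
        if ($user === null) {
            return null;
        }
        return $this->siteRepository->findOneByUser($user);
    }

    /**
     * Identifier under which anything derived from this context is cached, so that
     * results computed for one account are not reused for another.
     *
     * NOTE(review): CacheAwareInterface declares a string return; null is kept here for
     * the unauthenticated case to preserve the original behaviour — confirm the consumer
     * (Flow's security context hash) tolerates it.
     *
     * @return string|null the persistence identifier of the account, or null when nobody is authenticated
     */
    public function getCacheEntryIdentifier()
    {
        $account = $this->getAccount();
        if ($account === null) {
            return null;
        }
        return $this->persistenceManager->getIdentifierByObject($account);
    }
}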