Multi-site access restriction with Neos CMS
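# Multi-site read restriction for Neos CMS.
#
# Each privilege target below matches the sites / assets / asset collections
# that do NOT belong to the current user's site. In Flow's privilege model a
# target that none of the active roles grants is denied, and for entity-type
# privileges "denied" means the matched entities are filtered out of query
# results. The GRANTs under "roles" are therefore the exemptions: every role
# that is not listed there (Neos.Neos:Editor, custom roles, roles added later)
# is restricted, which keeps the setup fail-closed.
#
# All "context.userInformationContext.…" paths resolve through the global
# object registered in Settings.yaml (class UserInformationContext).
privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    # A Site is "not the user's" when its nodeName differs from the account
    # identifier, i.e. the convention is: site nodeName == username. An account
    # whose identifier matches no site's nodeName sees no site at all.
    # This target filters the Site entity only; whether content nodes of other
    # sites are reachable by other means is not covered by this policy.
    'Acme.Package:NotUsersSite':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") != "context.userInformationContext.account.accountIdentifier"'
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':
    # Hides assets that are not in the user's collection, EXCEPT assets that
    # belong to no collection at all (isWithoutCollection()): those remain
    # readable for every site. Anything uploaded without a collection is thus
    # effectively shared across sites; make sure uploads always land in a
    # collection if that is not acceptable.
    # "propertyName" is a placeholder: replace it with the property of the Acme
    # Site model (UserInformationContext::getSite()) that holds the collection
    # title the asset constraints compare against.
    'Acme.Package:NotUsersAssets':
      matcher: '!(isInCollection("context.userInformationContext.site.propertyName") || isWithoutCollection())'
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    # Same placeholder as above; hides every collection whose title is not the
    # one assigned to the user's site.
    'Acme.Package:NotUsersCollection':
      matcher: '!(isTitled("context.userInformationContext.site.propertyName"))'

roles:
  # Administrators are exempt from all three filters (sites, assets and
  # collections). No node privileges are defined in this file.
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Acme.Package:NotUsersSite'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersAssets'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersCollection'
        permission: GRANT
  # Unauthenticated requests (the public frontend) are exempt from all three
  # filters as well, so the restriction only takes effect for authenticated,
  # non-administrator accounts (i.e. backend editors). Nothing here hides any
  # site, asset or collection from anonymous visitors.
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'Acme.Package:NotUsersSite'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersAssets'
        permission: GRANT
      -
        privilegeTarget: 'Acme.Package:NotUsersCollection'
        permission: GRANT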
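Neos:
  Flow:
    aop:
      globalObjects:
        # Registers the security context helper that the Policy.yaml matchers
        # address as "context.userInformationContext.…". The value must be the
        # fully qualified class name; the class in UserInformationContext.php
        # lives in namespace Acme\Package\Security (the original entry had the
        # vendor and package segments swapped, which resolves to no class).
        userInformationContext: 'Acme\Package\Security\UserInformationContext'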
<?php | |
namespace Acme\Package\Security; | |
use Acme\Package\Domain\Model\Site; | |
use Acme\Package\Domain\Repository\SiteRepository; | |
use Neos\Flow\Annotations as Flow; | |
use Neos\Flow\Cache\CacheAwareInterface; | |
use Neos\Flow\Persistence\PersistenceManagerInterface; | |
use Neos\Flow\Security\Account; | |
use Neos\Flow\Security\Context; | |
use Neos\Neos\Domain\Model\User; | |
use Neos\Party\Domain\Service\PartyService; | |
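/**
 * Security "global object" that exposes the authenticated account, its Neos
 * user and that user's site to the policy matchers.
 *
 * It is registered under Neos.Flow.aop.globalObjects as
 * `userInformationContext`, so Policy.yaml matchers can reference paths such
 * as `context.userInformationContext.account.accountIdentifier` and
 * `context.userInformationContext.site.<property>`.
 *
 * Every getter returns null when there is no authenticated account (or no
 * user / site for it). A matcher evaluated against such a null operand should
 * hide everything rather than reveal everything for roles that are not
 * granted the corresponding privilege target -- NOTE(review): confirm this
 * against the condition generator's handling of null operands.
 *
 * @Flow\Scope("singleton")
 */
class UserInformationContext implements CacheAwareInterface
{
    /**
     * @Flow\Inject
     * @var SiteRepository
     */
    protected $siteRepository;

    /**
     * @Flow\Inject
     * @var Context
     */
    protected $securityContext;

    /**
     * @Flow\Inject
     * @var PersistenceManagerInterface
     */
    protected $persistenceManager;

    /**
     * @Flow\Inject
     * @var PartyService
     */
    protected $partyService;

    /**
     * The currently authenticated account, if any.
     *
     * @return Account|null null when no account is authenticated
     */
    public function getAccount()
    {
        return $this->securityContext->getAccount();
    }

    /**
     * The Neos user assigned to the authenticated account.
     *
     * @return User|null null when unauthenticated, or when the party assigned
     *                   to the account is not a Neos User
     */
    public function getUser()
    {
        $account = $this->getAccount();
        if ($account === null) {
            return null;
        }
        $party = $this->partyService->getAssignedPartyOfAccount($account);
        // The party service is not guaranteed to hand back a Neos User; any
        // other party type would otherwise be passed to the site repository
        // as if it were one. Treat it as "no user", which keeps the site
        // lookup -- and thus the policy filters built on it -- fail-closed.
        return $party instanceof User ? $party : null;
    }

    /**
     * The site assigned to the authenticated user.
     *
     * @return Site|null null when there is no user, or the repository knows no
     *                   site for the user
     */
    public function getSite()
    {
        $user = $this->getUser();
        if ($user === null) {
            return null;
        }
        return $this->siteRepository->findOneByUser($user);
    }

    /**
     * Identifier describing the security-relevant state of this object: the
     * persistence identifier of the authenticated account.
     *
     * Presumably Flow folds this into the cache key of privilege evaluations
     * that reference this global object (CacheAwareInterface), so that two
     * accounts never share a cached constraint -- TODO confirm. All
     * unauthenticated requests map to the same null identifier, which is only
     * acceptable because every other getter returns null for them too.
     *
     * @return string|null null when no account is authenticated
     */
    public function getCacheEntryIdentifier()
    {
        $account = $this->getAccount();
        if ($account === null) {
            return null;
        }
        return $this->persistenceManager->getIdentifierByObject($account);
    }
}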