Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Example of a Flow policy that respects method parameters
# Concrete assignments from roles to privileges can happen in your global /Configuration/Policy.yaml file
roles:
'Some.Distribution:Administrator':
privileges:
- privilegeTarget: 'Some.Package:AccessAnyProduct'
permission: GRANT
'Some.Distribution:User':
privileges:
- privilegeTarget: 'Some.Package:AccessOwnedProducts'
permission: GRANT
<?php
declare(strict_types=1);
namespace Some\Package\Security;
use Neos\Cache\CacheAwareInterface;
use Neos\Flow\Annotations as Flow;
use Neos\Flow\Security\Context as SecurityContext;
/**
* @Flow\Scope("singleton")
*/
final class AuthenticationContext implements CacheAwareInterface
{
private SecurityContext $securityContext;
public function __construct(SecurityContext $securityContext, ProductRepository $productRepository)
{
$this->securityContext = $securityContext;
$this->productRepository = $productRepository;
}
public function getOwnedProjectIds(): array
{
// TODO: consider using runtime caches
$account = $this->securityContext->getAccount();
if ($account === null) {
return [];
}
return $this->productRepository->fetchProductIdsByUser(UserId::fromAccount($account));
}
public function getCacheEntryIdentifier(): string
{
return sha1(json_encode($this->getOwnedProjectIds()));
}
}
privilegeTargets:
'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
# Denylist for the public ProductService methods (disallow all public methods by default)
# This will lead to an ABSTAIN by default and now policy should change that!
'Some.Package:ProductService.Denylist':
matcher: 'within(Some\Package\ProductService) && method(public .*->(?!__construct).*())'
# Access details of a product owned and assigned to any user (relevant for administrators)
'Some.Package:AccessAnyProduct':
matcher: 'method(Some\Package\ProductService->getProductById())'
# Access details of products owned by the authenticated user
'Some.Package:AccessOwnedProducts':
matcher: 'method(Some\Package\ProductService->getProductById(id in current.productContext.ownedProductIds))'
Neos:
Flow:
aop:
globalObjects:
'productContext': 'Some\Package\Security\AuthenticationContext'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment