Dynamic ACL in Neos Flow

AuthenticationContext.php

<?php
declare(strict_types=1);
namespace Some\Package\Security;

use Neos\Cache\CacheAwareInterface;
use Neos\Flow\Annotations as Flow;

/**
 * @Flow\Scope("singleton")
 */
final class AuthenticationContext implements CacheAwareInterface
{

    public function getAssignedProductIds(): array
    {
        // TODO retrieve product ids that are assigned to the currently authenticated account
        // if no account is authenticated, an empty array should be returned
        // NOTE: If this list is expected to be very large, you should consider using something else than the id (but for example a product _category_)
    }

    public function getCacheEntryIdentifier(): string
    {
        return implode('|', $this->getEditableProductIds());
    }
}

Policy.yaml

privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':

    # Blacklist for the public ProductService methods
    'Some.Package:ProductService.Blacklist':
      matcher: 'within(Some\Package\Product\ProductService) && method(public .*->.*())'

    'Some.Package:ProductService.EditAnyProduct':
      matcher: 'method(Some\Package\Product\ProductService->updateProduct())'

    'Some.Package:ProductService.EditAssignedProduct':
      matcher: 'method(Some\Package\Product\ProductService->updateProduct(productId in current.context.assignedProductIds))'

roles:

  'Some.Package:User':
    privileges:
      -
        privilegeTarget: 'Some.Package:ProductService.EditAssignedProduct'
        permission: GRANT


  'Some.Package:Administrator':
    parentRoles: ['Some.Package:User']
    privileges:
      -
        # admins can edit all products
        privilegeTarget: 'Some.Package:ProductService.EditAnyProduct'
        permission: GRANT

Settings.yaml

Neos:
  Flow:
    aop:
      globalObjects:
        'context': 'Some\Package\Security\AuthenticationContext'