Dynamic ACL in Neos Flow
<?php | |
declare(strict_types=1); | |
namespace Some\Package\Security; | |
use Neos\Cache\CacheAwareInterface; | |
use Neos\Flow\Annotations as Flow; | |
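/**
 * Global object exposed to the security policy as `current.context`
 * (registered under Neos.Flow.aop.globalObjects.context in Settings.yaml),
 * so privilege matchers can reference `current.context.assignedProductIds`.
 *
 * Implementing CacheAwareInterface lets the framework key cached privilege
 * evaluations on the current set of assigned products rather than re-evaluating
 * (or, worse, reusing a stale result) per call.
 *
 * @Flow\Scope("singleton")
 */
final class AuthenticationContext implements CacheAwareInterface
{
    /**
     * Product ids assigned to the currently authenticated account.
     *
     * Policy.yaml evaluates `productId in current.context.assignedProductIds`,
     * so the returned values must be comparable with the `productId` argument
     * of ProductService::updateProduct() — presumably scalar ids; confirm against that method.
     *
     * @return array empty when no account is authenticated
     */
    public function getAssignedProductIds(): array
    {
        // TODO retrieve product ids that are assigned to the currently authenticated account
        // if no account is authenticated, an empty array should be returned
        // NOTE: If this list is expected to be very large, you should consider using something else than the id (but for example a product _category_)

        // Fail closed: until the lookup is implemented (and whenever nothing is
        // authenticated) no product counts as assigned, so EditAssignedProduct grants
        // nothing. Falling through without a return would violate the `array` return
        // type under strict_types and throw a TypeError instead.
        return [];
    }

    /**
     * Identifier used by the policy cache: one entry per distinct set of assigned
     * product ids. An empty assignment set (e.g. unauthenticated) maps to ''.
     *
     * Note: ids are joined with '|'; if an id could itself contain '|', two different
     * sets could collide — hash the joined string in that case.
     */
    public function getCacheEntryIdentifier(): string
    {
        // Previously called the non-existent getEditableProductIds(), which would have
        // thrown at runtime on the first cached privilege evaluation.
        return implode('|', $this->getAssignedProductIds());
    }
}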
privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    # Blacklist for the public ProductService methods
    # Because this target matches every public ProductService method, a call is only
    # allowed when some role GRANTs a target that covers it; presumably relies on the
    # Flow rule that a matched method without a grant is denied — confirm. Note that
    # neither role below grants this target, so public methods other than updateProduct()
    # stay blocked for everyone, including Administrator.
    'Some.Package:ProductService.Blacklist':
      matcher: 'within(Some\Package\Product\ProductService) && method(public .*->.*())'
    # Static target: matches updateProduct() regardless of its arguments.
    'Some.Package:ProductService.EditAnyProduct':
      matcher: 'method(Some\Package\Product\ProductService->updateProduct())'
    # Dynamic target: `current.context` is the global object registered in Settings.yaml
    # (Neos.Flow.aop.globalObjects.context -> Some\Package\Security\AuthenticationContext),
    # and `assignedProductIds` resolves to its getAssignedProductIds(). `productId` has to
    # be the name of updateProduct()'s parameter for the runtime constraint to read it — confirm.
    'Some.Package:ProductService.EditAssignedProduct':
      matcher: 'method(Some\Package\Product\ProductService->updateProduct(productId in current.context.assignedProductIds))'
roles:
  'Some.Package:User':
    privileges:
      -
        # users may only update products that are assigned to them (checked at runtime per call)
        privilegeTarget: 'Some.Package:ProductService.EditAssignedProduct'
        permission: GRANT
  'Some.Package:Administrator':
    # inherits the EditAssignedProduct grant from User in addition to the grant below
    parentRoles: ['Some.Package:User']
    privileges:
      -
        # admins can edit all products
        privilegeTarget: 'Some.Package:ProductService.EditAnyProduct'
        permission: GRANT
Neos:
  Flow:
    aop:
      globalObjects:
        # Available to policy matchers as `current.context` (Policy.yaml uses
        # `current.context.assignedProductIds`). AuthenticationContext implements
        # CacheAwareInterface; its getCacheEntryIdentifier() is presumably what lets
        # privilege evaluations be cached per assignment set — confirm.
        'context': 'Some\Package\Security\AuthenticationContext'