Dynamic ACL in Neos Flow
<?php
declare(strict_types=1);
namespace Some\Package\Security;
use Neos\Cache\CacheAwareInterface;
use Neos\Flow\Annotations as Flow;
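/**
 * Exposes the product ids assigned to the currently authenticated account so that
 * policy matchers can compare method arguments against them
 * (see the `current.context.assignedProductIds` expression in the policy below).
 *
 * The class implements CacheAwareInterface, so getCacheEntryIdentifier() has to yield
 * a different string whenever the set of assigned product ids differs.
 * NOTE(review): presumably Flow folds this identifier into the hash it uses to cache
 * per-context security decisions; confirm against the Flow version in use.
 *
 * @Flow\Scope("singleton")
 */
final class AuthenticationContext implements CacheAwareInterface
{
    /**
     * Returns the ids of the products the authenticated account may edit.
     *
     * @return array list of product ids; empty when no account is authenticated
     */
    public function getAssignedProductIds(): array
    {
        // TODO retrieve product ids that are assigned to the currently authenticated account
        // if no account is authenticated, an empty array should be returned
        // NOTE: If this list is expected to be very large, you should consider using something else than the id (but for example a product _category_)
        //
        // The ids must be derived from the authenticated account on the server side,
        // never from request data, because the policy grants edit access based on them.

        // Fail closed until the lookup exists: with an empty list the
        // "productId in current.context.assignedProductIds" condition matches nothing.
        // Without this return the declared array return type would raise a TypeError.
        return [];
    }

    /**
     * Builds the cache identifier from the assigned product ids.
     *
     * The ids are joined with "|", so an id that itself contains "|" would make two
     * different id lists produce the same identifier; keep ids free of that character
     * or hash each id before joining.
     *
     * @return string "|"-separated list of the assigned product ids, "" when there are none
     */
    public function getCacheEntryIdentifier(): string
    {
        // The original called getEditableProductIds(), which this class does not define
        // and which would fail at runtime; the accessor is getAssignedProductIds().
        return implode('|', $this->getAssignedProductIds());
    }
}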
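# Policy configuration (privilegeTargets / roles). The nesting below is restored;
# as extracted, every line sat at column 0 and the structure the policy depends on was lost.
privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    # Blacklist for the public ProductService methods
    # No role in this file is granted this target, so it only serves to put every
    # public ProductService method under access control.
    # NOTE(review): this relies on Flow denying a method that is matched by a privilege
    # target but granted to none of the account's roles; confirm for the Flow version in use.
    'Some.Package:ProductService.Blacklist':
      matcher: 'within(Some\Package\Product\ProductService) && method(public .*->.*())'
    # Unconditional access to updateProduct(), whatever product id is passed.
    'Some.Package:ProductService.EditAnyProduct':
      matcher: 'method(Some\Package\Product\ProductService->updateProduct())'
    # Access to updateProduct() only when its "productId" argument is contained in the
    # list returned by the "context" global object (AuthenticationContext::getAssignedProductIds()).
    # The argument name in the matcher must stay in sync with the method signature;
    # a renamed parameter would silently stop this condition from matching.
    'Some.Package:ProductService.EditAssignedProduct':
      matcher: 'method(Some\Package\Product\ProductService->updateProduct(productId in current.context.assignedProductIds))'
roles:
  # Regular users may edit only the products assigned to their account.
  'Some.Package:User':
    privileges:
      -
        privilegeTarget: 'Some.Package:ProductService.EditAssignedProduct'
        permission: GRANT
  # Inherits the User grants through parentRoles and adds the unconditional one.
  'Some.Package:Administrator':
    parentRoles: ['Some.Package:User']
    privileges:
      -
        # admins can edit all products
        privilegeTarget: 'Some.Package:ProductService.EditAnyProduct'
        permission: GRANT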
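# Settings: registers AuthenticationContext as an AOP global object.
# The key ("context") is the name the policy matcher uses after "current.",
# i.e. "current.context.assignedProductIds"; renaming one without the other
# leaves the EditAssignedProduct condition without a value to compare against.
Neos:
  Flow:
    aop:
      globalObjects:
        'context': 'Some\Package\Security\AuthenticationContext'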