TYPO3 Neos and Flow - Security 2.0

3.095 Aufrufe

Veröffentlicht am

In this presentation we present the new architecture and features of the security framework 2.0 shipped with Flow 3.0. Additionally the usage of this new architecture, to implement access controls for the whole editing process within the Neos CMS ist shown.

Veröffentlicht in: Software
0 Kommentare
1 Gefällt mir
Statistik
Notizen
  • Als Erste(r) kommentieren

Keine Downloads
Aufrufe
Aufrufe insgesamt
3.095
Auf SlideShare
0
Aus Einbettungen
0
Anzahl an Einbettungen
264
Aktionen
Geteilt
0
Downloads
6
Kommentare
0
Gefällt mir
1
Einbettungen 0
Keine Einbettungen

Keine Notizen für die Folie

TYPO3 Neos and Flow - Security 2.0

  1. 1. Security 2.0 Andreas Förthner Bastian Waidelich
  2. 2. What is security?
  3. 3. Goals • Perfect fit for Neos • Separated from code • Fast • Declarative
  4. 4. Why change it? Extensibility!
  5. 5. Security 2.0
  6. 6. It’s all about protecting database reads and method calls!
  7. 7. How would that work? Changing the title of a page fancy AOP magic included! method(Node->setProperty(propertyName == "title"))
  8. 8. How would that work? Visibility of a page mind blowing SQL rewrites in the wild! this.workspace.name != ''live''
  9. 9. Your benefit! • All privileges are defined declaratively in a central place, not in your code • SQL constraints are faster than in memory filters • The actual protection code is part of the framework robust, well tested, updated in a central place
  10. 10. Technically that’s all you need!
  11. 11. Seriously?!
  12. 12. We want to use the Neos Language! Am I allowed to edit this property? Am I allowed to move this node to this target? Am I allowed to publish this node to that workspace? Am I allowed to see this part of the 
 node tree?
  13. 13. We just invented custom privilege types Edit Node Read Node Create Node Move Node Remove Node Node Tree
  14. 14. isDescendantNodeOf(„/sites/typo3cr/service/") nodeIsOfType(„TYPO3.Neos.NodeTypes:Text“) hasDimensionValue(„language“, „de_DE“)
  15. 15. Policy.yaml: privilegeTargets:
 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeReadNodePrivilege':
 'Acme.SomePackage:CustomerArea':
 matcher: 'isDescendantNodeOf("/sites/yoursite/customers")'
 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege':
 'Acme.SomePackage:CreateTextElementsOnProductPages':
 matcher: 'isDescendantNodeOf("/sites/yoursite/products") && createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")'
 roles: 
 'TYPO3.Flow:Everybody':
 privileges:
 -
 privilegeTarget: 'Acme.SomePackage:CreateTextElementsOnProductPages'
 permission: GRANT ‚Acme.SomePackage:RegisteredCustomers':
 privileges: -
 privilegeTarget: 'Acme.SomePackage:CustomerArea'
 permission: GRANT
  16. 16. Behind the scenes 1. Privilege types are real php classes 2. Functionality can be inherited! 3. Eel is used for the expressions 4. You can easily implement your own types
  17. 17. Neos Privilege Architecture Method Entity ReadNode EditNode MoveNode RemoveNode CreateNode NodeTree
  18. 18. Use cases
  19. 19. 1. Neos Comment Form
  20. 20. 1. Neos Comment Form NodeTypes.yaml: 'Acme.YourSite:CommentForm':
 superTypes: ['TYPO3.Neos:Content']
 ui:
 label: 'Comment Form' CommentForm.html: <f:form actionUri="{neos:uri.node()}" objectName="newNode">
 <f:form.hidden name="referenceNode" value="{node.path}" />
 <f:form.hidden property="__nodeType" value="TYPO3.Neos.NodeTypes:Text" />
 <f:form.textarea property="text" />
 <f:form.submit value="Send comment" />
 </f:form> Policy.yaml: privilegeTargets:
 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege':
 'Acme.SomePackage:CreateCommentNode':
 matcher: 'isDescendantNodeOf("/sites/yoursite/comments") && createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")'
 roles:
 'TYPO3.Flow:Everybody':
 privileges:
 -
 privilegeTarget: 'Acme.SomePackage:CreateCommentNode'
 permission: GRANT
  21. 21. 2. Document Management AuthorizationService.php: public function isAllowed($document, $privilege = self::PRIVILEGE_READ) {
 if ($this->getAuthenticatedUser() === NULL) {
 return FALSE;
 }
 if ($this->getAuthenticatedUser()->isAdministrator()) {
 return TRUE;
 }
 switch ($privilege) {
 case self::PRIVILEGE_READ:
 return $this->isAllowedToReadDocument($document);
 case self::PRIVILEGE_CREATE:
 case self::PRIVILEGE_UPDATE:
 case self::PRIVILEGE_DELETE:
 return $this->hasAccessToResource('Acme_SomePackage_DocumentAdministration')
 && $this->isAllowedToEditCategory($document->getCategory());
 case self::PRIVILEGE_VIEW_USER_GROUPS:
 return $this->isAllowedToViewUserGroupsOfDocument($document);
 }
 }
  22. 22. 2. Document Management Policy.yaml: privilegeTargets:
 'AcmeSomePackageSecurityAuthorizationPrivilegeEditDocumentPrivilege':
 'Acme.SomePackage:DocumentAdministration':
 matcher: 'documentIsInCategory(authenticatedUser.allowedCategories)' SomePhpFile.php: $documentSubject = new EditDocumentPrivilegeSubject($document);
 $this->privilegeManager->isGranted(EditDocumentPrivilege::class, $documentSubject); SomeFluidTemplate.html: <x:security.isAllowedToEditDocument document="{document}">
 <!-- edit links, ... -->
 </x:security.isAllowedToEditDocument>
  23. 23. Questions? Bastian Waidelich @bwaidelich Andreas Förthner @t3andi

×