TYPO3 Neos and Flow - Security 2.0
•
1 gefällt mir•4,086 views
In this presentation we present the new architecture and features of the security framework 2.0 shipped with Flow 3.0. Additionally the usage of this new architecture, to implement access controls for the whole editing process within the Neos CMS ist shown.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Andere mochten auch
Andere mochten auch (16)
Ähnlich wie TYPO3 Neos and Flow - Security 2.0
Ähnlich wie TYPO3 Neos and Flow - Security 2.0 (20)
Mehr von netlogix
Mehr von netlogix (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
TYPO3 Neos and Flow - Security 2.0
- 1. Security 2.0 Andreas Förthner Bastian Waidelich
- 4. Goals • Perfect fit for Neos • Separated from code • Fast • Declarative
- 6. Security 2.0
- 7. It’s all about protecting database reads and method calls!
- 8. How would that work? Changing the title of a page fancy AOP magic included! method(Node->setProperty(propertyName == "title"))
- 11. How would that work? Visibility of a page mind blowing SQL rewrites in the wild! this.workspace.name != ''live''
- 12. Your benefit! • All privileges are defined declaratively in a central place, not in your code • SQL constraints are faster than in memory filters • The actual protection code is part of the framework robust, well tested, updated in a central place
- 13. Technically that’s all you need!
- 14. Seriously?!
- 15. We want to use the Neos Language! Am I allowed to edit this property? Am I allowed to move this node to this target? Am I allowed to publish this node to that workspace? Am I allowed to see this part of the node tree?
- 16. We just invented custom privilege types Edit Node Read Node Create Node Move Node Remove Node Node Tree
- 18. Policy.yaml: privilegeTargets: 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeReadNodePrivilege': 'Acme.SomePackage:CustomerArea': matcher: 'isDescendantNodeOf("/sites/yoursite/customers")' 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege': 'Acme.SomePackage:CreateTextElementsOnProductPages': matcher: 'isDescendantNodeOf("/sites/yoursite/products") && createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")' roles: 'TYPO3.Flow:Everybody': privileges: - privilegeTarget: 'Acme.SomePackage:CreateTextElementsOnProductPages' permission: GRANT ‚Acme.SomePackage:RegisteredCustomers': privileges: - privilegeTarget: 'Acme.SomePackage:CustomerArea' permission: GRANT
- 19. Behind the scenes 1. Privilege types are real php classes 2. Functionality can be inherited! 3. Eel is used for the expressions 4. You can easily implement your own types
- 20. Neos Privilege Architecture Method Entity ReadNode EditNode MoveNode RemoveNode CreateNode NodeTree
- 21. Use cases
- 22. 1. Neos Comment Form
- 23. 1. Neos Comment Form NodeTypes.yaml: 'Acme.YourSite:CommentForm': superTypes: ['TYPO3.Neos:Content'] ui: label: 'Comment Form' CommentForm.html: <f:form actionUri="{neos:uri.node()}" objectName="newNode"> <f:form.hidden name="referenceNode" value="{node.path}" /> <f:form.hidden property="__nodeType" value="TYPO3.Neos.NodeTypes:Text" /> <f:form.textarea property="text" /> <f:form.submit value="Send comment" /> </f:form> Policy.yaml: privilegeTargets: 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege': 'Acme.SomePackage:CreateCommentNode': matcher: 'isDescendantNodeOf("/sites/yoursite/comments") && createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")' roles: 'TYPO3.Flow:Everybody': privileges: - privilegeTarget: 'Acme.SomePackage:CreateCommentNode' permission: GRANT
- 24. 2. Document Management AuthorizationService.php: public function isAllowed($document, $privilege = self::PRIVILEGE_READ) { if ($this->getAuthenticatedUser() === NULL) { return FALSE; } if ($this->getAuthenticatedUser()->isAdministrator()) { return TRUE; } switch ($privilege) { case self::PRIVILEGE_READ: return $this->isAllowedToReadDocument($document); case self::PRIVILEGE_CREATE: case self::PRIVILEGE_UPDATE: case self::PRIVILEGE_DELETE: return $this->hasAccessToResource('Acme_SomePackage_DocumentAdministration') && $this->isAllowedToEditCategory($document->getCategory()); case self::PRIVILEGE_VIEW_USER_GROUPS: return $this->isAllowedToViewUserGroupsOfDocument($document); } }
- 25. 2. Document Management Policy.yaml: privilegeTargets: 'AcmeSomePackageSecurityAuthorizationPrivilegeEditDocumentPrivilege': 'Acme.SomePackage:DocumentAdministration': matcher: 'documentIsInCategory(authenticatedUser.allowedCategories)' SomePhpFile.php: $documentSubject = new EditDocumentPrivilegeSubject($document); $this->privilegeManager->isGranted(EditDocumentPrivilege::class, $documentSubject); SomeFluidTemplate.html: <x:security.isAllowedToEditDocument document="{document}"> <!-- edit links, ... --> </x:security.isAllowedToEditDocument>