Feature #6604
Implement QueryRewriting according to the security policy
| Status: | Resolved | Start date: | 2010-03-04 | |
|---|---|---|---|---|
| Priority: | Must have | Due date: | ||
| Assigned To: | Andreas Förthner | % Done: | 100% |
|
| Category: | Security | |||
| Target version: | - | Estimated time: | 30.00 hours | |
| PHP Version: | Complexity: | |||
| Has patch: |
Description
Queries to the persistence layer should be automatically rewritten according to the security policy. This will speed up things a lot, as you'll only get objects you'll actually are allowed to see.
One idea was to define constraints for models in the Policy.yaml:
resources:
models:
F3\Party\Domain\Model\Account:
ownAccount: this.party == current.party && this.credentialsSourec != 'foo'
Another idea came to my mind, that we should discuss:
Often you want to define access for specific models on a per object basis. Meaning you want to define which roles should be allowed to see a specific object. This ends up in adding roles to objects, which we could do by a cool model security advice. We'll have to discuss this in details!
Related issues
Associated revisions
- [+TASK] FLOW3 (Object): Added session scope related methods to the object manager and interface.
- [+FEATURE] FLOW3 (AOP): Added a matches operator as a new possibility for runtime evaluations.
- [+FEATURE] FLOW3 (AOP): Global objects available in runtime evaluations can now be configured in the settings. Resolves #6598.
- [+FEATURE] FLOW3 (Security): Implemented query rewriting according to the security policy. Relates to #5659, Resolves #6604.
[~TASK] FLOW3 (Persistence): If objects have been blocked by security query rewriting, ignore them in certain places; relates to #6604.
[~TASK] FLOW3 (Persistence): Adjusted unit tests not included in last commit (If objects have been blocked by security query rewriting, ignore them in certain places); relates to #6604.
History
#1 Updated by Andreas Förthner over 5 years ago
- Target version set to 1.0 alpha 9
#2 Updated by Andreas Förthner over 5 years ago
- Priority changed from Should have to Must have
#3 Updated by Andreas Förthner over 5 years ago
We have to advice three methods of the Persistence BackendInterface:
getObjectCountByQuery($query):
-> rewrite QOM $query by setting appropriate constraints as where conditions for top level objects, or join conditions for subobjects
getObjectDataByQuery($query):
-> rewrite QOM $query by setting appropriate constraints as where conditions for top level objects, or join conditions for subobjects
getObjectDataByIdentifier($identifier):
-> check the return value (this is always only one object)
#4 Updated by Andreas Förthner over 5 years ago
In the policy we need to following comparison operators:
== >= <= > < != like <arrayProperty> contains <singleValue> <singleValueProperty> in <array of values> <arrayProperty> matches <array of values>
#5 Updated by Robert Lemke over 5 years ago
- Start date changed from 2010-02-25 to 2010-03-04
- % Done changed from 0 to 40
- Estimated time set to 30.00
#6 Updated by Robert Lemke over 5 years ago
- Status changed from New to Accepted
#7 Updated by Robert Lemke about 5 years ago
- Target version deleted (
1.0 alpha 9)
#8 Updated by Andreas Förthner about 5 years ago
- Status changed from Accepted to Resolved
- % Done changed from 40 to 100
Applied in changeset r4613.