Task #8427
Access roles are not inherited
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | Resolved | Start date: | 2010-06-22 |
| Priority: | Should have | Due date: | |
| Assigned To: | Andreas Förthner | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 1.0 alpha 10 | | |
| Sprint: | | Has patch: | |
| PHP Version: | | Complexity: | |
Description
Assuming we defined the following three ACL roles in Policy.yaml:
- administrator
- manager
- auditor
"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), "manager" and "auditor" have access to low-level features. Therefore, a good approach would be to inherit all privileges an "auditor" has to the "manager" role, and all privileges a "manager" has to "administrator".
The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (in the "acl" section). You would expect that you do NOT need those lines, because "manager" already has access to Meter/Asset (inherited from "auditor"), as does "administrator".
But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.
Assumption:
Privileges are not inherited. In this example: GRANT for role "auditor" is not passed on to "manager" (and to "administrator" at the next level).
Workaround:
Assign all "admin" users to the "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in the attached document.
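As an added illustration (not the ticket's attachment and not TYPO3 Flow's own code), the following Python model reproduces the behaviour the report describes: with only directly assigned roles consulted, a "manager" is denied a resource granted to "auditor"; once the effective-role lookup follows parent roles, the grant is inherited. The policy structure, the resource name "UserManagement" and the rule that an explicit DENY on any effective role wins are assumptions of this model, not Flow's Policy.yaml format or semantics; "Meter/Asset" and the three role names come from the ticket.

```python
from collections import deque

# Constructed policy: each role lists the roles it inherits from, and the
# "acl" section grants Meter/Asset only to the lowest role, "auditor".
# (Assumed layout, not TYPO3 Flow's Policy.yaml schema.)
POLICY = {
    "roles": {
        "auditor": [],
        "manager": ["auditor"],
        "administrator": ["manager"],
    },
    "acl": {
        "auditor": {"Meter/Asset": "GRANT"},
        "administrator": {"UserManagement": "GRANT"},  # constructed resource
    },
}


def expand_roles(policy, assigned_roles):
    """Return the assigned roles plus every role they transitively inherit.

    This is the step the ticket identifies as missing: a getRoles()-style
    lookup must include parent roles, otherwise a privilege granted to a
    parent is never visible for the child.
    """
    seen = []
    queue = deque(assigned_roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue  # already expanded; also protects against cycles
        seen.append(role)
        # Unknown roles simply have no parents.
        queue.extend(policy["roles"].get(role, []))
    return seen


def is_granted(policy, assigned_roles, resource, inherit=True):
    """Evaluate an access check for one resource.

    inherit=False reproduces the reported bug: only directly assigned roles
    are consulted. Decision rule of this model: an explicit DENY on any
    effective role wins, a GRANT on any effective role otherwise allows,
    and no entry at all means denied.
    """
    roles = expand_roles(policy, assigned_roles) if inherit else list(assigned_roles)
    decision = "DENY"
    for role in roles:
        entry = policy["acl"].get(role, {}).get(resource)
        if entry == "DENY":
            return False
        if entry == "GRANT":
            decision = "GRANT"
    return decision == "GRANT"


if __name__ == "__main__":
    for user_roles in (["auditor"], ["manager"], ["administrator"]):
        print(
            user_roles,
            "Meter/Asset without inheritance:",
            is_granted(POLICY, user_roles, "Meter/Asset", inherit=False),
            "| with inheritance:",
            is_granted(POLICY, user_roles, "Meter/Asset"),
        )
```

Running the script prints the denied result for "manager" and "administrator" when inheritance is ignored and the granted result once it is applied, while "auditor" still gets no access to the administrator-only resource in either mode.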
Associated revisions
- [+BUGFIX] FLOW3 (Security): Inheritance of roles works now again. Fixes #8427.
- [~TASK] FLOW3 (Security): Added a safeguard to catch syntax errors when loading the policy configuration.
History
#1 Updated by Michael Schams about 5 years ago
- File issue8427-FLOW3-policy-issue.pdf added
#2 Updated by Karsten Dambekalns about 5 years ago
- Project changed from Core Team to TYPO3.Flow
#3 Updated by Andreas Förthner about 5 years ago
- Category set to Security
- Status changed from New to Accepted
- Assigned To set to Andreas Förthner
This feature probably got lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.
I will take care asap.
#4 Updated by Andreas Förthner about 5 years ago
- Status changed from Accepted to Resolved
- % Done changed from 0 to 100
Applied in changeset r4624.
#5 Updated by Karsten Dambekalns about 5 years ago
- Target version set to 1.0 alpha 10