Task #8427

Access roles are not inherited

Added by Michael Schams about 5 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: Should have
Assigned To: Andreas Förthner
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.0 alpha 10
Start date: 2010-06-22
Due date:
% Done: 100%
Sprint:
Has patch:
PHP Version:
Complexity:

Description

Assuming we defined the following three ACL roles in Policy.yaml:

  • administrator
  • manager
  • auditor

"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), "manager" and "auditor" have access to low level features. Therefore, a good approach would be to inherit all privileges an "auditor" has to the "manager" role, and all privileges a "manager" has to "administrator".

The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (at "acl" section). You would expect that you do NOT need those lines, because "manager" already has access to Meter/Asset (inherited by "auditor"), as well as "administrator".

But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.

Assumption:

Privileges are not inherited. In this example: GRANT for role "auditor" is not passed to "manager" (and "administrator" in the next level).

Workaround:

Assign all "admin" users to "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in attached document.

issue8427-FLOW3-policy-issue.pdf (83.4 kB) Michael Schams, 2010-06-22 02:50

Associated revisions

Revision 45567307
Added by Andreas Förthner about 5 years ago

  • [+BUGFIX] FLOW3 (Security): Inheritance of roles works now again. Fixes #8427.
  • [~TASK] FLOW3 (Security): Added a safeguard to catch syntax errors when loading the policy configuration.

History

#2 Updated by Karsten Dambekalns about 5 years ago

  • Project changed from Core Team to TYPO3.Flow

#3 Updated by Andreas Förthner about 5 years ago

  • Category set to Security
  • Status changed from New to Accepted
  • Assigned To set to Andreas Förthner

This feature probably got lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.

I will take care asap.
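The behaviour the description expects, and the fix comment #3 points at (a getRoles() that expands a user's roles to include inherited parent roles before the ACLs are evaluated), can be illustrated with a small stand-alone resolver. This is an added example, not FLOW3/TYPO3 Flow code: the parent-role array, the resource names Meter_Asset and User_Management, and the GRANT/DENY evaluation order are constructed here to mirror the auditor < manager < administrator hierarchy from the report, not taken from the attached Policy.yaml.

```php
<?php
// Added example (not FLOW3 / TYPO3 Flow code): role inheritance as the issue
// expects it. Role names follow the report; resources and the parent-role
// relation are constructed for illustration.
declare(strict_types=1);

/**
 * Expands the roles directly assigned to an account into the full set of
 * effective roles by following the parent relation transitively.
 * Visited-set bookkeeping also stops a cyclic (misconfigured) hierarchy.
 *
 * @param array<string, string[]> $roleParents role => list of parent roles
 * @param string[] $assigned roles directly assigned to the account
 * @return string[] effective roles (assigned + all ancestors)
 */
function resolveRoles(array $roleParents, array $assigned): array
{
    $resolved = [];
    $stack = $assigned;
    while ($stack !== []) {
        $role = array_pop($stack);
        if (isset($resolved[$role])) {
            continue; // already expanded (also breaks cycles)
        }
        if (!array_key_exists($role, $roleParents)) {
            throw new InvalidArgumentException("Unknown role '$role' in policy");
        }
        $resolved[$role] = true;
        foreach ($roleParents[$role] as $parent) {
            $stack[] = $parent;
        }
    }
    return array_keys($resolved);
}

/**
 * Evaluates the ACL entries of all effective roles for one resource.
 * Any DENY wins over GRANT; no entry at all means access is denied by default,
 * which is exactly what the reporter saw when inheritance did not happen.
 *
 * @param array<string, array<string, string>> $acls role => resource => GRANT|DENY
 * @param string[] $effectiveRoles
 */
function isGranted(array $acls, array $effectiveRoles, string $resource): bool
{
    $granted = false;
    foreach ($effectiveRoles as $role) {
        $decision = $acls[$role][$resource] ?? null;
        if ($decision === 'DENY') {
            return false;
        }
        if ($decision === 'GRANT') {
            $granted = true;
        }
    }
    return $granted;
}

// Constructed hierarchy from the report: manager inherits auditor,
// administrator inherits manager.
$roleParents = [
    'auditor'       => [],
    'manager'       => ['auditor'],
    'administrator' => ['manager'],
];

// Only the lowest role carries the GRANT for Meter_Asset; the higher roles
// are meant to inherit it, so the "red" duplicate lines are not needed.
$acls = [
    'auditor'       => ['Meter_Asset' => 'GRANT'],
    'administrator' => ['User_Management' => 'GRANT'],
];

$label = static fn(bool $ok): string => $ok ? 'GRANT' : 'Access denied';

// The bug: the context returns only the directly assigned role.
printf("manager  -> Meter_Asset (no inheritance):   %s\n",
    $label(isGranted($acls, ['manager'], 'Meter_Asset')));

// The fix: getRoles() expands to manager + auditor before the ACL check.
printf("manager  -> Meter_Asset (with inheritance): %s\n",
    $label(isGranted($acls, resolveRoles($roleParents, ['manager']), 'Meter_Asset')));
printf("admin    -> Meter_Asset (with inheritance): %s\n",
    $label(isGranted($acls, resolveRoles($roleParents, ['administrator']), 'Meter_Asset')));

// Inheritance only flows upwards: an auditor gains nothing from administrator.
printf("auditor  -> User_Management:                %s\n",
    $label(isGranted($acls, resolveRoles($roleParents, ['auditor']), 'User_Management')));
```

Running the script prints "Access denied" for the first check and "GRANT" for the two inherited checks, while the auditor is still denied User_Management; the expansion step is the one piece the refactored security context had dropped.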

#4 Updated by Andreas Förthner about 5 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100

Applied in changeset r4624.

#5 Updated by Karsten Dambekalns about 5 years ago

  • Target version set to 1.0 alpha 10
