Bug #8576

Unable to overwrite inherited ACL roles in Policy.yaml

Added by Michael Schams about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Should have
Assigned To: Andreas Förthner
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.0 alpha 14
Start date: 2010-07-01
Due date:
% Done: 0%
Estimated time: 2.00 hours
PHP Version:
Complexity:
Has patch:
Affected Flow version:

Description

Roles are inherited correctly, but you cannot overwrite a previously defined DENY with a GRANT. It's working fine to overwrite a GRANT with a DENY, but not vice versa.

See attached PDF document for clarification.

Please note: this ticket is related to #8427 (see examples there) but describes a (new) system behaviour (bug).

issue8576-FLOW3-overwrite-inherited-access-roles.pdf (125.4 kB) Michael Schams, 2010-07-01 04:21

Associated revisions

Revision a7aa0a75
Added by Andreas Förthner over 4 years ago

[~FEATURE] FLOW3 (Security): Add all resources to the 'Everybody' role by default

This adds an "ABSTAIN" privilege to all resources for the "Everybody"
role in the policy. By this, DENY and GRANT can be used more explicitly,
and all resources are protected by default and need not be denied
manually.

Relates to: #8576

Change-Id: Ibf3a480b108536f8a69a69e79e20c795155a82b6

History

#2 Updated by Karsten Dambekalns about 5 years ago

  • Status changed from New to Accepted
  • Assigned To set to Andreas Förthner
  • Target version set to 1.0 alpha 10
  • Estimated time set to 2.00

#3 Updated by Andreas Förthner about 5 years ago

  • Target version changed from 1.0 alpha 10 to 1.0 alpha 11

#4 Updated by Karsten Dambekalns almost 5 years ago

  • Target version deleted (1.0 alpha 11)

#5 Updated by Andreas Förthner almost 5 years ago

  • Target version set to 1.0 alpha 13

#6 Updated by Karsten Dambekalns over 4 years ago

  • Target version changed from 1.0 alpha 13 to 1.0 alpha 14

#7 Updated by Andreas Förthner over 4 years ago

  • Status changed from Accepted to Resolved

I close this issue, as the introduction of the new Everybody role and the fact that every resource is automatically added to this role with an ABSTAIN privilege should solve the issue.

Here is a short explanation of how privilege evaluation works:

The DENY privilege overrides any other privilege regardless of inheritance. This is intentional. By defining a resource, it is by default denied to everyone. As soon as one of the roles (or inherited parent roles) gets a GRANT privilege and no DENY privilege, the account is allowed access. The new ABSTAIN privilege is just ignored when evaluating the access decision, but if no other privilege is found, access is denied.
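A small model of the evaluation order described in this comment, added here as an example (Python, not Flow's own code): it reproduces the ticket's situation, where a GRANT in an inheriting role cannot undo an inherited DENY, and the resolution, where the parent role leaves the resource at Everybody's ABSTAIN instead. Role names and the `customerArea` resource are constructed.

```python
from dataclasses import dataclass, field

# Privilege names as used in the ticket; ABSTAIN is the one introduced
# by revision a7aa0a75 for the "Everybody" role.
DENY, GRANT, ABSTAIN = "DENY", "GRANT", "ABSTAIN"


@dataclass(eq=False)  # identity semantics so roles can sit in a set
class Role:
    name: str
    parents: list = field(default_factory=list)     # roles this one inherits from
    privileges: dict = field(default_factory=dict)  # resource -> privilege


def effective_roles(roles):
    """Expand a list of roles to include every transitively inherited parent."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role.parents)
    return seen


def decide(account_roles, resource):
    """Model of the rules in comment #7: any DENY wins regardless of
    inheritance; otherwise a GRANT anywhere in the role tree allows access;
    ABSTAIN is ignored; a resource with no GRANT at all is denied by default."""
    found = {role.privileges.get(resource) for role in effective_roles(account_roles)}
    if DENY in found:
        return False
    return GRANT in found


# Constructed policy for the ticket's case: Customer denies the resource and
# Administrator, inheriting from Customer, tries to re-GRANT it.
everybody = Role("Everybody", privileges={"customerArea": ABSTAIN})
customer_deny = Role("Customer", [everybody], {"customerArea": DENY})
admin_over_deny = Role("Administrator", [customer_deny], {"customerArea": GRANT})

# The resolved style: Customer defines no privilege of its own, so only
# Everybody's ABSTAIN is inherited and the Administrator's GRANT takes effect.
customer_abstain = Role("Customer", [everybody])
admin_over_abstain = Role("Administrator", [customer_abstain], {"customerArea": GRANT})

if __name__ == "__main__":
    print("GRANT over inherited DENY:", decide([admin_over_deny], "customerArea"))
    print("GRANT over inherited ABSTAIN:", decide([admin_over_abstain], "customerArea"))
    print("Everybody alone:", decide([everybody], "customerArea"))
```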
