Bug #8576
Unable to overwrite inherited ACL roles in Policy.yaml
| Field | Value |
|---|---|
| Status | Resolved |
| Start date | 2010-07-01 |
| Priority | Should have |
| Due date | |
| Assigned To | Andreas Förthner |
| % Done | 0% |
| Category | Security |
| Target version | TYPO3 Flow Base Distribution - 1.0 alpha 14 |
| Estimated time | 2.00 hours |
| PHP Version | |
| Complexity | |
| Has patch | |
| Affected Flow version | |
Description
Roles are inherited correctly, but you cannot overwrite a previously defined DENY with a GRANT. It works fine to overwrite a GRANT with a DENY, but not vice versa.
See attached PDF document for clarification.
Please note: this ticket is related to #8427 (see examples there) but describes a (new) system behaviour (bug).
Associated revisions
[~FEATURE] FLOW3 (Security): Add all resources to the 'Everybody' role by default
This adds an "ABSTAIN" privilege to all resources for the "Everybody" role in the policy. By this, DENY and GRANT can be used more explicitly, and all resources are protected by default and need not be denied manually.
Relates to: #8576
Change-Id: Ibf3a480b108536f8a69a69e79e20c795155a82b6
History
#1 Updated by Michael Schams about 5 years ago
#2 Updated by Karsten Dambekalns about 5 years ago
- Status changed from New to Accepted
- Assigned To set to Andreas Förthner
- Target version set to 1.0 alpha 10
- Estimated time set to 2.00
#3 Updated by Andreas Förthner about 5 years ago
- Target version changed from 1.0 alpha 10 to 1.0 alpha 11
#4 Updated by Karsten Dambekalns almost 5 years ago
- Target version deleted (1.0 alpha 11)
#5 Updated by Andreas Förthner almost 5 years ago
- Target version set to 1.0 alpha 13
#6 Updated by Karsten Dambekalns over 4 years ago
- Target version changed from 1.0 alpha 13 to 1.0 alpha 14
#7 Updated by Andreas Förthner over 4 years ago
- Status changed from Accepted to Resolved
I close this issue, as the introduction of the new Everybody role and the fact that every resource is automatically added to this role with an ABSTAIN privilege should solve the issue.
Here is a short explanation of how privilege evaluation works:
The DENY privilege overrides any other privilege, regardless of inheritance. This is done intentionally. By defining a resource, it is by default denied to everyone. As soon as one of the roles (or inherited parent roles) gets a GRANT privilege and no DENY privilege, the account is allowed access. The new ABSTAIN privilege is just ignored when evaluating the access decision, but if no other privilege is found, access is denied.
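The evaluation rules from comment #7, together with the inherited-DENY case from the description, as an added example that is not FLOW3 code and not part of the ticket. It models a Policy.yaml-style role hierarchy in Python; the role names, resource names and the helper functions are constructed for illustration and are not FLOW3 identifiers:

```python
"""Model of the privilege evaluation described in comment #7 of this ticket.

Added example, not FLOW3 code: it applies the rules stated there (DENY always
wins, GRANT without any DENY allows, ABSTAIN is ignored, no privilege at all
means denied) across an inherited role hierarchy, and mirrors the associated
revision by giving the Everybody role ABSTAIN on every defined resource.
"""
from enum import Enum
from typing import Dict, List, Set


class Privilege(Enum):
    GRANT = "GRANT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


# Constructed sample policy (hypothetical names, not taken from the ticket):
# role -> parent roles it inherits privileges from.
ROLE_PARENTS: Dict[str, List[str]] = {
    "Everybody": [],
    "Customer": ["Everybody"],
    "Administrator": ["Customer"],
    "Auditor": ["Everybody"],
    "SeniorAuditor": ["Auditor"],
}

# role -> resource -> privilege, as it would be declared per role in the policy.
ACLS: Dict[str, Dict[str, Privilege]] = {
    "Customer": {"Acme_Shop_Orders": Privilege.GRANT},
    "Administrator": {"Acme_Shop_Admin": Privilege.GRANT},
    "Auditor": {"Acme_Shop_Orders": Privilege.DENY},
    # The situation from the description: a child role GRANTing what its parent DENYs.
    "SeniorAuditor": {"Acme_Shop_Orders": Privilege.GRANT},
}

# All resources defined in the (constructed) policy.
RESOURCES = ["Acme_Shop_Orders", "Acme_Shop_Admin", "Acme_Shop_Reports"]


def add_everybody_abstain(acls, resources, everybody="Everybody"):
    """Mirror the associated revision: every defined resource gets an ABSTAIN
    privilege for the Everybody role unless that role already declares one."""
    result = {role: dict(entries) for role, entries in acls.items()}
    everybody_acl = result.setdefault(everybody, {})
    for resource in resources:
        everybody_acl.setdefault(resource, Privilege.ABSTAIN)
    return result


def expand_roles(roles, parents):
    """The account's roles plus every transitively inherited parent role."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(parents.get(role, []))
    return seen


def collect_privileges(roles, resource, acls):
    """Every privilege any of the given roles declares on the resource."""
    found = []
    for role in roles:
        privilege = acls.get(role, {}).get(resource)
        if privilege is not None:
            found.append(privilege)
    return found


def is_access_granted(account_roles, resource, parents=ROLE_PARENTS, acls=None):
    """Access decision following the rules in comment #7."""
    if acls is None:
        acls = add_everybody_abstain(ACLS, RESOURCES)
    privileges = collect_privileges(expand_roles(account_roles, parents), resource, acls)
    if Privilege.DENY in privileges:
        return False  # DENY overrides everything, inherited or not
    if Privilege.GRANT in privileges:
        return True   # some role or parent grants and nothing denies
    return False      # only ABSTAIN, or no privilege at all: denied by default


if __name__ == "__main__":
    acls = add_everybody_abstain(ACLS, RESOURCES)
    for roles, resource in [
        (["Customer"], "Acme_Shop_Orders"),
        (["Administrator"], "Acme_Shop_Orders"),
        (["Everybody"], "Acme_Shop_Orders"),
        (["Administrator", "Auditor"], "Acme_Shop_Orders"),
        (["SeniorAuditor"], "Acme_Shop_Orders"),
        (["Administrator"], "Acme_Shop_Reports"),
    ]:
        decision = "GRANT" if is_access_granted(roles, resource, acls=acls) else "DENY"
        print(roles, resource, "->", decision)
```

Running the demo shows the point of the ticket: SeniorAuditor's GRANT on Acme_Shop_Orders is never honoured because the inherited Auditor DENY wins, exactly as comment #7 says. The structure the resolution implies is to leave the resource undeclared in the parent role (Everybody's ABSTAIN already keeps it denied by default) and put the GRANT only in the roles that should have access.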