Task #8427
Access roles are not inherited
| Status: | Resolved | Start date: | 2010-06-22 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assignee: | Andreas Förthner | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 1.0 alpha 10 | | |
| Sprint: | | Has patch: | |
| PHP Version: | | Complexity: | |
| Votes: | 0 | | |
Description
Assuming, we defined the following three ACL roles in Policy.yaml:
- administrator
- manager
- auditor
"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), "manager" and "auditor" have access to low-level features. Therefore, a good approach would be to inherit all privileges an "auditor" has to the "manager" role, and all privileges a "manager" has to "administrator".
The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (at "acl" section). You would expect that you do NOT need those lines, because "manager" already has access to Meter/Asset (inherited by "auditor"), as well as "administrator".
But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.
Assumption:
Privileges are not inherited. In this example: GRANT for role "auditor" is not passed to "manager" (and "administrator" in the next level).
Workaround:
Assign all "admin" users to "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in the attached document.
Associated revisions
- [+BUGFIX] FLOW3 (Security): Inheritance of roles works now again. Fixes #8427.
- [~TASK] FLOW3 (Security): Added a safeguard to catch syntax errors when loading the policy configuration.
History
Updated by Michael Schams almost 3 years ago
- File issue8427-FLOW3-policy-issue.pdf added
Updated by Karsten Dambekalns almost 3 years ago
- Project changed from Core Team to TYPO3.Flow
Updated by Andreas Förthner almost 3 years ago
- Category set to Security
- Status changed from New to Accepted
- Assignee set to Andreas Förthner
This feature probably got lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.
I will take care asap.
Updated by Andreas Förthner almost 3 years ago
- Status changed from Accepted to Resolved
- % Done changed from 0 to 100
Applied in changeset r4624.
Updated by Karsten Dambekalns almost 3 years ago
- Target version set to 1.0 alpha 10