Unable to overwrite inherited ACL roles in Policy.yaml
|Priority:|Should have|Due date:||
|Assignee:|Andreas Förthner|% Done:||
|Target version:|TYPO3 Flow Base Distribution - 1.0 alpha 14|Estimated time:|2.00 hours|
|Has patch:||FLOW3 version affected:||
Roles are inherited correctly, but you cannot overwrite a previously defined DENY with a GRANT. It works fine to overwrite a GRANT with a DENY, but not vice versa.
See attached PDF document for clarification.
Please note: this ticket is related to #8427 (see examples there) but describes a (new) system behaviour (bug).
[~FEATURE] FLOW3 (Security): Add all resources to the 'Everybody' role by default
This adds an "ABSTAIN" privilege to all resources for the "Everybody"
role in the policy. By this, DENY and GRANT can be used more explicitly,
and all resources are protected by default and need not be denied.
Relates to: #8576
Updated by Michael Schams almost 3 years ago
Updated by Karsten Dambekalns almost 3 years ago
- Status changed from New to Accepted
- Assignee set to Andreas Förthner
- Target version set to 1.0 alpha 10
- Estimated time set to 2.00
Updated by Andreas Förthner almost 3 years ago
- Target version changed from 1.0 alpha 10 to 1.0 alpha 11
Updated by Karsten Dambekalns over 2 years ago
- Target version changed from 1.0 alpha 13 to 1.0 alpha 14
Updated by Andreas Förthner over 2 years ago
- Status changed from Accepted to Resolved
I close this issue, as the introduction of the new Everybody role and the fact that every resource is automatically added to this role with an ABSTAIN privilege should solve the issue.
Here is a short explanation of how privilege evaluation works:
The DENY privilege overrides any other privilege regardless of the inheritance. This is done by intention. By defining a resource, it is by default denied to everyone. As soon as one of the roles (or inherited parent roles) gets a GRANT privilege and no DENY privilege, the account is allowed access. The new ABSTAIN privilege is just ignored when evaluating the access decision, but if no other privilege is found, access is denied.
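The evaluation rules described in this comment, modelled as an added example (not FLOW3 code and not part of the original ticket); the role names, resources and policy entries are constructed, and the role inheritance chain reproduces the situation from the ticket, where a GRANT on a child role cannot undo a DENY inherited from its parent:

```python
GRANT, DENY, ABSTAIN = "GRANT", "DENY", "ABSTAIN"

# Constructed sample policy (not a real Policy.yaml): each role lists its
# parent roles, and the privilege it defines per resource.
ROLE_PARENTS = {"Everybody": [], "Customer": ["Everybody"], "Administrator": ["Customer"]}
POLICY = {
    # Every resource gets ABSTAIN for Everybody, so it is protected by default.
    "Everybody": {"orders": ABSTAIN, "adminPanel": ABSTAIN},
    "Customer": {"orders": GRANT, "adminPanel": DENY},
    # This GRANT cannot undo the DENY inherited from Customer (the ticket's point).
    "Administrator": {"adminPanel": GRANT},
}


def expand_roles(roles, parents=ROLE_PARENTS):
    """Return the given roles plus every role they inherit from, without duplicates."""
    seen, stack = [], list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.append(role)
            stack.extend(parents.get(role, []))
    return seen


def collect_privileges(resource, roles, policy=POLICY, parents=ROLE_PARENTS):
    """Gather the privileges that all (inherited) roles define for a resource."""
    found = []
    for role in expand_roles(roles, parents):
        privilege = policy.get(role, {}).get(resource)
        if privilege is not None:
            found.append(privilege)
    return found


def is_granted(resource, roles, policy=POLICY, parents=ROLE_PARENTS):
    """Access decision: a DENY anywhere in the chain wins; otherwise some role
    must GRANT; ABSTAIN contributes nothing, and no privilege at all means denied."""
    privileges = collect_privileges(resource, roles, policy, parents)
    if DENY in privileges:
        return False
    return GRANT in privileges


if __name__ == "__main__":
    for resource, roles in [("orders", ["Everybody"]), ("orders", ["Customer"]),
                            ("adminPanel", ["Administrator"])]:
        verdict = "granted" if is_granted(resource, roles) else "denied"
        print(f"{resource} for {roles}: {verdict}")
```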