Feature #6604

Implement QueryRewriting according to the security policy

Added by Andreas Förthner over 11 years ago. Updated almost 11 years ago.

Status: Resolved
Priority: Must have
Category: Security
Target version: -
Start date: 2010-03-04
Due date:
% Done: 100%
Estimated time: 30.00 h
PHP Version:
Has patch:
Complexity:

Description

Queries to the persistence layer should be automatically rewritten according to the security policy. This will speed things up a lot, as you'll only get objects you're actually allowed to see.

One idea was to define constraints for models in the Policy.yaml:

resources:
  models:
    F3\Party\Domain\Model\Account:
      ownAccount: this.party == current.party && this.credentialsSource != 'foo'

Another idea came to my mind, that we should discuss:

Often you want to define access for specific models on a per-object basis, meaning you want to define which roles should be allowed to see a specific object. This ends up in adding roles to objects, which we could do by a cool model security advice. We'll have to discuss this in detail!


Related issues

Related to TYPO3.Flow - Major Feature #5659: Implement content security (Resolved, Andreas Förthner, 2009-12-07)

#1

Updated by Andreas Förthner over 11 years ago

  • Target version set to 1.0 alpha 9
#2

Updated by Andreas Förthner over 11 years ago

  • Priority changed from Should have to Must have
#3

Updated by Andreas Förthner over 11 years ago

We have to advise three methods of the Persistence BackendInterface:

getObjectCountByQuery($query):
-> rewrite QOM $query by setting appropriate constraints as where conditions for top level objects, or join conditions for subobjects

getObjectDataByQuery($query):
-> rewrite QOM $query by setting appropriate constraints as where conditions for top level objects, or join conditions for subobjects

getObjectDataByIdentifier($identifier):
-> check the return value (this is always only one object)

#4

Updated by Andreas Förthner over 11 years ago

In the policy we need the following comparison operators:

==
>=
<= 
>
<
!=
like
<arrayProperty> contains <singleValue>
<singleValueProperty> in <array of values>
<arrayProperty> matches <array of values>
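
The query path from comment #3, with a subset of the operators from comment #4, as an added example that is not part of the issue discussion or of FLOW3's code base. The function names, the SQL WHERE string standing in for the QOM constraint tree, and the sample values are assumptions.

```php
<?php
// Added illustration (PHP 8). All names are hypothetical; a SQL WHERE string
// stands in for the QOM constraint tree. This is not FLOW3 code.

// Parse "this.<prop> <op> <operand> && ..." into [property, operator, value] nodes.
// An operand is a 'quoted literal' or current.<name>, taken from the security context.
function parsePolicy(string $expression, array $current): array
{
    $pattern = "/^\s*this\.(\w+)\s+(==|!=|>=|<=|>|<|in)\s+(?:'([^']*)'|current\.(\w+))\s*$/";
    $nodes = [];
    foreach (explode('&&', $expression) as $term) {
        if (!preg_match($pattern, $term, $m)) {
            throw new InvalidArgumentException("Unsupported policy term: $term"); // fail closed
        }
        if (isset($m[4]) && !array_key_exists($m[4], $current)) {
            throw new InvalidArgumentException("No context value for current.{$m[4]}");
        }
        $nodes[] = [$m[1], $m[2], isset($m[4]) ? $current[$m[4]] : $m[3]];
    }
    return $nodes;
}

// Query path: AND the policy onto the caller's WHERE. The parentheses stop a
// caller-side OR from bypassing the policy; values travel as bound parameters.
function rewriteQuery(string $where, array $params, array $nodes): array
{
    $parts = $where === '' ? [] : ["($where)"];
    foreach ($nodes as [$property, $operator, $value]) {
        $values = $operator === 'in' ? array_values((array)$value) : [$value];
        $marks = implode(', ', array_fill(0, count($values), '?'));
        $parts[] = match ($operator) {
            'in' => $values ? "$property IN ($marks)" : '1 = 0', // empty set matches nothing
            '==' => "$property = ?",
            '!=' => "$property <> ?",
            default => "$property $operator ?",
        };
        $params = array_merge($params, $values);
    }
    return [implode(' AND ', $parts), $params];
}

// Constructed sample: the policy from the issue description and a caller query containing OR.
$policy = "this.party == current.party && this.credentialsSource != 'foo'";
$nodes = parsePolicy($policy, ['party' => 'party-42']);
[$where, $params] = rewriteQuery('name LIKE ? OR active = ?', ['a%', 1], $nodes);
echo $where, "\n", json_encode($params), "\n";
```

Property names reach the SQL text only after matching `\w+`, and a term the parser does not recognise raises an exception instead of being dropped, so an unparsable policy never widens the result set.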
#5

Updated by Robert Lemke over 11 years ago

  • Start date changed from 2010-02-25 to 2010-03-04
  • % Done changed from 0 to 40
  • Estimated time set to 30.00 h
#6

Updated by Robert Lemke over 11 years ago

  • Status changed from New to Accepted
#7

Updated by Robert Lemke over 11 years ago

  • Target version deleted (1.0 alpha 9)
#8

Updated by Andreas Förthner about 11 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 40 to 100

Applied in changeset r4613.
