Feature #6604
Implement QueryRewriting according to the security policy
100%
Description
Queries to the persistence layer should be automatically rewritten according to the security policy. This will speed up things a lot, as you'll only get objects you'll actually are allowed to see.
One idea was to define constraints for models in the Policy.yaml:
resources: models: F3\Party\Domain\Model\Account: ownAccount: this.party == current.party && this.credentialsSourec != 'foo'
Another idea came to my mind, that we should discuss:
Often you want to define access for specific models on a per object basis. Meaning you want to define which roles should be allowed to see a specific object. This ends up in adding roles to objects, which we could do by a cool model security advice. We'll have to discuss this in details!
Related issues
Updated by Andreas Förthner almost 11 years ago
We have to advice three methods of the Persistence BackendInterface:
getObjectCountByQuery($query):
-> rewrite QOM $query by setting appropriate constraints as where conditions for top level objects, or join conditions for subobjects
getObjectDataByQuery($query):
-> rewrite QOM $query by setting appropriate constraints as where conditions for top level objects, or join conditions for subobjects
getObjectDataByIdentifier($identifier):
-> check the return value (this is always only one object)
Updated by Andreas Förthner almost 11 years ago
In the policy we need to following comparison operators:
== >= <= > < != like <arrayProperty> contains <singleValue> <singleValueProperty> in <array of values> <arrayProperty> matches <array of values>
Updated by Robert Lemke almost 11 years ago
- Start date changed from 2010-02-25 to 2010-03-04
- % Done changed from 0 to 40
- Estimated time set to 30.00 h
Updated by Andreas Förthner over 10 years ago
- Status changed from Accepted to Resolved
- % Done changed from 40 to 100
Applied in changeset r4613.