Task #8427

Access roles are not inherited

Added by Michael Schams about 11 years ago. Updated almost 11 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2010-06-22
% Done: 100%

Description

Assuming we defined the following three ACL roles in Policy.yaml:

  • administrator
  • manager
  • auditor

"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), while "manager" and "auditor" have access to low-level features. Therefore, a good approach would be to have the "manager" role inherit all privileges an "auditor" has, and "administrator" inherit all privileges a "manager" has.

The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (in the "acl" section). You would expect that you do NOT need those lines, because "manager" already has access to Meter/Asset (inherited from "auditor"), as does "administrator".

But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.

Assumption:

Privileges are not inherited. In this example: GRANT for role "auditor" is not passed to "manager" (and "administrator" in the next level).

Workaround:

Assign all "admin" users to "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in attached document.


Files

issue8427-FLOW3-policy-issue.pdf (83.4 KB), Michael Schams, 2010-06-22 02:50

#2

Updated by Karsten Dambekalns about 11 years ago

  • Project changed from 529 to TYPO3.Flow

#3

Updated by Andreas Förthner about 11 years ago

  • Category set to Security
  • Status changed from New to Accepted
  • Assignee set to Andreas Förthner

This feature probably got lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.

I will take care of it ASAP.
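
As an added illustration (editor's example, not FLOW3 code and not the contents of the attached Policy.yaml), the following Python models the report's three-role hierarchy and the getRoles() fix that comment #3 describes: it contrasts a role lookup that returns only the directly assigned roles, which is what the reporter observed, with one that expands inheritance transitively before the ACL is consulted. The role names and the Meter/Asset resources come from the report; the "UserManagement" resource, the dictionary layout of the policy and the function names are assumptions made for this example.

```python
from typing import Dict, Iterable, List, Set

# Constructed policy data: a Python rendering of the three-role hierarchy
# described in the report, NOT the contents of the attached Policy.yaml.
# Each role maps to the list of roles it inherits from (parent roles).
ROLES: Dict[str, List[str]] = {
    "auditor": [],
    "manager": ["auditor"],
    "administrator": ["manager"],
}

# Constructed ACL: resource name -> roles that are GRANTed it. Meter and Asset
# are the resources named in the report and are granted only to "auditor", as in
# the reporter's trimmed Policy.yaml; "UserManagement" is an assumed resource
# standing in for the "user management features" only an admin should reach.
ACL: Dict[str, Set[str]] = {
    "Meter": {"auditor"},
    "Asset": {"auditor"},
    "UserManagement": {"administrator"},
}


def get_roles_flat(assigned: Iterable[str]) -> Set[str]:
    """The behaviour the reporter observed: only directly assigned roles count."""
    return set(assigned)


def get_roles_with_inheritance(assigned: Iterable[str],
                               roles: Dict[str, List[str]] = ROLES) -> Set[str]:
    """Expand the assigned roles to every role they inherit from, transitively.

    The 'resolved' set doubles as a visited set, so the walk terminates even if
    a policy accidentally declares a cycle. An unknown role raises instead of
    being ignored, so a typo in the policy fails loudly rather than silently
    granting nothing.
    """
    resolved: Set[str] = set()
    stack: List[str] = list(assigned)
    while stack:
        role = stack.pop()
        if role in resolved:
            continue
        if role not in roles:
            raise ValueError(f"unknown role {role!r}")
        resolved.add(role)
        stack.extend(roles[role])
    return resolved


def is_granted(resource: str, assigned: Iterable[str], inherit: bool = True) -> bool:
    """Deny by default: grant only if an effective role is GRANTed the resource.

    inherit=False reproduces the bug in the report: "manager" is denied Meter
    even though it inherits from "auditor".
    """
    assigned = list(assigned)
    effective = get_roles_with_inheritance(assigned) if inherit else get_roles_flat(assigned)
    return bool(ACL.get(resource, set()) & effective)


if __name__ == "__main__":
    for user_roles in (["auditor"], ["manager"], ["administrator"]):
        for resource in ACL:
            print(f"{user_roles[0]:>13} -> {resource:<14} "
                  f"flat={is_granted(resource, user_roles, inherit=False)!s:<5} "
                  f"inherited={is_granted(resource, user_roles)}")
```

Running the script prints a grid of both decisions per role and resource; with `inherit=False` the "manager" and "administrator" rows are denied Meter and Asset exactly as the report describes, and with inheritance on they are granted while "UserManagement" stays reserved for "administrator". The unknown-role check is the caveat worth keeping in a real implementation: a misspelled parent role in a policy should be a configuration error, not a silent loss of privileges that someone then "fixes" by granting more than intended.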

#4

Updated by Andreas Förthner about 11 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100

Applied in changeset r4624.

#5

Updated by Karsten Dambekalns about 11 years ago

  • Target version set to 1.0 alpha 10
