Task #8427

Access roles are not inherited

Added by Michael Schams almost 12 years ago. Updated over 11 years ago.

Should have

Assuming, we defined the following three ACL roles in Policy.yaml:

  • administrator
  • manager
  • auditor

"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), "manager" and "auditor" have access to low level features. Therefore, a good approach would be to inherit all privileges an "auditor" has to the "manager" role, and all privileges a "manager" has to "administrator".

The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (at "acl" section). You would expect that you do NOT need those lines, because "manager" already has access to Meter/Asset (inherited by "auditor"), as well as "administrator".

But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.


Privileges are not inherited. In this example: GRANT for role "auditor" is not passed to "manager" (and "administrator" in the next level).


Assign all "admin" users to "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in attached document.


issue8427-FLOW3-policy-issue.pdf (83.4 KB) Michael Schams, 2010-06-22 02:50
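Added example, not code from this issue or from TYPO3 Flow: a small Python model of the role inheritance the report expects, with an `inherit` switch that reproduces the reported behaviour (a GRANT to "auditor" not reaching "manager" or "administrator"). The policy contents and the parent-role representation are assumptions, since the attached Policy.yaml is not reproduced on the page.

```python
from collections import deque

# Constructed policy in the spirit of the attached Policy.yaml (exact YAML
# syntax is not on the page): each role lists its parent roles, and each
# resource lists the roles that are GRANTed access to it.
POLICY = {
    "roles": {
        "auditor": [],
        "manager": ["auditor"],
        "administrator": ["manager"],
    },
    "acl": {
        "Meter": ["auditor"],
        "Asset": ["auditor"],
        "UserManagement": ["administrator"],
    },
}


def effective_roles(roles, hierarchy, inherit=True):
    """Return the set of roles that count when evaluating a grant.

    inherit=False models the reported bug: only directly assigned roles
    are returned, so a GRANT to "auditor" is invisible to a "manager".
    inherit=True walks the parent-role graph transitively; `seen` also
    stops an infinite loop if a policy accidentally contains a cycle.
    """
    seen = set(roles)
    if not inherit:
        return seen
    queue = deque(roles)
    while queue:
        for parent in hierarchy.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def is_granted(user_roles, resource, policy, inherit=True):
    """True if any effective role of the user is granted the resource."""
    granted_to = set(policy["acl"].get(resource, []))
    return bool(effective_roles(user_roles, policy["roles"], inherit) & granted_to)


if __name__ == "__main__":
    for mode in (False, True):
        # Reported: False without inheritance, True once parents are resolved.
        print(f"inherit={mode}: manager -> Meter:",
              is_granted(["manager"], "Meter", POLICY, inherit=mode))
```

The workaround from the report corresponds to calling `is_granted` with all three roles assigned directly, which passes even with `inherit=False`.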

Updated by Karsten Dambekalns almost 12 years ago

  • Project changed from 529 to TYPO3.Flow

Updated by Andreas Förthner almost 12 years ago

  • Category set to Security
  • Status changed from New to Accepted
  • Assignee set to Andreas Förthner

This feature got probably lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.

I will take care asap.


Updated by Andreas Förthner almost 12 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100

Applied in changeset r4624.


Updated by Karsten Dambekalns almost 12 years ago

  • Target version set to 1.0 alpha 10
