While still working with the project mentioned in the thread about cached content I keep stumbling upon issues with an EntityPrivilege that is blocking for other methods.

Here is my use case:

A user visits the frontpage and, with a form, enters an e-mail and hostname. That is taken into a user factory where the following is performed:
```php
// $account, $email and $domain come from the sign-up form / the calling code
$user = new User();
$user->setAccount($account);
$user->setEmailAddress($email);
// only attach a domain when a hostname was entered
if ($domain !== null) {
    $domain = Domain::create($domain);
    $user->addDomain($domain);
}
return $user;
```
As soon as I try to save this new user, the following EntityPrivilege kicks in:
```yaml
'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
  'Vendor.App:MyDomains':
    matcher: 'isType("Vendor\App\Domain\Model\Domain") && !(property("Persistence_Object_Identifier").in("context.userService.domainIdentifiers"))'
```
and I end up with an exception like `Warning: PDO::quote() expects parameter 1 to be string, array given`, since I don't have any domainIdentifiers to give to the database layer (but that's a different issue with the SqlFilter class).
Once a user is logged in, the EntityPrivilege is working as expected, only showing my own domains, filtered with the written matcher.

But, can I not make privileges that are based upon the combination of first a Method and then an Entity?

I've found that these interfaces (MethodPrivilegeInterface and EntityPrivilegeInterface) are used in the code to determine when to do the check. But if one fails, the whole request fails, as far as I can understand it?

Reading the NodePrivilege classes from the Neos CMS package, there seems to be a concept of both method and entity privilege checking, hence the buildMethodPrivilegeMatcher method and custom Eel stuff taking over matchesSubject.
So dear mister and mistress of privileges and security…
How do I solve this? What is the concept of the privileges, and how should they be structured and organized to avoid me running into issues like the above?

Could this perhaps be the topic for collecting all sorts of hints, examples and good documentation, which I will then make into a commit to the documentation so that it becomes more explainable?
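As an added illustration, not taken from the post above or from the Flow project, of how a method privilege target and the post's entity privilege target sit side by side in one `Policy.yaml`: the factory class `Vendor\App\Domain\Factory\UserFactory`, its `create()` method and the role `Vendor.App:Administrator` are assumptions; the entity matcher is the one quoted in the post.

```yaml
# Configuration/Policy.yaml (added example; UserFactory->create() and the
# Administrator role are assumed names, not taken from the post)
privilegeTargets:

  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    # Method privilege: decides whether the factory call is allowed at all.
    'Vendor.App:CreateUser':
      matcher: 'method(Vendor\App\Domain\Factory\UserFactory->create())'

  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    # Entity privilege from the post: Domain entities whose identifier is NOT
    # in the current user's domainIdentifiers are restricted, i.e. filtered
    # out of query results unless the role holds a GRANT on this target.
    'Vendor.App:MyDomains':
      matcher: 'isType("Vendor\App\Domain\Model\Domain") && !(property("Persistence_Object_Identifier").in("context.userService.domainIdentifiers"))'

roles:
  'Neos.Flow:Everybody':
    privileges:
      # Anonymous visitors may run the sign-up factory; the entity filter
      # above is still applied to every Domain query they trigger.
      -
        privilegeTarget: 'Vendor.App:CreateUser'
        permission: GRANT

  'Vendor.App:Administrator':
    privileges:
      # Administrators may see every Domain, not only their own.
      -
        privilegeTarget: 'Vendor.App:MyDomains'
        permission: GRANT
```

Granting the method target only controls whether `create()` may be called; the entity filter is evaluated independently for the anonymous request as well, which is where the empty `domainIdentifiers` case from the post still shows up.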