Checking access rights using Flows Security Framework without writing roles for every protected content

Hi,

I have a question about access rights using Flow.
The use case is the following: we deliver articles (and other content) using the Flow Framework and have different portals on which content is published. The articles are behind a paywall, and a paying user could have access to all articles on one portal but not the other portal, or even to one single content element but nothing else. All those portals live under the same root URL. Because the Flow security feature is pretty neat, we would like to use it if possible to grant a paying user access to read the content they paid for.

Because we have a couple of different products, with new ones added regularly, it would not be feasible to just add all permissions to the Policy.yaml and give every user the appropriate roles.
One suggestion was to use the party to save an array of all access rights there and access it in the Policy.yaml. There we would use the MethodPrivilege to check whether the access right this content requires is part of the access rights given to the user. But as far as I see, that is not possible at the moment: the party object is not part of the account (as it used to be, apparently), and as far as we have tested, it cannot be accessed in the Policy.yaml, at least we found no way to do it.

This example doesn't work, but this is how I thought it might look in the Policy.yaml:

privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    Vcg.TwoStackCms:ArtikelDetail:
      matcher: 'method(Vcg\TwoStackCms\Controller\ArtikelController->detailAction(property(article.portal).in(context.securityContext.account.party.berechtigungen)))'
roles:
  Vcg.IwwUser:PayingUser:
    privileges:
      -
        privilegeTarget: Vcg.TwoStackCms:ArtikelDetail
        permission: GRANT

Is this even possible? Do you have another suggestion for how to tackle this problem?

If there are further questions regarding our use case feel free to ask.

Greetings,

Sabine

Hi Sabine

I'm not sure if this works, but I would try to add dynamic roles to the user accounts when they are subscribed to a specific portal: "Vcg.TwoStackCms:Portal1", "Vcg.TwoStackCms:Portal2", ...
and then check property(article.portalRole).in(context.securityContext.account.roles)

@bijusk did you find a working solution for this? Would be interesting for everybody searching for this. 🙂