Does anybody have advice on, or experience with, this topic:
A role should only be able to view and edit one page of the node tree.
Example:
A backend user has a role assigned, and this role should be able to view and edit only the site “Site 2.1”.
Root www.xxx.com
  Site 1
  Site 2
    Site 2.1
    Site 2.2
  Site 3
I know the behavior for permissions is the following:
- if no privilegeTarget is defined for a node (no access restrictions), it looks like an “allow” to the user;
- if you define a privilegeTarget, the security framework takes over for this resource. It checks whether there is a privilege for the currently logged-in user and the given privilege target. If no privilege is found, it defaults to DENY.
Is there something like “isNoDescendantNodeOf” for ‘Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege’?
Here is what I used to handle multisite policies (Policy.yaml of one site package; it needs to be done in all packages/sites, and the role needs to be assigned to the user):
privilegeTargets:
  # Restrict access to site (1/2)
  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    'Vendor.Package:Site.Site1':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "site1-root-name"'
  # Restrict access to site (2/2)
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'Vendor.Package:Nodes.Site1':
      matcher: 'isDescendantNodeOf("/sites/site1-root-name")'
    # Restrict access to a specific page (also in NodeTreePrivilege)
    'Vendor.Package:Page.SomePage':
      matcher: 'isDescendantNodeOf("8aeb4ff4-f5c3-4586-857f-d287a060205a")'

roles:
  # Grant non-authenticated users permission to the site
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
  # Grant administrators permission to the site & its nodes
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT
  # Grant the site role access to "this" site and its nodes
  'Vendor.Package:Site1':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT
  # Give access to a specific page (only allows access to the subtree of that node
  # instead of the whole tree of that site).
  # Gives basic access to the site + access to edit the node tree below that page
  'Vendor.Package:AccessSomePage':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Page.SomePage'
        permission: GRANT