Permissions & Access Management for Backend Users


(Petra Weinmüller) #1

Hi,

does anybody have an advice or even have experience with this topic:
A Role should only be able to only view and edit one page of the Node Tree.

Example:
A backend user has a role assigned and this role should be able to view and edit the only site “Site 2.1”.

Root www.xxx.com
Site 1
Site 2
Site 2.1
Site 2.2
Site 3

I know the behavior for permissions are the following :

  • if no privilegeTarget is defined for a Node ( no access restrictions) - it looks like an “allow” to the user
  • if you define a privilegeTarget the security framework takes over for this resource. It checks if there is a privilege for the currently logged in user and the given privilege target. If there is no privilege found, it defaults to DENY .

Is there something like “isNoDescendantNodeOf” for ‘Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege’?

Thanks!
Petra


(Benjamin Klix) #2

Hi @pw-formatd,

there is already a topic about this here: Multisite capabilities of Neos

Here is what i used to handle multisite policies (policy.yaml of one Site package, needs to be done on all packages/sites and the role needs to be applied to the user):

privilegeTargets:
  # Resitrict access to site (1/2)
  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    'Vendor.Package:Site.Site1':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "site1-root-name"'

  # Resitrict access to site (2/2)
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'Vendor.Package:Nodes.Site1':
      matcher: 'isDescendantNodeOf("/sites/site1-root-name")'

    # Restrict access to a specific page (also in NodeTreePrivilege)
    'Vendor.Package:Page.SomePage':
      matcher: 'isDescendantNodeOf("8aeb4ff4-f5c3-4586-857f-d287a060205a")'


roles:
  # Grant non-authenticated users permission to site
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT

  # Grant administrators permission to site & nodes
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT

  # Grant site role access to "this" site and nodes
  'Vendor.Package:Site1':
    privileges:
    -
      privilegeTarget: 'Vendor.Package:Site.Site1'
      permission: GRANT
    -
      privilegeTarget: 'Vendor.Package:Nodes.Site1'
      permission: GRANT


  # Give access to specific page (Only allows access to the subtree of that node
  # instead of the whole tree of that site).
  # Gives basic access to the site + access to edit the nodetree below that page
  'Vendor.Package:AccessSomePage':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Page.SomePage'
        permission: GRANT