Permissions and Privileges for Backend Users

Hey guys,
In my NEOS instance I would like to define Permissions and Privileges for Backend Users to change and publish the content of the node: 497b2458-818f-4eba-9d44-7d048ddf911c

I’ve tried this, but I can’t publish the changes. And the user should not be allowed to see the other pages, only 497b2458-818f-4eba-9d44-7d048ddf911c.

Can you help me?

privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
    'My.Site:JobEdit':
      matcher: 'isDescendantNodeOf("497b2458-818f-4eba-9d44-7d048ddf911c")'

roles:
  'My.Site:JobEditor':
    parentRoles: ['Neos.Neos:RestrictedEditor']
    privileges:
      -
        privilegeTarget: 'My.Site:JobEdit'
        permission: GRANT

Does somebody have any idea?

Hi Patric,

by default editors are allowed to edit any nodes. Thus the EditNodePrivileges are a blacklist (see https://neos.readthedocs.io/en/stable/CreatingASite/Security.html#node-privileges).

That same documentation also states that users with the role RestrictedEditor are allowed “… to edit content but not publish to the live workspace”.

Something like this will work:

privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
    # abstain access to edit node privilege by default
    'My.Site:EditAllNodes':
      matcher: 'TRUE'
    # explicitly allow it for certain nodes
    'My.Site:JobEdit':
      matcher: 'isDescendantNodeOf("497b2458-818f-4eba-9d44-7d048ddf911c")'

roles:
  'My.Site:JobEditor':
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'My.Site:JobEdit'
        permission: GRANT

Hi Bastian!

Thank you. This works fine. Is there a way to hide the other Nodes? I just want to display this: 497b2458-818f-4eba-9d44-7d048ddf911c

Thx, pat

There's the ReadNodePrivilege. It should all be described in the linked documentation above. Let us know if there’s anything missing.

Hi Bastian!

Can you help me again?

I have tried the following. The user with the Role Raw.Site:JobEditor works fine, but now the Admin can’t edit any nodes:

privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
    'Raw.Site:EditAllNodes':
      matcher: 'TRUE'
    'Raw.Site:JobEdit':
      matcher: 'isDescendantNodeOf("bf05b268-257c-4c78-87ce-06be6e1f70f7")'

roles:
  'Raw.Site:JobEditor':
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'Raw.Site:JobEdit'
        permission: GRANT

Hey Patric,

The privilege behavior is the following:

  • If no privilegeTarget is defined for a resource (e.g. a Node in your case), no access restrictions are applied to this resource, so effectively this looks like an “allow” to the user.
  • As soon as you define a privilegeTarget, the security framework takes over for this resource. It checks if there is a privilege for the currently logged-in user and the given privilege target. If there is no privilege found, it defaults to DENY.
  • This is exactly what happens in your case.

So, to fix this, grant Admin the privilege to editAllNodes :slight_smile:

All the best,
Sebastian
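The fix Sebastian describes, written out as a Policy.yaml (an added example for this thread, not a configuration posted by any of its participants): it assumes Neos.Neos:Administrator is the admin role in use and reuses the Raw.Site names and the node identifier from Patric's last post.

```yaml
# Policy.yaml of the site package (package name Raw.Site taken from the thread)
privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
    # Matches every node. Once this target exists, editing is DENIED to any
    # role that has not been granted an EditNodePrivilege target covering the node.
    'Raw.Site:EditAllNodes':
      matcher: 'TRUE'
    # The subtree the restricted editor is allowed to change.
    'Raw.Site:JobEdit':
      matcher: 'isDescendantNodeOf("bf05b268-257c-4c78-87ce-06be6e1f70f7")'

roles:
  # Give administrators the catch-all target back. Grant it here and NOT on
  # Neos.Neos:Editor: Raw.Site:JobEditor inherits from Editor via parentRoles
  # and would otherwise regain access to every node.
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Raw.Site:EditAllNodes'
        permission: GRANT

  # The restricted editor only gets the job subtree; all other nodes stay
  # matched by Raw.Site:EditAllNodes and therefore denied.
  'Raw.Site:JobEditor':
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'Raw.Site:JobEdit'
        permission: GRANT
```

Any further role that should keep full editing rights (for example a second, unrestricted editor role) needs the same GRANT on Raw.Site:EditAllNodes, since defining the target switches every other role to DENY.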