Permissions and Privileges for Backend Users

patriceckhart · August 24, 2017, 8:28am

Hey guys,
In my NEOS instance i would define Permissions and Privileges for Backend Users to change and publish the content of the node: 497b2458-818f-4eba-9d44-7d048ddf911c

I’ve tried this, but I can’t publish the changes. And the user should be: not allowed to see the other pages only 497b2458-818f-4eba-9d44-7d048ddf911c

Can you help me?

privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
    'My.Site:JobEdit':
      matcher: 'isDescendantNodeOf("497b2458-818f-4eba-9d44-7d048ddf911c")'

roles:
  'My.Site:JobEditor':
    parentRoles: ['Neos.Neos:RestrictedEditor']
    privileges:
      -
        privilegeTarget: 'My.Site:JobEdit'
        permission: GRANT

patriceckhart · October 18, 2017, 6:57am

Does somebody has any idea?

bwaidelich · October 18, 2017, 1:23pm

Hi Patric,

by default editors are allowed to edit any nodes. Thus the EditNodePrivileges are a blacklist (see https://neos.readthedocs.io/en/stable/CreatingASite/Security.html#node-privileges).

That same documentation also states that users with the role RestrictedEditor are allowed “… to edit content but not publish to the live workspace”.

Something like this will work:

privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
      # abstain access to edit node privilege by default
    'My.Site:EditAllNodes':
      matcher: 'TRUE'
      # explicitly allow it for certain nodes
    'My.Site:JobEdit':
      matcher: 'isDescendantNodeOf("497b2458-818f-4eba-9d44-7d048ddf911c")'

roles:
  'My.Site:JobEditor':
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'My.Site:JobEdit'
        permission: GRANT

patriceckhart · October 19, 2017, 6:06am

Hi Basitian!

Thank you. This works fine. Is there a way to hide the oder Nodes? I just want to display this: 97b2458-818f-4eba-9d44-7d048ddf911c

Thx, pat

bwaidelich · October 19, 2017, 7:51am

Theres the ReadNodePrivilege. It should all be described in the linked documentation above. Let us know if there’s anything missing.

patriceckhart · December 19, 2017, 11:00am

Hi Bastian!

Can you help me again?

I have tried the following. The user with the Role Raw.Site:JobEditor works fine, but now the Admin can’t edit any nodes:

privilegeTargets:
  Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege:
    'Raw.Site:EditAllNodes':
      matcher: 'TRUE'
    'Raw.Site:JobEdit':
      matcher: 'isDescendantNodeOf("bf05b268-257c-4c78-87ce-06be6e1f70f7")'

roles:
  'Raw.Site:JobEditor':
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'Raw.Site:JobEdit'
        permission: GRANT

sebastian · December 23, 2017, 9:10am

Hey Patric,

The privilege behavior is the following:

if no privilegeTarget is defined for a resource (e.g. a Node in your case), no access restrictions are applied to this resource - so effectively this looks like an “allow” to the user.
as soon as you define a privilegeTarget, the security framework takes over for this resource. It checks if there is a privilege for the currently logged in user and the given privilege target. if there is no privilege found, it defaults to DENY.
this is exactly what happens in your case.

So, to fix this, grant Admin the privilege to editAllNodes

All the best,
Sebastian