Policy configuration for persisted objects

Hi,

I have Region and School domain models that both extend \TYPO3\Party\Domain\Model\AbstractParty. School and Region have a ManyToOne relation. I want a SchoolManager to be able to access his own School after login, and a RegionManager to be able to manage all schools in his region.

I have the Policy entry below:

roles:
  SchoolManager: []
  RegionManager: ['SchoolManager']

resources:
  entities:
    'Hwwcn\Sponsor\Domain\Model\School':
      Hwwcn_Sponsor_Schools_All: 'ANY'
      Hwwcn_Sponsor_Schools_Own: 'this.name != NULL && this.acccounts contains current.securityContext.account || this.region == current.securityContext.party'
      Hwwcn_Sponsor_Schools_Other: 'this.name != NULL &&! this.accounts contains current.securityContext.account || this.region != current.securityContext.party'
acls:
  SchoolManager:
    entities:
      Hwwcn_Sponsor_Schools_All: GRANT
      Hwwcn_Sponsor_Schools_Own: GRANT
      Hwwcn_Sponsor_Schools_Other: DENY

This configuration makes SchoolRepository fetch zero schools for both SchoolManager and RegionManager.

Hi,

It might be useful for others. I changed the design. I added a Manager domain object which extends AbstractParty. The School and Region models do not extend AbstractParty anymore. And the policy entity definition looks like:

Hwwcn_Sponsor_Regions_Own: 'this.managers contains current.securityContext.party'
Hwwcn_Sponsor_Regions_Other: 'this.name != NULL &&! this.managers contains current.securityContext.party'

FYI: To make this work you will need to make the edit mentioned in How to add patch for review
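
The Own and Other matchers from the first post, modelled as plain boolean predicates (an added example, not part of the original posts and not Flow code). It shows that the posted Other matcher overlaps Own, so the DENY hides every school, while the De Morgan complement of Own does not. Assumptions: `acccounts` is read as `accounts`, a DENY overrides any GRANT, and the schools and users are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class School:
    name: str
    region: str
    accounts: set = field(default_factory=set)

@dataclass
class User:
    account: str
    party: str  # stands in for current.securityContext.party

def own(s, u):
    # this.name != NULL && this.accounts contains account || this.region == party
    return (s.name is not None and u.account in s.accounts) or s.region == u.party

def other_as_posted(s, u):
    # this.name != NULL && !this.accounts contains account || this.region != party
    return (s.name is not None and u.account not in s.accounts) or s.region != u.party

def other_complement(s, u):
    # True complement of own(): by De Morgan BOTH own-conditions must fail,
    # i.e. the two negated parts are joined with && rather than ||.
    return not own(s, u)

def visible(schools, user, other):
    # Assumed model: Schools_All is GRANTed for everything, so a school is
    # visible unless the DENYed "Other" matcher also matches it.
    return [s.name for s in schools if not other(s, user)]

# Constructed sample data.
SCHOOLS = [
    School("Alpha", "north", {"alice"}),
    School("Beta", "north", {"carol"}),
    School("Gamma", "south", {"dave"}),
]
ALICE = User(account="alice", party="alice")  # school manager of Alpha
BOB = User(account="bob", party="north")      # region manager of "north"

def overlap(schools, user):
    # Schools matched by Own and by the posted Other at the same time.
    return [s.name for s in schools if own(s, user) and other_as_posted(s, user)]

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.account, "posted:", visible(SCHOOLS, u, other_as_posted),
              "complement:", visible(SCHOOLS, u, other_complement),
              "own-and-denied:", overlap(SCHOOLS, u))
```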