Hi,
it seems like I am having trouble understanding policies. An EditNode-permission is granted when the security:showeffectivepolicy-command states that it should be abstained. Denying the privilegeTarget works as expected.
This is my policy.yaml:

privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    'Qweb.AdmTool:Edit.M05PersonIntro':
      matcher: 'nodeIsOfType("Qweb.AdmTool:Content.M05PersonIntroTeaser")'
roles:
  'Neos.Neos:Editor': # Administrator inherits from editor
    privileges:
      - privilegeTarget: 'Qweb.AdmTool:Edit.M05PersonIntro'
        permission: GRANT
  # why is the following needed?
  # 'Qweb.AdmTool:SalesPeople':
  #   privileges:
  #     - privilegeTarget: 'Qweb.AdmTool:Edit.M05PersonIntro'
  #       permission: DENY
Neos considers the permission ABSTAINed, just as I expect it.
./flow security:showeffectivepolicy --roles=Qweb.AdmTool:SalesPeople
Please specify the required argument "privilegeType": method
Effective Permissions for the roles Qweb.AdmTool:SalesPeople, Neos.Neos:AbstractEditor, Neos.ContentRepository:Administrator, Neos.ContentRepository:InternalWorkspaceAccess, Neos.Flow:AuthenticatedUser, Neos.Flow:Everybody
...
Qweb.AdmTool:Edit.M05PersonIntro ABSTAIN
...
BUT: I can edit the text property of the Node when I log in with the SalesPeople role. Why? Is there some other privilege target that overrides the EditNodePrivilege (e.g. Neos.Neos:Backend.EditContent, which is granted)?
What would be the proper way to implement this?