Hi!
While randomly testing with the “Policy.yaml” I’ve spotted a strange behavior.
My setup is as follows:
- In my controller “BazController” there is only one action called “newAction”, which should be protected by policy
- My Policy.yaml looks like this:
    roles:
      'acme.foo:NormalUser':
        privileges:
          -
            privilegeTarget: 'Acme.Foo:NormalUser.BazControllerActions'
            permission: GRANT
    privilegeTargets:
      'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
        'Acme.Foo:NormalUser.bazControllerActions':
          matcher: 'method(Acme\Foo\Controller\BazController->(foo)Action())'
Testing on CLI gives:
    ./flow security:showunprotectedactions
    Acme\Foo\Controller\BazController
      newAction
    Neos\FluidAdaptor\ViewHelpers\Widget\Controller\AutocompleteController
      indexAction
      autocompleteAction
    Neos\FluidAdaptor\ViewHelpers\Widget\Controller\PaginateController
      indexAction
If I change the “matcher” to

    matcher: 'method(Acme\Foo\Controller\BazController->(foo|new)Action())'

then “newAction” disappears from the above list.
IMHO every action which is NOT listed in brackets before “Action” should be protected…
Or have I misunderstood the policy?
What is your opinion?
Cheers
Frank
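
An added example, not part of the original post and not Flow's own code: a small Python model of how the two matchers above select actions, reproducing the CLI result shown. It assumes the method part of a `method(...)` matcher is a regular expression that must match the whole method name and that the class part is compared literally; `CATCH_ALL` and all function names are illustrative.

```python
import re

# Matchers from the post, plus an illustrative catch-all (assumption, not from the post).
ORIGINAL = r"method(Acme\Foo\Controller\BazController->(foo)Action())"
WIDENED = r"method(Acme\Foo\Controller\BazController->(foo|new)Action())"
CATCH_ALL = r"method(Acme\Foo\Controller\BazController->.*Action())"

# Constructed sample: the controller from the post with its single action.
CONTROLLER_ACTIONS = {r"Acme\Foo\Controller\BazController": ["newAction"]}

MATCHER_RE = re.compile(r"^method\((?P<cls>.+)->(?P<method>.+)\(\)\)$")


def parse_matcher(matcher):
    """Split 'method(Class->pattern())' into (class name, compiled method regex)."""
    m = MATCHER_RE.match(matcher.strip())
    if m is None:
        raise ValueError(f"unsupported matcher: {matcher!r}")
    return m.group("cls"), re.compile(m.group("method"))


def unprotected_actions(matchers, controller_actions):
    """Return {controller: [actions]} for every action that no matcher selects."""
    parsed = [parse_matcher(m) for m in matchers]
    result = {}
    for controller, actions in controller_actions.items():
        uncovered = [
            action for action in actions
            # Assumption: an action is covered only if the pattern matches its full name.
            if not any(cls == controller and rx.fullmatch(action) for cls, rx in parsed)
        ]
        if uncovered:
            result[controller] = uncovered
    return result


if __name__ == "__main__":
    for label, matcher in [("original", ORIGINAL), ("widened", WIDENED),
                           ("catch-all", CATCH_ALL)]:
        print(label, unprotected_actions([matcher], CONTROLLER_ACTIONS))
```

Under this model the bracketed names are the actions the privilege target selects, so an action that is not named there stays outside the target and is reported as unprotected.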