Potential Policy/Security problem?

mexoona · October 25, 2024, 1:56pm

Hi!
By random testing with the “Policy.yaml” I’ve spotted an strange behavior.
My setup ist as folows:

In my controller “BazController” there is only on action call “newAction” which should be protected by policy
my Policy.yaml looks like that

roles:
  'acme.foo:NormalUser':
    privileges:
      -
        privilegeTarget: 'Acme.Foo:NormalUser.BazControllerActions'
        permission: GRANT

privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    'Acme.Foo:NormalUser.bazControllerActions':
      matcher: 'method(Acme\Foo\Controller\BazController->(foo)Action())'

Testing on CLI gives:

./flow security:showunprotectedactions

Acme\Foo\Controller\BazController
  newAction

Neos\FluidAdaptor\ViewHelpers\Widget\Controller\AutocompleteController
  indexAction
  autocompleteAction

Neos\FluidAdaptor\ViewHelpers\Widget\Controller\PaginateController
  indexAction

If I change the “matcher” to

matcher: 'method(Acme\Foo\Controller\BazController->(foo|new)Action())'

Than “newAction” disappears from above list.

IMHO should be every action protected which is NOT listed in brackets before “Action”…

Or do I have misunderstood policy??

What is your opinion?

Cheers
Frank

christianm · October 26, 2024, 1:46pm

For ease of use the policies apply only to named resources. A controller action that is never part of any privilegeTarget will be unprotected by default. This is the case for newAction. As soon as it appears in a privilegeTarget it will be part of policy protection.

If you check the default Neos.Neos policy, it adds a secure default target for “all controllers all actions”, so any action is protected by default. That choice in Flow is yours though.

mexoona · October 28, 2024, 1:55pm

Thanks for your explaination, Christian!
But a little pitfall remains, I think.
In described scenario I’ve renamed the single action and than it was “unprotected” …