RFC: Policy.yaml backend module

Hey everbody,

here is a little RFC for a Policy.yaml backend module.
Your comments and ideas are very welcome!

Kind regards,
Michael

Current State

Currently it is hard to find out what do you can do with the Policy.yaml. You have to know what you can use as a matcher and so on.

Plans

What we plan to do is to create a new little backend module to generate a Policy.yaml. This backend module should be a part of a new Flowpack-Package (e.g. Flowpack.Neos.Security)
With the module, it should be possible to build the Policy.yaml with a form.

Here is a screenshot how it could look like:

We have already begun to implement the package:
https://github.com/michaelgerdemann/Flowpack.Neos.Security

4 Likes

Really cool idea, maybe @bwaidelich or @andi can help to shape the idea to a nice UI.

Based on our focus on UX, I think we need to make it simple, may string like “isType({0})” can be replace by small phrase like “Is of Type”, …

Hi,

really cool idea, indeed. There are some things that came to my mind:

  • Obviously we need a nice way to write that back to the Policy.yaml. However, you never can do this in production, this has to be a development-only tool/module
  • It would be really cool to select the values based on some nice editors. E.g. select the node type from the available node types in the system
  • We have to check the logical operators in the matcher expressions. I fear not everything you can model with the example above is really supported by the matcher. But that’s a general issue we have to look into, to find out which combinations make sense and which shouldn’t be possible

Regarding the UI I’m probably not the right person to make that nicer. However, I’m definitely in to give feedback and help with conceptual questions.

Again, thank you so much for pushing this!

Andi

It’s fine for a first version to have to copy paste the generated Policy.yaml

Maybe we can check with @dimaip if we can have access to the ember stuff he’s doing for the NodeType “Wizard”

I have the feeling that’s if we found a way to have a really natural speaking interface it will be awesome, let’s see what can be done, I’m not enough in the technical part to be sure if it’s possible or not.

Yeah sure, I just need a bit more effort to get it done, currently editor refactoring is very naive, I still need to refactor validators and other things: [TASK] Refactor Editors not to depend on Inspector · neos/neos-development-collection@f7849fe · GitHub

Hey guys,

I’m looking for an extension which configures the user rights. maybe this would be suitable …

is there any news about the stand?

Best greetings
Steffen

@steffenmatthes Thanks for bringing this up again, but this is not really related to backend modules, is it? IMO it’s better to open a new thread rather than hijacking a 2-year-old one :wink:

As to your question: Roles are an application concept. You should be able to assign roles at “runtime” (like via the Neos User Management) but it won’t be possible to change roles at runtime for a couple of reasons (security, caching for example).
What you are probably looking for is a concept we call user groups, so that you could specify s.th. like “User A has role NewsEditor in this part of the tree”.
Hopefully we’ll be able to tackle this with https://github.com/neos/flow-development-collection/issues/593 at some point, but it’s quite a complex topic.
In the meantime you can either solve it with multiple roles or a custom implementation of “user groups”.

HTH,
Bastian