[SOLVED] Deny CreateNodePrivilege

Hey everybody. I am having a curious problem with user roles and permissions. My aim is to create a user role with only editing rights, which is not allowed to create or delete nodes.

For this I set up the following:

  'Neos\ContentRepository\Security\Authorization\Privilege\Node\CreateNodePrivilege':
    'My.Site:CreateAllNodes':
      matcher: 'TRUE'

Now my users cannot create any nodes, which makes sense, since now I have to specifically whitelist this privilege.

So for my Editor I set:

  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'My.Site:EditAllNodes'
        permission: GRANT
        privilegeTarget: Neos.Media.Browser:ManageAssetCollections
        permission: GRANT
        privilegeTarget: 'My.Site:CreateAllNodes'
        permission: GRANT

For some reason, my admin user is still not allowed to create nodes. The same thing worked just fine for “EditAllNodes”. If I remove that part in my Editor role, I am no longer allowed to edit, so I am sure this rule generally works.

Why can't I grant privilege to CreateAllNodes? Any help would be highly appreciated, I have been searching for my error for a long time now.

Hi Jakob,

from what you describe everything is correct. And I just tested it and can confirm that the following works:

In a Policy.yaml in <project root>/Configuration I have:

privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\CreateNodePrivilege':
    'My.Site:CreateAllNodes':
      matcher: 'TRUE'

roles:
  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'My.Site:CreateAllNodes'
        permission: GRANT

With that, users with the roles Neos.Neos:Administrator and Neos.Neos:Editor can create nodes; users with Neos.Neos:RestrictedEditor can’t any longer.
If I change “Neos.Neos:Editor” above to “Neos.Neos:Administrator”, only administrators can create nodes, as expected.

Make sure that you have your package dependencies correct (i.e. that your policy is not overridden somewhere else) and that you have caches flushed (in Dev Context that should happen automatically).

Hey Bastian

Thank you for your answer. So first it's very good to know that my code seems to be correct. Unfortunately I am sure my policy comes only from this YAML and I did flush my caches plenty of times. Still it does not work as it should. I cannot have both policies (CreateNodes and EditNodes) together. If I use only the code you sent above, it works just fine. Also my code to edit nodes worked. However, if I have the following, it stops working:

privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\CreateNodePrivilege':
    'My.Site:CreateAllNodes':
      matcher: 'TRUE'

  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    'My.Site:EditAllNodes':
      matcher: 'TRUE'

roles:
  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'My.Site:CreateAllNodes'
        permission: GRANT
        privilegeTarget: 'My.Site:EditAllNodes'
        permission: GRANT
    privilegeTarget: 'My.Site:CreateAllNodes'
    permission: GRANT
    privilegeTarget: 'My.Site:EditAllNodes'
    permission: GRANT

That syntax is invalid and any decent YAML editor should complain about it!?
Also the parser complains if I try this: Duplicate key "privilegeTarget" detected at line 16

With

privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\CreateNodePrivilege':
    'My.Site:CreateAllNodes':
      matcher: 'TRUE'

  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    'My.Site:EditAllNodes':
      matcher: 'TRUE'

roles:
  'Neos.Neos:Editor':
    privileges:
    -
      privilegeTarget: 'My.Site:CreateAllNodes'
      permission: GRANT
    -
      privilegeTarget: 'My.Site:EditAllNodes'
      permission: GRANT

on latest Neos it works for me as expected: Admin & Editor can create and edit nodes, RestrictedEditor can’t

Hey Bastian

That was the hint I needed, thank you so much. This is my first project with Neos or YAML, I did not see my mistake there. Now it's working as expected.

No worries, YAML is quite confusing (and so is Neos sometimes) 🙂
Great that it works now!
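
A standard-library Python check, added here as an illustration and not code from the thread or from Neos, that flags a key repeated inside one list item of a Policy.yaml, as in the single-dash roles block discussed above. `duplicate_keys`, `BROKEN` and `FIXED` are hypothetical names, and the scanner assumes indentation-based block YAML like the snippets in this thread (no flow style or multi-line scalars).

```python
import re

# A block-mapping key, quoted or plain, e.g. 'My.Site:CreateAllNodes':
KEY = re.compile(r"""^(['"]?)(.+?)\1\s*:(?:\s|$)""")

def duplicate_keys(text):
    """Return [(line_no, key)] for keys repeated within one block mapping."""
    dups, stack = [], []  # stack entries: [indent, keys seen in that mapping]
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if body == "-" or body.startswith("- "):
            # A dash opens a new list item: the previous item's mapping ends.
            while stack and stack[-1][0] > indent:
                stack.pop()
            rest = body[1:].lstrip()
            indent, body = indent + len(body) - len(rest), rest
        m = None if body.startswith("#") else KEY.match(body)
        if not m:
            continue
        while stack and stack[-1][0] > indent:
            stack.pop()
        if not stack or stack[-1][0] < indent:
            stack.append([indent, set()])
        if m.group(2) in stack[-1][1]:
            dups.append((no, m.group(2)))
        stack[-1][1].add(m.group(2))
    return dups

# The single-dash policy from the thread (constructed copy of the post).
BROKEN = r"""privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\CreateNodePrivilege':
    'My.Site:CreateAllNodes':
      matcher: 'TRUE'

  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    'My.Site:EditAllNodes':
      matcher: 'TRUE'

roles:
  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'My.Site:CreateAllNodes'
        permission: GRANT
        privilegeTarget: 'My.Site:EditAllNodes'
        permission: GRANT"""
# Corrected form: a second dash starts a second list item.
FIXED = BROKEN.replace("GRANT\n", "GRANT\n      -\n", 1)
```

Running `duplicate_keys` over a policy file before deploying it reports the same line 16 that the parser error quoted in the thread points at, and returns an empty list once each grant has its own dash.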