BoxerBuffa
(Finn Thorwarth)
1
Hey,
I have the following setup:
WG:Basesite as package, and country sites with languages based on that package.
I would like to create user roles to restrict site access based on roles.
I tried to follow this tutorial: Real World Examples - Backend Permissions - Advanced - Guide - Neos Docs
And this guide: Backend Permissions - Advanced - Guide - Neos Docs
But I might have misunderstood something.
I created the following policy.yaml, but I can still access the international site with a user assigned just to the EditorGermany.
What am I missing?
```yaml
privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    'WG.BaseSite:EditAllNodes':
      matcher: 'true'
    'EQ.International:AccessInternational':
      matcher: 'isInDimensionPreset("language", "en")'
    'EQ.Germany:AccessGermany':
      matcher: 'isInDimensionPreset("language", "de")'
roles:
  'WG.BaseSite:RestrictedEditor':
    parentRoles: ['Neos.Neos:RestrictedEditor']
    privileges:
      - privilegeTarget: 'WG.BaseSite:EditAllNodes'
        permission: DENY
  'EQ.International:EditorInternational':
    label: Editor International
    description: Grants editor access to the international site.
    parentRoles: ['WG.BaseSite:RestrictedEditor']
    privileges:
      -
        privilegeTarget: 'EQ.International:AccessInternational'
        permission: GRANT
  'EQ.Germany:EditorGermany':
    label: Editor Germany
    description: Grants editor access to the german site.
    parentRoles: ['WG.BaseSite:RestrictedEditor']
    privileges:
      -
        privilegeTarget: 'EQ.Germany:AccessGermany'
        permission: GRANT
  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'WG.BaseSite:EditAllNodes'
        permission: GRANT
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'WG.BaseSite:EditAllNodes'
        permission: GRANT
```
BoxerBuffa
(Finn Thorwarth)
2
After a lot of trial and error, I finally got it:
This lets the user log in only to the sites he has the rights for, and also shows only the sites he can access in the sidebar.
Next I am trying to restrict the media collections.
```yaml
privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    'EQ.Finland:Site.Finland':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-finland"'
    'EQ.France:Site.France':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-france"'
    'EQ.Germany:Site.Germany':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-germany"'
    'EQ.Greece:Site.Greece':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-greece"'
    'EQ.International:Site.International':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-international"'
    'EQ.Poland:Site.Poland':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-poland"'
    'EQ.Samples:Site.Samples':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "eq-samples"'
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'EQ.Finland:Nodes.Finland':
      matcher: 'isDescendantNodeOf("/sites/eq-finland")'
    'EQ.France:Nodes.France':
      matcher: 'isDescendantNodeOf("/sites/eq-france")'
    'EQ.Germany:Nodes.Germany':
      matcher: 'isDescendantNodeOf("/sites/eq-germany")'
    'EQ.Greece:Nodes.Greece':
      matcher: 'isDescendantNodeOf("/sites/eq-greece")'
    'EQ.International:Nodes.International':
      matcher: 'isDescendantNodeOf("/sites/eq-international")'
    'EQ.Poland:Nodes.Poland':
      matcher: 'isDescendantNodeOf("/sites/eq-poland")'
    'EQ.Samples:Nodes.Samples':
      matcher: 'isDescendantNodeOf("/sites/eq-samples")'
roles:
  # Grant non-authenticated users permission to all sites & assets
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'EQ.Finland:Site.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.France:Site.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Germany:Site.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Greece:Site.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.International:Site.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Poland:Site.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  # Grant administrators permission to all sites, nodes, assets & collections
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'EQ.Finland:Site.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Finland:Nodes.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.France:Site.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.France:Nodes.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Germany:Site.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Germany:Nodes.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Greece:Site.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Greece:Nodes.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.International:Site.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.International:Nodes.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Poland:Site.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Poland:Nodes.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  # Grant global editors permission to all sites & nodes
  'WG.BaseSite:Editor':
    label: 'Editor Global'
    description: 'Grants editor access to all sites.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.Finland:Site.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Finland:Nodes.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.France:Site.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.France:Nodes.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Germany:Site.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Germany:Nodes.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Greece:Site.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Greece:Nodes.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.International:Site.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.International:Nodes.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Poland:Site.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Poland:Nodes.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  'EQ.Finland:EditorFinland':
    label: 'Editor Finland'
    description: 'Grants editor access to the finnish site.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.Finland:Site.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Finland:Nodes.Finland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  'EQ.France:EditorFrance':
    label: 'Editor France'
    description: 'Grants editor access to the french site.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.France:Site.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.France:Nodes.France'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  'EQ.Germany:EditorGermany':
    label: 'Editor Germany'
    description: 'Grants editor access to the german site.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.Germany:Site.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Germany:Nodes.Germany'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  'EQ.Greece:EditorGreece':
    label: 'Editor Greece'
    description: 'Grants editor access to the greek site.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.Greece:Site.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Greece:Nodes.Greece'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  'EQ.International:EditorInternational':
    label: 'Editor International'
    description: 'Grants editor access to the international site.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.International:Site.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.International:Nodes.International'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
  'EQ.Poland:EditorPoland':
    label: 'Editor Poland'
    description: 'Grants editor access to the polish site.'
    parentRoles: ['Neos.Neos:EditorRestricted']
    privileges:
      -
        privilegeTarget: 'EQ.Poland:Site.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Poland:Nodes.Poland'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
      -
        privilegeTarget: 'EQ.Samples:Site.Samples'
        permission: GRANT
```
1 Like
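
A static check for a per-site policy like the one posted above, added here as an example (it is not part of the original post and not Neos code): it flags role keys it does not recognise, repeated entries within a role, and privilege targets that no role grants, which matters because Flow denies access to a defined target unless some role grants it. The policy is embedded as a constructed Python dict standing in for the merged Policy.yaml; `ROLE_KEYS`, `lint_policy` and the finding names are assumptions of this example.

```python
from collections import Counter

# Role keys this check accepts (assumption: adjust to your Flow version).
ROLE_KEYS = {"label", "description", "abstract", "parentRoles", "privileges"}

# Constructed sample shaped like one site role from the thread, reduced to two sites.
SAMPLE_POLICY = {
    "privilegeTargets": {
        "Neos\\Flow\\Security\\Authorization\\Privilege\\Entity\\Doctrine\\EntityPrivilege": {
            "EQ.Germany:Site.Germany": {}, "EQ.Samples:Site.Samples": {},
        },
        "Neos\\Neos\\Security\\Authorization\\Privilege\\NodeTreePrivilege": {
            "EQ.Germany:Nodes.Germany": {}, "EQ.Samples:Nodes.Samples": {},
        },
    },
    "roles": {
        "EQ.Germany:EditorGermany": {
            "label": "Editor Germany",
            "describtion": "misspelled key, constructed for the check",
            "parentRoles": ["Neos.Neos:RestrictedEditor"],
            "privileges": [
                {"privilegeTarget": "EQ.Germany:Site.Germany", "permission": "GRANT"},
                {"privilegeTarget": "EQ.Germany:Nodes.Germany", "permission": "GRANT"},
                {"privilegeTarget": "EQ.Samples:Site.Samples", "permission": "GRANT"},
                {"privilegeTarget": "EQ.Samples:Site.Samples", "permission": "GRANT"},
            ],
        },
    },
}

def lint_policy(policy):
    """Return sorted (role, finding, subject) tuples for one merged policy dict."""
    defined = {t for group in policy["privilegeTargets"].values() for t in group}
    granted, findings = set(), []
    for role, cfg in policy["roles"].items():
        findings += [(role, "unknown-key", k) for k in set(cfg) - ROLE_KEYS]
        entries = Counter((p["privilegeTarget"], p["permission"])
                          for p in cfg.get("privileges", []))
        for (target, permission), count in entries.items():
            if count > 1:
                findings.append((role, "duplicate-entry", target))
            if permission == "GRANT":
                granted.add(target)
    # A target defined but granted to nobody is inaccessible to every role.
    findings += [("*", "never-granted", t) for t in defined - granted]
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(*finding, sep="\t")
```

Run it against the policy merged from all packages, since a target defined in one Policy.yaml may be granted in another.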