Download to read offline
![1. Neos Comment Form
NodeTypes.yaml:
'Acme.YourSite:CommentForm':
superTypes: ['TYPO3.Neos:Content']
ui:
label: 'Comment Form'
CommentForm.html:
<f:form actionUri="{neos:uri.node()}" objectName="newNode">
<f:form.hidden name="referenceNode" value="{node.path}" />
<f:form.hidden property="__nodeType" value="TYPO3.Neos.NodeTypes:Text" />
<f:form.textarea property="text" />
<f:form.submit value="Send comment" />
</f:form>
Policy.yaml:
privilegeTargets:
'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege':
'Acme.SomePackage:CreateCommentNode':
matcher: 'isDescendantNodeOf("/sites/yoursite/comments") && createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")'
roles:
'TYPO3.Flow:Everybody':
privileges:
-
privilegeTarget: 'Acme.SomePackage:CreateCommentNode'
permission: GRANT](https://image.slidesharecdn.com/security-2-150329050813-conversion-gate01/85/TYPO3-Neos-and-Flow-Security-2-0-23-320.jpg)
Uploaded bynetlogix
TYPO3 Neos and Flow - Security 2.0
The document discusses Security 2.0 in the Neos framework, focusing on its goal to provide extensive data protection through a declarative privilege system. It highlights the changes in how database reads and method calls are managed, allowing for central definition of privileges and improved performance through SQL constraints. Examples of use cases, such as document management and comment forms, illustrate how custom privilege types can be implemented and utilized within this architecture.
![[T3CON13NA] TYPO3 Flow And Neos In Enterprise Applications](https://cdn.slidesharecdn.com/ss_thumbnails/neosintheenterpriset3con13na-130531003219-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]](https://cdn.slidesharecdn.com/ss_thumbnails/top233-260130173900-2eb784f9-thumbnail.jpg?width=640&height=640&fit=bounds)
TYPO3 Neos and Flow - Security 2.0
- 1.
- 2.
- 4. Goals • Perfect fitfor Neos • Separated from code • Fast • Declarative
- 5.
- 6.
- 7. It’s all aboutprotecting database reads and method calls!
- 8. How would thatwork? Changing the title of a page fancy AOP magic included! method(Node->setProperty(propertyName == "title"))
- 11. How would thatwork? Visibility of a page mind blowing SQL rewrites in the wild! this.workspace.name != ''live''
- 12. Your benefit! • Allprivileges are defined declaratively in a central place, not in your code • SQL constraints are faster than in memory filters • The actual protection code is part of the framework robust, well tested, updated in a central place
- 13.
- 14.
- 15. We want touse the Neos Language! Am I allowed to edit this property? Am I allowed to move this node to this target? Am I allowed to publish this node to that workspace? Am I allowed to see this part of the node tree?
- 16. We just invented customprivilege types Edit Node Read Node Create Node Move Node Remove Node Node Tree
- 17.
- 18. Policy.yaml: privilegeTargets: 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeReadNodePrivilege': 'Acme.SomePackage:CustomerArea': matcher: 'isDescendantNodeOf("/sites/yoursite/customers")' 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege': 'Acme.SomePackage:CreateTextElementsOnProductPages': matcher: 'isDescendantNodeOf("/sites/yoursite/products")&& createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")' roles: 'TYPO3.Flow:Everybody': privileges: - privilegeTarget: 'Acme.SomePackage:CreateTextElementsOnProductPages' permission: GRANT ‚Acme.SomePackage:RegisteredCustomers': privileges: - privilegeTarget: 'Acme.SomePackage:CustomerArea' permission: GRANT
- 19. Behind the scenes 1.Privilege types are real php classes 2. Functionality can be inherited! 3. Eel is used for the expressions 4. You can easily implement your own types
- 20. Neos Privilege Architecture Method EntityReadNode EditNode MoveNode RemoveNode CreateNode NodeTree
- 21.
- 22. 1. Neos CommentForm
- 23. 1. Neos CommentForm NodeTypes.yaml: 'Acme.YourSite:CommentForm': superTypes: ['TYPO3.Neos:Content'] ui: label: 'Comment Form' CommentForm.html: <f:form actionUri="{neos:uri.node()}" objectName="newNode"> <f:form.hidden name="referenceNode" value="{node.path}" /> <f:form.hidden property="__nodeType" value="TYPO3.Neos.NodeTypes:Text" /> <f:form.textarea property="text" /> <f:form.submit value="Send comment" /> </f:form> Policy.yaml: privilegeTargets: 'TYPO3TYPO3CRSecurityAuthorizationPrivilegeNodeCreateNodePrivilege': 'Acme.SomePackage:CreateCommentNode': matcher: 'isDescendantNodeOf("/sites/yoursite/comments") && createdNodeIsOfType("TYPO3.Neos.NodeTypes:Text")' roles: 'TYPO3.Flow:Everybody': privileges: - privilegeTarget: 'Acme.SomePackage:CreateCommentNode' permission: GRANT
- 24. 2. Document Management AuthorizationService.php: publicfunction isAllowed($document, $privilege = self::PRIVILEGE_READ) { if ($this->getAuthenticatedUser() === NULL) { return FALSE; } if ($this->getAuthenticatedUser()->isAdministrator()) { return TRUE; } switch ($privilege) { case self::PRIVILEGE_READ: return $this->isAllowedToReadDocument($document); case self::PRIVILEGE_CREATE: case self::PRIVILEGE_UPDATE: case self::PRIVILEGE_DELETE: return $this->hasAccessToResource('Acme_SomePackage_DocumentAdministration') && $this->isAllowedToEditCategory($document->getCategory()); case self::PRIVILEGE_VIEW_USER_GROUPS: return $this->isAllowedToViewUserGroupsOfDocument($document); } }
- 25. 2. Document Management Policy.yaml: privilegeTargets: 'AcmeSomePackageSecurityAuthorizationPrivilegeEditDocumentPrivilege': 'Acme.SomePackage:DocumentAdministration': matcher:'documentIsInCategory(authenticatedUser.allowedCategories)' SomePhpFile.php: $documentSubject = new EditDocumentPrivilegeSubject($document); $this->privilegeManager->isGranted(EditDocumentPrivilege::class, $documentSubject); SomeFluidTemplate.html: <x:security.isAllowedToEditDocument document="{document}"> <!-- edit links, ... --> </x:security.isAllowedToEditDocument>
- 26.