Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/flownative/flow-extraprivileges

A package with some extra privilege implementations (to be included into Flow 5.x eventually)
https://github.com/flownative/flow-extraprivileges

Last synced: 2 months ago
JSON representation

A package with some extra privilege implementations (to be included into Flow 5.x eventually)

Awesome Lists containing this project

README 

        
[![MIT license](http://img.shields.io/badge/license-MIT-brightgreen.svg)](http://opensource.org/licenses/MIT)

[![Packagist](https://img.shields.io/packagist/v/flownative/flow-extraprivileges.svg)](https://packagist.org/packages/flownative/flow-extraprivileges)

[![Maintenance level: Acquaintance](https://img.shields.io/badge/maintenance-%E2%99%A1-ff69b4.svg)](https://www.flownative.com/en/products/open-source.html)



# Custom Entity Privileges for Flow



A package with some extra privilege implementations (to be included into Flow 5.0 eventually)



## Installation



`composer require flownative/flow-extraprivileges`



## Usage



After installing the package, a few new privileges may be used in your security policy.



### Available privileges



The package provides four new privileges:



- `Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\ReadPrivilege`

- `Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\CreatePrivilege`

- `Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\UpdatePrivilege`

- `Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\DeletePrivilege`



The `ReadPrivilege` is a drop-in replacement for the `EntityPrivilege` shipped with Flow.

It exists to lessen potential for confusion, since the name `EntityPrivilege` is rather

ambiguous, but the privilege deals only with reading of entities.



The other three privileges offer new functionality and allow to secure the creation,

updating and deletion of entities. Here is an example (to be used in *Policy.yaml*):



    privilegeTargets:

    

      # the "CreatePrivilege" is checked only for freshly created entities

      'Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\CreatePrivilege':

        'Acme.PrivilegesUser:CreateInvoice':

          # matches any "Invoice" entity

          matcher: 'q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")'

        'Acme.PrivilegesUser:CreateExpensiveInvoice':

          # matches ony "Invoice" entities with a total "amount" of more than 10

          matcher: >

            q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")

            && q(entity).property("amount") > 10

    

      # the "UpdatePrivilege" is checked only for existing entities that are updated

      'Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\UpdatePrivilege':

        'Acme.PrivilegesUser:UpdateInvoice':

          # matches any "Invoice" entity being updated

          matcher: 'q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")'

        'Acme.PrivilegesUser:UpdateExpensiveInvoice':

          # matches only "Invoice" entities being updated with a total "amount" of more than 10

          # in either the (unchanged) "originalEntityData" or the already changed "entity"

          matcher: >

            q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")

            && (q(entity).property("amount") > 10

            || q(originalEntityData).property("amount") > 10)

    

      'Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\DeletePrivilege':

        'Acme.PrivilegesUser:DeleteInvoice':

          # matches any "Invoice" entity

          matcher: 'q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")'

        'Acme.PrivilegesUser:DeleteExpensiveInvoice':

          # matches only "Invoice" entities being updated with a total "amount" of more than 10

          # in the (unchanged) "originalEntityData"

          matcher: >

            q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")

            && q(originalEntityData).property("amount") > 10



##### Matcher syntax



The matcher syntax shown above differs from the syntax known from the `EntityPrivilege` in Flow

(and that is unchanged for the `Entity\ReadPrivilege` in this package). The matcher syntax is

regular Eel with support for FlowQuery, and there are two special items available in the context:



- `entity` is the actual entity that is being checked

- `originalEntityData` is an array with property values as they were loaded from the persistence



Keep in mind that checking for the type of entity is only possible on `entity`, the other

item is an array and will never match a check against a class!



##### Eel helpers



In addition to these two, Eel helpers are available in the context, as configured in the settings

with `Flownative.Flow.ExtraPrivileges.defaultContext`:



- `String`: `Neos\Eel\Helper\StringHelper`

- `Array`: `Neos\Eel\Helper\ArrayHelper`

- `Date`: `Neos\Eel\Helper\DateHelper`

- `Configuration`: `Neos\Eel\Helper\ConfigurationHelper`

- `Math`: `Neos\Eel\Helper\MathHelper`

- `Json`: `Neos\Eel\Helper\JsonHelper`

- `Security`: `Neos\Eel\Helper\SecurityHelper`

- `Type`: `Neos\Eel\Helper\TypeHelper`



### Fluid (view) integration



The `ifAccess` view helper is used to check for access to a privilege target. With the new

privileges, it has been expanded to accept the entity to check against in the parameter

`subject`.



    

       This is being shown in case you have access to the given privilege target

    



## Background



Further information and details on the reasoning behind this package may be found in

[Custom Privilege Targets](Documentation/Custom-Privilege-Targets.md).



## Credits



Development of this package has been sponsored by clicsoft gmbh, Zug, Switzerland.