!!! FEATURE: Content Repository Privileges #5298
Conversation
```yaml
privilegeTargets:
'Neos\Neos\Security\Authorization\Privilege\SubtreeTagPrivilege':
'Some.Package:FooInAllContentRepositories':
matcher: 'foo'
'Some.Package:BarInDefaultContentRepository':
matcher: 'default:bar'
```
# Conflicts: # Neos.Neos/Classes/View/FusionExceptionView.php
to `getAuthenticatedUserId()` and make return type nullable
… new `ContentRepositoryAuthorizationService` singleton
and add dedicated `AccessDenied` exception
..instead of the Neos `User`. Reasoning: - A Neos `User` can have multiple accounts assigned - It makes sense to evaluate all authenticated roles e.g. for frontend authentication)
and add doc comments
There was a problem hiding this comment.
Feels already a lot better with the WorkspaceService being split up and the new $roles, $userId signature in the authorisation service. Now everything is sound :) Left a few last comments and solved the nitpicks myself. After addressing those i think this can be merged finally! Thanks for sticking to this topic so long!!!
I also tested that the Neos ui still works (e2e ran locally) and adjusted it to the latest changes.
One more thing though, maybe @kitsunet wants to have a look at the things that are evaluated often and might need to be cached? See \Neos\Neos\Security\Authorization\ContentRepositoryAuthorizationService::getVisibilityConstraints? And the write side now has to fetch the node again and its workspace but i guess that is ok though could be cached too at some point ... idk :D
But giving my +1 already because of goodwill :D
| /** | ||
| * @api | ||
| */ | ||
| final class AccessDenied extends \Exception |
There was a problem hiding this comment.
do we need some flow error option or anything so this is treated as flow AccessDeniedException in the parts that matter? Or does it matter at all? I do know we have some special condition sometimes to let AccessDeniedException always bubble up or something: (at least in the fusion runtime)?
There was a problem hiding this comment.
@kitsunet and me discussed that this must be caught in controllers and wrapped into a flow AccessDeniedException to initiate a redirect or set the correct flow status to 403
There was a problem hiding this comment.
I am almost done reviewing and inclined to merge this now. we can figure out a fix for it after the fact...
There was a problem hiding this comment.
At least for typical neos ui use cases this isn't noticable as they all have controller privileges and throw the necessary exception that way already. Maybe we don't need anything for now... The frontend user case is still to be checked
There was a problem hiding this comment.
perfect -> followup todo: #5372
| throw new \RuntimeException('No user authenticated', 1720371024); | ||
| $authenticatedAccount = $this->securityContext->getAccount(); | ||
| if ($authenticatedAccount === null) { | ||
| throw new AccessDeniedException('No user authenticated', 1720371024); |
There was a problem hiding this comment.
With the new nullability i could actually imagine to just ignore that check here and use $currentUser?->getId() like in other places ... that makes the code imo less quirky as the security part in flow is defined via yaml and not in the code.
But will do that inside of sebs workspace pr instead of messing with the workspace controller to much :D
Neos.Neos/Tests/Behavior/Features/Bootstrap/WorkspaceServiceTrait.php
Outdated
Show resolved
Hide resolved
# Conflicts: # Neos.Neos/Classes/Command/CrCommandController.php
# Conflicts: # Neos.ContentRepository.Core/Classes/ContentRepository.php # Neos.ContentRepository.Core/Classes/Factory/ContentRepositoryFactory.php # Neos.ContentRepositoryRegistry/Classes/ContentRepositoryRegistry.php
…vileges-tests # Conflicts: # Neos.Neos/Tests/Behavior/Features/Bootstrap/WorkspaceServiceTrait.php
# Conflicts: # Neos.ContentRepository.Core/Classes/ContentRepository.php
…vileges-tests # Conflicts: # Neos.ContentRepository.TestSuite/Classes/Behavior/Features/Bootstrap/GenericCommandExecutionAndEventPublication.php
TASK: Tests for "Content Repository Privileges"
Neos.Neos/Tests/Behavior/Features/Bootstrap/ContentRepositorySecurityTrait.php
Outdated
Show resolved
Hide resolved
- we must not write the settings to the file system via $crSecurity_testingPolicyPathAndFilename as following processes and tests in the same context would be affected. Also flushing and reloading the configuration catch (`flushConfigurationCache`) is expensive and the tests must not mess with that low level flow behaviour - instead we only rely on faking the `PolicyService`'s runtime caches. This is done by injecting a custom configuration into `$policyConfiguration` and then initialising the `PolicyService`
Now we throw the cr AccessDenied exception instead of flows access denied in all places of the workspace service to make behaviour consistent. $contentRepository->handle might for example throw the `AccessDenied` when creating a workspace
And introduce the behaviour of the `FunctionalTestCase`: neos/flow-development-collection@b9c89e3
assert that base workspace creation is only allowed for writing and that managing (setting title and roles) is only allowed to managers
| { | ||
| public static function becauseCommandIsNotGranted(CommandInterface $command, string $reason): self | ||
| { | ||
| return new self(sprintf('Command "%s" was denied: %s', $command::class, $reason), 1729086686); |
There was a problem hiding this comment.
hmm this should probably contain the cr id to ease debugging? But we have this missing alotta places in exceptions
because it led to [debates](neos/neos-development-collection#5298 (comment))
Introduces basic security to the event sourced content repository
This is a breaking change mainly because it requires a new, explicit, workspace role assignment in order for the
liveworkspace to be publicly visible:./flow workspace:assignrole live "Neos.Flow:Everybody" viewerOtherwise youll face this error:
Adjustments to
VisibilityConstraints:The method
VisibilityConstraints::frontend()was renamed toVisibilityConstraints::default().But for the cases you have used
VisibilityConstraintsat all - as mandatory argument forgetSubgraphyou can now simplify that to usegetContentSubgraphdirectly:before
after
Note that
getContentGraph(...)->getSubgraph(...)still works but is only meant to be used if your you want to determine theVisibilityConstraintsfor some case differently.Usage
Workspace Permissions
The following workspace roles exist:
VIEWER: Can read from the workspaceVIEWERto theliveworkspaceCOLLABORATOR: Can read from and write to the workspaceMANAGER: Can read from and write to the workspace and manage it (i.e. change metadata & role assignments)Furthermore, personal workspaces can be owned by a particular user. The workspace owner implicitly has the
MANAGERrole, i.e. has full access to that workspace.Note
Workspace roles are transitive. That means that
COLLABORATORhas all privileges of theVIEWERandMANAGERhas all privileges of theCOLLABORATORTo publish changes to a workspace, the authenticated user has to have at least the
VIEWERrole on the workspace to publish andCOLLABORATORrole on the target workspace.Workspace role assignments can be changed through the workspace module (WIP, see #5132) or via CLI:
ReadNodePrivilege
In general, the
ReadNodePrivilegeworks like it did before Neos 9: It allows to completely hide sub trees of the content repository from a given user group.But the implementation and configuration format has changed.
This is how a
ReadNodePrivilegecan be configured viaPolicy.yaml:The
matcherrefers to aSubtreeTag, so this example would hide all nodes that are tagged withblog(including their descendants) from all users that don't have aGRANTon that specific privilege target.Tip
By default, the privilege is active for all configured content repositories. By prefixing the matcher with
<content-repository-id>:this can be limited to a specific CR (for exampledefault:blog)EditNodePrivilege
Likewise the purpose of the
EditNodePrivilegeis like before Neos 9: To restrict certain users from changing nodes (includes creation, setting properties or references, disabling/enabling, tagging and moving, ...) in a given subtree.The new configuration syntax is similar to the one for
ReadNodePrivilege:Again, the
matcherrefers to aSubtreeTag, so this example would disallow users without a correspondingGRANTpermission to edit nodes in the subtree that is taggedblog.Note
Both privileges expect a subtree to be tagged. That is not yet possible via the Neos UI or CLI but requires interaction with the PHP API (
$contentRepository->handle(TagSubtree::create(....))) – we'll provide a way to do that, follow #3732 for updatesRemoved privilege types
The following Content Repository privilege types have been removed because their behavior was inconsistent and/or because they led to (performance) issues:
NodeTreePrivilege,CreateNodePrivilege,ReadNodePropertyPrivilege,EditNodePropertyPrivilegeWe will most probably re-add some of the functionality in a future version, but for now you can implement the AuthProviderInterface in order to enforce custom authorization requirements.
Examples
Disallow a role to edit nodes of a subtree
With the following
Policy.yaml:only administrators are allowed to edit nodes in the
blogsubtree.Note
The Neos UI does not currently properly reflect readonly nodes – The inspector will be empty and inline editable fields will be editable – but changing their content will lead to an AccessDenied exception
In order to also hide the uneditable subtree, the following can be added:
Allow a role to only edit within a given subtree
To achieve the opposite of the above, granting a user group to only edit nodes within a subtree, the whole tree must be tagged (i.e. the homepage node, all descendants will inherit the tag).
With all nodes being tagged
demositeand the blog nodes beeing taggedblogin addition, the followingPolicy.yamlwill do:With that, the administrator will be able to edit any node, but editors can only edit nodes within the
blogsubtree.Related: #3732