flownative/flow-extraprivileges

A package containing a few extra privilege implementations (eventually to be included in Flow 5.x)

Installs: 13
Dependents: 0
Suggesters: 0
Security: 0
Stars: 2
Watchers: 4
Forks: 0
Open Issues: 0
Type: neos-package

dev-master 2018-08-27 09:27 UTC

This package is auto-updated.

Last update: 2024-08-29 04:18:44 UTC


README

MIT license | Packagist | Maintenance level: Acquaintance

Custom entity privileges for Flow

A package containing a few extra privilege implementations (eventually to be included in Flow 5.0)

Installation

composer require flownative/flow-extraprivileges

Usage

After installing this package, some new privileges may be used in your security policy.

Available privileges

The package provides four new privileges:

  • Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\ReadPrivilege
  • Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\CreatePrivilege
  • Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\UpdatePrivilege
  • Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\DeletePrivilege

ReadPrivilege is a replacement for the EntityPrivilege that ships with Flow. It exists to reduce the potential for confusion, since the name EntityPrivilege is rather vague while that privilege only concerns reading entities.

The other three privileges provide new functionality and allow the creation, updating and deletion of entities to be secured. Here is an example (for use in Policy.yaml):

privilegeTargets:

  # the "CreatePrivilege" is checked only for freshly created entities
  'Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\CreatePrivilege':
    'Acme.PrivilegesUser:CreateInvoice':
      # matches any "Invoice" entity
      matcher: 'q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")'
    'Acme.PrivilegesUser:CreateExpensiveInvoice':
      # matches only "Invoice" entities with a total "amount" of more than 10
      matcher: >
        q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")
        && q(entity).property("amount") > 10

  # the "UpdatePrivilege" is checked only for existing entities that are updated
  'Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\UpdatePrivilege':
    'Acme.PrivilegesUser:UpdateInvoice':
      # matches any "Invoice" entity being updated
      matcher: 'q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")'
    'Acme.PrivilegesUser:UpdateExpensiveInvoice':
      # matches only "Invoice" entities being updated with a total "amount" of more than 10
      # in either the (unchanged) "originalEntityData" or the already changed "entity"
      matcher: >
        q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")
        && (q(entity).property("amount") > 10
        || q(originalEntityData).property("amount") > 10)

  'Flownative\Flow\ExtraPrivileges\Security\Authorization\Privilege\Entity\DeletePrivilege':
    'Acme.PrivilegesUser:DeleteInvoice':
      # matches any "Invoice" entity
      matcher: 'q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")'
    'Acme.PrivilegesUser:DeleteExpensiveInvoice':
      # matches only "Invoice" entities being deleted with a total "amount" of more than 10
      # in the (unchanged) "originalEntityData"
      matcher: >
        q(entity).is("[instanceof Acme\PrivilegesUser\Domain\Model\Invoice]")
        && q(originalEntityData).property("amount") > 10

Matcher syntax

The matcher syntax shown above differs from the one known from Flow (and from the syntax used by Entity\ReadPrivilege in this package). The matcher syntax is regular Eel with FlowQuery support, and two special items are available in the context:

  • entity is the actual entity being checked
  • originalEntityData is an array containing the property values as loaded from persistence

Note that checking the entity type is only possible on entity; the other item is an array and will never match a class check!
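To make the Policy.yaml example and the two-item matcher context above concrete, here is an added Python model of how the create, update and delete matchers see their input. It is not the package's own code: the Eel expressions are stood in for by Python callables, the Invoice class and the Acme.PrivilegesUser:* target names mirror the constructed example above, and how Flow combines matching targets into a final grant or deny decision is deliberately left out. The point it shows is why the update matcher consults both entity and originalEntityData: an update that lowers an expensive invoice below the threshold is only visible through the persisted original values.

```python
# Added example (not the package's own code): a small model of the
# create/update/delete matcher context described in the README.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Invoice:
    """Constructed stand-in for the Acme\\PrivilegesUser\\Domain\\Model\\Invoice entity."""
    amount: float
    customer: str = "unknown"


# The matcher context has exactly the two items the README names:
#   entity             -> the live object being checked (always present)
#   originalEntityData -> dict of persisted property values, or None for a
#                         freshly created entity that has never been stored
Context = Dict[str, object]
Matcher = Callable[[Context], bool]


def is_invoice(ctx: Context) -> bool:
    # A type check is only meaningful on "entity"; originalEntityData is a
    # plain dict and would never satisfy an instanceof-style test.
    return isinstance(ctx["entity"], Invoice)


def amount_of(ctx: Context, item: str) -> float:
    """Read "amount" from either context item, like q(item).property("amount")."""
    value = ctx[item]
    if value is None:
        return 0.0
    if isinstance(value, dict):
        return float(value.get("amount", 0))
    return float(getattr(value, "amount", 0))


# Python equivalents of the matchers in the Policy.yaml example above.
PRIVILEGE_TARGETS: Dict[str, Dict[str, Matcher]] = {
    "CreatePrivilege": {
        "Acme.PrivilegesUser:CreateInvoice": is_invoice,
        "Acme.PrivilegesUser:CreateExpensiveInvoice":
            lambda ctx: is_invoice(ctx) and amount_of(ctx, "entity") > 10,
    },
    "UpdatePrivilege": {
        "Acme.PrivilegesUser:UpdateInvoice": is_invoice,
        # Either the already-changed entity or the stored original may be expensive.
        "Acme.PrivilegesUser:UpdateExpensiveInvoice":
            lambda ctx: is_invoice(ctx) and (amount_of(ctx, "entity") > 10
                                             or amount_of(ctx, "originalEntityData") > 10),
    },
    "DeletePrivilege": {
        "Acme.PrivilegesUser:DeleteInvoice": is_invoice,
        # For a deletion only the persisted values are consulted.
        "Acme.PrivilegesUser:DeleteExpensiveInvoice":
            lambda ctx: is_invoice(ctx) and amount_of(ctx, "originalEntityData") > 10,
    },
}


def matching_targets(privilege: str, entity: object,
                     original_entity_data: Optional[dict] = None) -> List[str]:
    """Return the privilege targets of one privilege type whose matcher fires."""
    ctx: Context = {"entity": entity, "originalEntityData": original_entity_data}
    return sorted(name for name, matcher in PRIVILEGE_TARGETS[privilege].items()
                  if matcher(ctx))


def downgrade_scenario() -> Dict[str, List[str]]:
    """Constructed case: an update lowers an invoice from 15 to 5.

    The entity already carries the new amount; only originalEntityData still
    shows that an expensive invoice is being touched. Evaluating the same
    update without the original data misses UpdateExpensiveInvoice.
    """
    invoice = Invoice(amount=5)                       # state after the change
    original = {"amount": 15, "customer": "unknown"}  # state loaded from persistence
    return {
        "both_items": matching_targets("UpdatePrivilege", invoice, original),
        "entity_only": matching_targets("UpdatePrivilege", invoice),
    }


if __name__ == "__main__":
    print("create cheap  :", matching_targets("CreatePrivilege", Invoice(amount=3)))
    print("create costly :", matching_targets("CreatePrivilege", Invoice(amount=30)))
    print("delete costly :", matching_targets("DeletePrivilege", Invoice(amount=50), {"amount": 50}))
    for label, targets in downgrade_scenario().items():
        print(f"downgrade ({label}):", targets)
```

Each matcher receives the same two-item context, so the difference between the three privilege types lies entirely in which item a policy author chooses to inspect; the downgrade scenario is the case to keep in mind when writing an update matcher against a numeric threshold.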

Eel helpers

In addition to those two items, the Eel helpers are available in the context as configured via the Flownative.Flow.ExtraPrivileges.defaultContext setting:

  • String: Neos\Eel\Helper\StringHelper
  • Array: Neos\Eel\Helper\ArrayHelper
  • Date: Neos\Eel\Helper\DateHelper
  • Configuration: Neos\Eel\Helper\ConfigurationHelper
  • Math: Neos\Eel\Helper\MathHelper
  • Json: Neos\Eel\Helper\JsonHelper
  • Security: Neos\Eel\Helper\SecurityHelper
  • Type: Neos\Eel\Helper\TypeHelper

Fluid (view) integration

Use the ifAccess view helper to check access to a privilege target. With the new privileges it has been extended to accept the entity to be checked in the subject argument:

<f:security.ifAccess privilegeTarget="somePrivilegeTargetIdentifier" subject="{someEntity}">
   This is being shown in case you have access to the given privilege target
</f:security.ifAccess>

Background

For more information and details on the background of this package, see Custom Privilege Targets.

Credits

The development of this package was supported by clicsoft gmbh, Zürich, Switzerland.