!!! FEATURE: Content Repository Privileges #5298
Conversation
```yaml
privilegeTargets:
'Neos\Neos\Security\Authorization\Privilege\SubtreeTagPrivilege':
'Some.Package:FooInAllContentRepositories':
matcher: 'foo'
'Some.Package:BarInDefaultContentRepository':
matcher: 'default:bar'
```
# Conflicts: # Neos.Neos/Classes/View/FusionExceptionView.php
to `getAuthenticatedUserId()` and make return type nullable
… new `ContentRepositoryAuthorizationService` singleton
and add dedicated `AccessDenied` exception
..instead of the Neos `User`. Reasoning: - A Neos `User` can have multiple accounts assigned - It makes sense to evaluate all authenticated roles e.g. for frontend authentication)
and add doc comments
bwaidelich
changed the title
according to review comments
Neos.Neos/Classes/Security/Authorization/ContentRepositoryAuthorizationService.php
Show resolved
Hide resolved
…vileges-tests # Conflicts: # Neos.Neos/Tests/Behavior/Features/Bootstrap/WorkspaceServiceTrait.php
…epository` By moving the db implementation logic in a separate class, the dependency chain is cleaned up, as the `WorkspaceService` would previously hold the cr which would hold the `ContentRepositoryAuthorizationService` which has the `WorkspaceService` Also we didnt want to add further zickzack and previously it would not have been able to acquire the `ContentRepositoryAuthorizationService` without hacks in the `WorkspaceService` to evaluate permissions for `setWorkspaceTitle` or `assignWorkspaceRole`
…al by not exposing on the `WorkspaceService` They were introduce in #5306 for the pruning, but this is a purely internal task and there is no need for this to be api for the Neos User. Also, the reason is that it cannot be protected with security easily.
… of having them private
…t make sense to be extended
There was a problem hiding this comment.
Feels already a lot better with the WorkspaceService being split up and the new $roles, $userId signature in the authorisation service. Now everything is sound :) Left a few last comments and solved the nitpicks myself. After addressing those i think this can be merged finally! Thanks for sticking to this topic so long!!!
I also tested that the Neos ui still works (e2e ran locally) and adjusted it to the latest changes.
One more thing though, maybe @kitsunet wants to have a look at the things that are evaluated often and might need to be cached? See \Neos\Neos\Security\Authorization\ContentRepositoryAuthorizationService::getVisibilityConstraints? And the write side now has to fetch the node again and its workspace but i guess that is ok though could be cached too at some point ... idk :D
But giving my +1 already because of goodwill :D
| $this->userService->getCurrentUser()?->getId() | ||
| ); | ||
| if (!$workspacePermissions->manage) { | ||
| throw new AccessDeniedException(sprintf('The current user does not have manage permissions for workspace "%s" in content repository "%s"', $workspaceName->value, $contentRepositoryId->value), 1731343473); |
There was a problem hiding this comment.
should we throw the flow access denied here or the CR's \Neos\ContentRepository\Core\Feature\Security\Exception\AccessDenied like in the other methods? Probably the latter?
There was a problem hiding this comment.
the more i think about it, yes, otherwise some methods would throw the one and others another :D
| public function getWorkspaceRoleAssignments(ContentRepositoryId $contentRepositoryId, WorkspaceName $workspaceName): WorkspaceRoleAssignments | ||
| { | ||
| $table = self::TABLE_NAME_WORKSPACE_ROLE; | ||
| $query = <<<SQL | ||
| SELECT | ||
| * | ||
| FROM | ||
| {$table} | ||
| WHERE | ||
| content_repository_id = :contentRepositoryId | ||
| AND workspace_name = :workspaceName | ||
| SQL; | ||
| try { | ||
| $rows = $this->dbal->fetchAllAssociative($query, [ | ||
| 'contentRepositoryId' => $contentRepositoryId->value, | ||
| 'workspaceName' => $workspaceName->value, | ||
| ]); | ||
| } catch (DbalException $e) { | ||
| throw new \RuntimeException(sprintf('Failed to fetch workspace role assignments for workspace "%s" (Content Repository "%s"): %s', $workspaceName->value, $contentRepositoryId->value, $e->getMessage()), 1728474440, $e); | ||
| } | ||
| return WorkspaceRoleAssignments::fromArray( | ||
| array_map(static fn (array $row) => WorkspaceRoleAssignment::create( | ||
| WorkspaceRoleSubjectType::from($row['subject_type']), | ||
| WorkspaceRoleSubject::fromString($row['subject']), | ||
| WorkspaceRole::from($row['role']), | ||
| ), $rows) | ||
| ); | ||
| } | ||
|
|
||
| /** | ||
| * Determines the permission the given user has for the specified workspace {@see WorkspacePermissions} | ||
| */ | ||
| public function getWorkspacePermissionsForUser(ContentRepositoryId $contentRepositoryId, WorkspaceName $workspaceName, User $user): WorkspacePermissions | ||
| { | ||
| try { | ||
| $userRoles = array_keys($this->userService->getAllRoles($user)); | ||
| } catch (NoSuchRoleException $e) { | ||
| throw new \RuntimeException(sprintf('Failed to determine roles for user "%s", check your package dependencies: %s', $user->getId()->value, $e->getMessage()), 1727084881, $e); | ||
| } | ||
| $workspaceMetadata = $this->loadWorkspaceMetadata($contentRepositoryId, $workspaceName); | ||
| if ($workspaceMetadata !== null && $workspaceMetadata->ownerUserId !== null && $workspaceMetadata->ownerUserId->equals($user->getId())) { | ||
| return WorkspacePermissions::all(); | ||
| } | ||
| $userWorkspaceRole = $this->loadWorkspaceRoleOfUser($contentRepositoryId, $workspaceName, $user->getId(), $userRoles); | ||
| $userIsAdministrator = in_array('Neos.Neos:Administrator', $userRoles, true); | ||
| if ($userWorkspaceRole === null) { | ||
| return WorkspacePermissions::create(false, false, $userIsAdministrator); | ||
| } | ||
| return WorkspacePermissions::create( | ||
| read: $userWorkspaceRole->isAtLeast(WorkspaceRole::COLLABORATOR), | ||
| write: $userWorkspaceRole->isAtLeast(WorkspaceRole::COLLABORATOR), | ||
| manage: $userIsAdministrator || $userWorkspaceRole->isAtLeast(WorkspaceRole::MANAGER), | ||
| ); | ||
| return $this->metadataAndRoleRepository->getWorkspaceRoleAssignments($contentRepositoryId, $workspaceName); |
There was a problem hiding this comment.
now that we can make things @internal by not exposing it here on the workspace service we can consider if getWorkspaceRoleAssignments should really be API or if Neos can just use at this one place the metadataAndRoleRepository directly? ... But probably keep it api :D
There was a problem hiding this comment.
Why am i thinking about this? Because the
NOTE: This should never be used to evaluate permissions, instead {@see ContentRepositoryAuthorizationService::getWorkspacePermissions()} should be used!
Makes it already seem like an internal thing somehow :D
| /** | ||
| * @api | ||
| */ | ||
| final class AccessDenied extends \Exception |
There was a problem hiding this comment.
do we need some flow error option or anything so this is treated as flow AccessDeniedException in the parts that matter? Or does it matter at all? I do know we have some special condition sometimes to let AccessDeniedException always bubble up or something: (at least in the fusion runtime)?
| throw new \RuntimeException('No user authenticated', 1720371024); | ||
| $authenticatedAccount = $this->securityContext->getAccount(); | ||
| if ($authenticatedAccount === null) { | ||
| throw new AccessDeniedException('No user authenticated', 1720371024); |
There was a problem hiding this comment.
With the new nullability i could actually imagine to just ignore that check here and use $currentUser?->getId() like in other places ... that makes the code imo less quirky as the security part in flow is defined via yaml and not in the code.
But will do that inside of sebs workspace pr instead of messing with the workspace controller to much :D
| WorkspaceName::fromString($workspaceName), | ||
| WorkspaceTitle::fromString($newTitle), | ||
| )); | ||
| $this->getObject(SecurityContext::class)->withoutAuthorizationChecks(fn () => |
There was a problem hiding this comment.
i didnt add tests yet for these things that they work with security will try to do that in your followup pr :) For now its just withoutAuthorizationChecks :D
# Conflicts: # Neos.Neos/Classes/Command/CrCommandController.php
# Conflicts: # Neos.ContentRepository.Core/Classes/ContentRepository.php # Neos.ContentRepository.Core/Classes/Factory/ContentRepositoryFactory.php # Neos.ContentRepositoryRegistry/Classes/ContentRepositoryRegistry.php
…vileges-tests # Conflicts: # Neos.Neos/Tests/Behavior/Features/Bootstrap/WorkspaceServiceTrait.php
# Conflicts: # Neos.ContentRepository.Core/Classes/ContentRepository.php
…vileges-tests # Conflicts: # Neos.ContentRepository.TestSuite/Classes/Behavior/Features/Bootstrap/GenericCommandExecutionAndEventPublication.php
TASK: Tests for "Content Repository Privileges"
| self::$crSecurity_testingPolicyPathAndFilename = $this->getObject(Environment::class)->getPathToTemporaryDirectory() . 'Policy.yaml'; | ||
| file_put_contents(self::$crSecurity_testingPolicyPathAndFilename, Yaml::dump($mergedPolicyConfiguration)); | ||
|
|
||
| ObjectAccess::setProperty($policyService, 'initialized', false, true); | ||
| $this->getObject(ConfigurationManager::class)->flushConfigurationCache(); |
There was a problem hiding this comment.
is this latter part really needed? As we dont have sub processes we dont have to preserve the state and mess with the file system right?
... but ill look into it :)
There was a problem hiding this comment.
Without that I got more failing tests because we have so many runtime caches on all layers
... but ill look into it :)
Great, thank you. And let me know if you need support (contentually or mentally *g)
Introduces basic security to the event sourced content repository
This is a breaking change mainly because it requires a new, explicit, workspace role assignment in order for the
liveworkspace to be publicly visible:./flow workspace:assignrole live "Neos.Flow:Everybody" viewerOtherwise youll face this error:
Adjustments to
VisibilityConstraints:The method
VisibilityConstraints::frontend()was renamed toVisibilityConstraints::default().But for the cases you have used
VisibilityConstraintsat all - as mandatory argument forgetSubgraphyou can now simplify that to usegetContentSubgraphdirectly:before
after
Note that
getContentGraph(...)->getSubgraph(...)still works but is only meant to be used if your you want to determine theVisibilityConstraintsfor some case differently.Usage
Workspace Permissions
The following workspace roles exist:
VIEWER: Can read from the workspaceVIEWERto theliveworkspaceCOLLABORATOR: Can read from and write to the workspaceMANAGER: Can read from and write to the workspace and manage it (i.e. change metadata & role assignments)Furthermore, personal workspaces can be owned by a particular user. The workspace owner implicitly has the
MANAGERrole, i.e. has full access to that workspace.Note
Workspace roles are transitive. That means that
COLLABORATORhas all privileges of theVIEWERandMANAGERhas all privileges of theCOLLABORATORTo publish changes to a workspace, the authenticated user has to have at least the
VIEWERrole on the workspace to publish andCOLLABORATORrole on the target workspace.Workspace role assignments can be changed through the workspace module (WIP, see #5132) or via CLI:
ReadNodePrivilege
In general, the
ReadNodePrivilegeworks like it did before Neos 9: It allows to completely hide sub trees of the content repository from a given user group.But the implementation and configuration format has changed.
This is how a
ReadNodePrivilegecan be configured viaPolicy.yaml:The
matcherrefers to aSubtreeTag, so this example would hide all nodes that are tagged withblog(including their descendants) from all users that don't have aGRANTon that specific privilege target.Tip
By default, the privilege is active for all configured content repositories. By prefixing the matcher with
<content-repository-id>:this can be limited to a specific CR (for exampledefault:blog)EditNodePrivilege
Likewise the purpose of the
EditNodePrivilegeis like before Neos 9: To restrict certain users from changing nodes (includes creation, setting properties or references, disabling/enabling, tagging and moving, ...) in a given subtree.The new configuration syntax is similar to the one for
ReadNodePrivilege:Again, the
matcherrefers to aSubtreeTag, so this example would disallow users without a correspondingGRANTpermission to edit nodes in the subtree that is taggedblog.Note
Both privileges expect a subtree to be tagged. That is not yet possible via the Neos UI or CLI but requires interaction with the PHP API (
$contentRepository->handle(TagSubtree::create(....))) – we'll provide a way to do that, follow #3732 for updatesRemoved privilege types
The following Content Repository privilege types have been removed because their behavior was inconsistent and/or because they led to (performance) issues:
NodeTreePrivilege,CreateNodePrivilege,ReadNodePropertyPrivilege,EditNodePropertyPrivilegeWe will most probably re-add some of the functionality in a future version, but for now you can implement the AuthProviderInterface in order to enforce custom authorization requirements.
Examples
Disallow a role to edit nodes of a subtree
With the following
Policy.yaml:only administrators are allowed to edit nodes in the
blogsubtree.Note
The Neos UI does not currently properly reflect readonly nodes – The inspector will be empty and inline editable fields will be editable – but changing their content will lead to an AccessDenied exception
In order to also hide the uneditable subtree, the following can be added:
Allow a role to only edit within a given subtree
To achieve the opposite of the above, granting a user group to only edit nodes within a subtree, the whole tree must be tagged (i.e. the homepage node, all descendants will inherit the tag).
With all nodes being tagged
demositeand the blog nodes beeing taggedblogin addition, the followingPolicy.yamlwill do:With that, the administrator will be able to edit any node, but editors can only edit nodes within the
blogsubtree.Related: #3732